On Wed, Jul 28, 2021 at 04:39:39PM +0200, Josh Good 
<postfix.2016...@naleco.com> wrote:

Hello everybody.

I've been made aware of this communication recently received at some
site whose email is managed on-premises (i.e., not outsourced to any
big mailbox provider in the "cloud"):

> From: Rhenus Logistics <no_re...@es.rhenus.com>
> Sent: 30 June 2021 17:05
> To: [omitted]
> Subject: Email con TLS inferior a 1.2 / Email with TLS less than 1.2
>
> Good Afternoon,
> We inform you that due to Rhenus security policies, as of 08/01/2021
> receiving of emails that do not comply with version 1.2 of the TLS
> protocol will be restricted.
> All emails sent in particular to the domain @es.rhenus.com and in
> general to any Rhenus domain @*.rhenus.com must be sent with the TLS
> 1.2 protocol or higher.
> Any mail received without fulfilling this condition will be rejected
> by our server.
> Please forward this message to your IT department for consideration
> and action.
> If you have any questions, please head over your Rhenus contact
>
> IT //SERVICES

The above could mean that starting 08/01/2021 their TLS support will
only support TLS 1.2 (and not any earlier TLS version) with their
inbound SMTP servers remaining configured in "opportunistic TLS" mode
--- or it could be read as if they will enable "smtpd_enforce_tls = yes"
(or "smtpd_tls_security_level = encrypt") in their inbound SMTP servers
(I don't know if they are using Postfix, but you get what I mean).

If the case is the second one, is that a current trend? Has rfc2487
been obsoleted and mandatory TLS is now considered "industry standard"
in publicly-referenced SMTP servers?

I've tried to contact Rhenus IT Services to inquire about this, but my
phone calls haven't gone through. So I thought I may as well ask this
list if this is a single case or the "new normal"...

On 29.07.21 10:26, raf wrote:
RFC2487 has been obsoleted, but only because it's been
replaced by RFC3207, and then further updated by
RFC7817. It hasn't gone away. It's just been updated.

Note that both 2487 and 3207 just describe how to upgrade from plaintext to
TLS connection. They don't describe if/when to upgrade and what to do if the
upgrade is not possible (or fails).

On my little personal mail server, 75% of incoming
connections to port 25 are plaintext. Only 25% use
STARTTLS (by definition). Disabling STARTTLS would
be a disaster, and stop all incoming mail.

you apparently mean:
"Requiring STARTTLS would be a disaster, and stop 75% of incoming mail"

I'm sure that Rhenus will still use STARTTLS on port
25. They'll just require STARTTLS to be used and
they'll only support TLSv1.2+. The only alternative
would be to close port 25, use port 465 (TLS-only)
instead, and hope that all mail servers that want to
send them email try to use port 465. But that's not
going to happen.

Many mail servers refuse unauthenticated mail on port 465, so this is a
no-go.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #99999: Out of error messages.
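One way for an admin to measure, on their own receiving MTA, what the two readings of the Rhenus notice would cost in lost inbound mail, as an added example that is not part of this thread: it tallies Postfix smtpd "connect from" and "TLS connection established" log lines by protocol version. The log lines are constructed for illustration, and any session with no established TLS line (including failed handshakes) is assumed to be plaintext.

```python
import re
from collections import Counter

# Constructed sample Postfix smtpd log lines (not real traffic, not from the thread).
SAMPLE_LOG = """\
Jul 28 10:00:01 mx postfix/smtpd[101]: connect from a.example[192.0.2.10]
Jul 28 10:00:01 mx postfix/smtpd[101]: Anonymous TLS connection established from a.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 28 10:00:05 mx postfix/smtpd[102]: connect from b.example[192.0.2.20]
Jul 28 10:00:09 mx postfix/smtpd[103]: connect from c.example[192.0.2.30]
Jul 28 10:00:09 mx postfix/smtpd[103]: Untrusted TLS connection established from c.example[192.0.2.30]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jul 28 10:00:12 mx postfix/smtpd[104]: connect from d.example[192.0.2.40]
Jul 28 10:00:13 mx postfix/smtpd[104]: Trusted TLS connection established from d.example[192.0.2.40]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

# Each "connect from" line is one inbound session; Postfix logs one
# "<trust level> TLS connection established ... : <protocol> with cipher" line per STARTTLS session.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from ")
TLS_RE = re.compile(r"postfix/smtpd\[\d+\]: \w+ TLS connection established from .*?: (TLSv[\d.]+) with cipher")
MODERN = {"TLSv1.2", "TLSv1.3"}  # what the notice says will still be accepted


def summarize(log_text):
    """Count inbound sessions by TLS protocol and estimate the impact of a TLS 1.2+ mandate.

    Assumption: a session without an established TLS line is counted as plaintext.
    """
    sessions = 0
    protocols = Counter()
    for line in log_text.splitlines():
        if CONNECT_RE.search(line):
            sessions += 1
            continue
        m = TLS_RE.search(line)
        if m:
            protocols[m.group(1)] += 1
    plaintext = sessions - sum(protocols.values())
    legacy_tls = sum(n for proto, n in protocols.items() if proto not in MODERN)
    return {
        "sessions": sessions,
        "plaintext": plaintext,      # lost if STARTTLS becomes mandatory (reading two)
        "legacy_tls": legacy_tls,    # handshake fails once TLS < 1.2 is disabled (reading one)
        "protocols": dict(protocols),
        "rejected_if_tls12_mandatory": plaintext + legacy_tls,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    pct = 100 * s["rejected_if_tls12_mandatory"] / s["sessions"]
    print(f"{s['sessions']} sessions: {s['plaintext']} plaintext, {s['legacy_tls']} pre-1.2 TLS; "
          f"{pct:.0f}% would be refused under mandatory TLS 1.2+")
```

Run against a real mail log (`summarize(open("/var/log/mail.log").read())`) to see the same 75%/25% style split raf reports, broken down by protocol version.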