Josh,

On 7/29/21 9:13 AM, Josh Good wrote:
> Well, it's not exactly clear, in the Rhenus notification, whether they
> are just disabling TLS 1.0, or that plus also disabling plain text SMTP.
>
> Viktor thinks it's just the first case. But we should not underestimate
> the push that a checklist-based security audit can exert on an
> overburdened IT Dept.
I bet a beer that they're going the second path: enforce TLS 1.2 + disabling plain text SMTP. Although I think this is not a good idea, imho the first path (enforcing TLS 1.2 but still keeping plain) is just plain stupid ;-) They would not gain anything by doing so, because imho a TLS 1.0 connection is better than a fallback on plain.

Do not get me wrong, I think it's a good idea to push towards using only strong TLS versions/ciphers, but the implementation may cause far more problems than expected. Just take the case when they lose a huge customer order because the customer still operates an Exchange 2003 server, which at best can talk TLS 1.0. Then Management will soon show up in the IT department and highly probably ignore the fact that it was them pushing this policy in the first place ;-)

Cheers

tobi
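The two postures the reply contrasts, written out as Postfix `main.cf` fragments. This is an added illustration, not configuration from the thread; it assumes the receiving MTA is Postfix (the message does not say what Rhenus runs), and the parameter names are Postfix's own.

```ini
# Added example, not from the thread. Two ways a receiving MTA can "drop TLS 1.0",
# assuming Postfix. The two blocks are alternatives: use one or the other.
# The exclusion-list syntax below works on all supported Postfix releases;
# Postfix 3.6 and later also accept the shorter form ">=TLSv1.2".

# --- First path: TLS 1.2 only, plaintext still accepted ---
# Opportunistic STARTTLS. A client whose handshake is refused (one that can only
# speak TLS 1.0) is free to reconnect and send in the clear, so the old peer ends
# up with no encryption at all instead of TLS 1.0. This is the outcome the reply
# calls pointless.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# --- Second path: TLS 1.2 required, plaintext refused ---
# Mandatory TLS. Commands sent before a successful STARTTLS get
# "530 Must issue a STARTTLS command first", and the handshake only succeeds at
# TLS 1.2 or later, so a TLS-1.0-only peer cannot deliver at all (the Exchange
# 2003 scenario above).
# Caveat: RFC 3207 section 4 says a publicly referenced SMTP server MUST NOT
# require STARTTLS, and the Postfix documentation reserves "encrypt" for
# dedicated or private servers rather than an Internet-facing MX.
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
```

After changing either block, `postconf -n | grep smtpd_tls` shows which settings are in effect, and a check of the server's own mail logs for deliveries that arrive without a TLS line is the quickest way to see how many peers the first path has silently pushed to plaintext.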