On 2021 Jul 29, 10:01, Viktor Dukhovni wrote:
> > On 29 Jul 2021, at 8:17 am, raf <post...@raf.org> wrote:
> >
> > The Rhenus email did say:
> >
> > "...must be sent with the TLS 1.2 protocol or higher.
> > Any mail received without fulfilling this condition
> > will be rejected by our server."
> >
> > That second sentence sounds to me like a definite
> > statement that an SMTP connection that doesn't initiate
> > STARTTLS will not be able to send email. At least, I
> > can't see how else to interpret those words.
>
> The simplest thing they could do is just disable TLS 1.0.
> This would also comply with some brain in neutral audit.
>
> My money is on brain in neutral, as opposed to a carefully
> considered risk assessment in which they've concluded that
> they only receive legitimate email from TLS-1.2-capable
> senders.

Well, there is also the third option, the kamikaze approach: we're
disabling TLS 1.0, and while we are at it we will also disable this
"backdoor" we just found of "plain text" connections to our
world-facing SMTP servers...

Risk assessments? What are those? This is security!

--
Josh Good