On 29/07/2021 17:24, Josh Good wrote:
On 2021 Jul 29, 10:01, Viktor Dukhovni wrote:
On 29 Jul 2021, at 8:17 am, raf <post...@raf.org> wrote:

The Rhenus email did say:

  "...must be sent with the TLS 1.2 protocol or higher.
  Any mail received without fulfilling this condition
  will be rejected by our server."

That second sentence sounds to me like a definite
statement that an SMTP connection that doesn't initiate
STARTTLS will not be able to send email. At least, I
can't see how else to interpret those words.
The simplest thing they could do is just disable TLS 1.0.
This would also comply with some brain in neutral audit.

My money is on brain in neutral, as opposed to a carefully
considered risk assessment in which they've concluded that
they only receive legitimate email from TLS-1.2-capable
senders.
Well, there is also the third option, the kamikaze approach: we're
disabling TLS 1.0, and while we are at it we will also disable this
"backdoor" we just found of "plain text" connections to our world-facing
SMTP servers... Risk assessments? What are those? This is security!
Some commercial vulnerability scan services (e.g. by Qualys, SecurityMetrics) which are required by payment providers regard TLSv1/TLSv1.1 as absolute fails for PCI DSS compliance and organisations that must meet PCI DSS (https://www.pcisecuritystandards.org/) have no choice but to respect this. The same services do not treat port 25 open for plain text as a fail.
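To make the distinction in the thread concrete, here is an added main.cf fragment (my own illustration, not configuration posted by anyone in this thread or by Rhenus). It assumes Postfix 3.6 or later for the ">=TLSv1.2" protocol syntax and a server certificate already configured; the pre-3.6 spelling is shown in a comment. The point is that dropping TLS 1.0/1.1, which is what the PCI scanners flag, is a separate knob from rejecting sessions that never STARTTLS, which is what the quoted wording announces.

```conf
# Added example (not from the thread): Postfix main.cf settings that keep
# the two decisions separate. Assumed: Postfix >= 3.6, certificate already
# set up via smtpd_tls_chain_files or smtpd_tls_cert_file/key_file.

# 1. Opportunistic TLS on the public MX: clients may issue STARTTLS, but a
#    client that never does is still accepted (plaintext delivery).
smtpd_tls_security_level = may

# 2. Protocols offered when a client DOES negotiate TLS. Disabling
#    TLS 1.0/1.1 here clears the scanner finding without turning away
#    plaintext senders. A TLS-1.0-only client fails the handshake; whether
#    it then retries in the clear depends on the sending software.
smtpd_tls_protocols = >=TLSv1.2
# Pre-3.6 equivalent of the line above:
# smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# 3. What the quoted Rhenus text literally describes: mandatory TLS, which
#    rejects every session that is not encrypted. Only switch to this after
#    confirming that all legitimate senders can negotiate TLS 1.2 or better
#    (check the "TLS connection established" lines in the mail log first).
# smtpd_tls_security_level = encrypt
# smtpd_tls_mandatory_protocols = >=TLSv1.2
```

After editing, "postfix reload" applies the change, and "postconf -n | grep tls" shows which of the two settings is actually in effect; the mandatory-TLS variant is the one that produces the rejections the thread is worried about, the opportunistic one is not.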
