Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-06-24 Thread Brandon Long via mailop
SSL3 was a small fraction of our traffic, tls1.0 is not a small fraction.
Could be because of this Apple issue, but it's also true for server to
server traffic.

I haven't investigated what doesn't support better yet, perhaps our tls
team has.

Note our post says supporting tls1.2 is necessary to survive to 2020, which
is still a ways away.  It's also a vendor compliance requirement.

Brandon

On Jun 24, 2016 10:38 AM, "Frank Bulk" wrote:

> https://googleappsupdates.blogspot.com/2016/06/gradually-disabling-support-for-sslv3.html
>
> https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/
>
> Due to PCI requirements to disable TLS 1.0, and recognizing an overall
> push towards TLS 1.1 and TLS 1.2, we tried turning off TLS 1.0 on our
> email servers.  That generally worked out fine for webmail, but Apple users
> couldn’t use SMTP, POP3, or IMAP, resulting in a lot of helpdesk calls.  We
> ended up turning TLS 1.0 back on.
>
> We learned that apparently Apple mail products currently have no support
> for TLS 1.1 or TLS 1.2.
>
> https://discussions.apple.com/message/29755546#29755546
>
> https://discussions.apple.com/message/28336623#message28336623
>
> Anyone else have insight into Apple’s plans?  How do we nudge them?
>
> Brandon, is this a reason that Google has not deprecated TLS 1.0 as well?
>
> Frank
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


[mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-06-24 Thread Frank Bulk
https://googleappsupdates.blogspot.com/2016/06/gradually-disabling-support-for-sslv3.html

https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

Due to PCI requirements to disable TLS 1.0, and recognizing an overall push
towards TLS 1.1 and TLS 1.2, we tried turning off TLS 1.0 on our email
servers.  That generally worked out fine for webmail, but Apple users
couldn't use SMTP, POP3, or IMAP, resulting in a lot of helpdesk calls.  We
ended up turning TLS 1.0 back on.

We learned that apparently Apple mail products currently have no support for
TLS 1.1 or TLS 1.2.

https://discussions.apple.com/message/29755546#29755546

https://discussions.apple.com/message/28336623#message28336623

Anyone else have insight into Apple's plans?  How do we nudge them?

Brandon, is this a reason that Google has not deprecated TLS 1.0 as well?

Frank



Re: [mailop] DMARC question

2016-06-24 Thread Lena
> I'm curious if someone can explain why a few sites
> have a "local_policy" that overrides our DMARC settings.

Perhaps because DMARC breaks discussion mailing lists
like this one.



Re: [mailop] DMARC question

2016-06-24 Thread Rolf E. Sonneveld

Hi, Terry,

On 24-06-16 09:14, Terry Barnum wrote:
> I've been checking our newly configured DMARC status on the
> (excellent) dmarcian.com site. We're being
> joe jobbed every 2 weeks so I'm hoping DMARC severely cuts into that
> spammer's delivery success. I still hate getting all the undeliverable
> bounce notices though.
>
> I'm curious if someone can explain why a few sites have a
> "local_policy" that overrides our DMARC settings. The reporting
> Providers for these are 126.com and 163.com. It's only 8 messages or
> so in the last 4 days so not a huge deal but I'm curious.


[...]

because DMARC still is only an advice on what to do with mail that 
doesn't pass a DMARC check. At the end of the day, it is still the 
'receiver' that decides what to do with mail that doesn't pass DMARC 
verification (but may still be legitimate, solicited mail). You may want 
to have a look at 
https://datatracker.ietf.org/doc/draft-ietf-dmarc-interoperability/ to 
see why...


/rolf
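
Added example, not part of any list member's message: the "local_policy" override discussed in this thread is reported inside the `<policy_evaluated>` element of a DMARC aggregate report (RFC 7489) as a `<reason>` entry. The Python below lists every record in a report where the receiver gave such a reason, next to the published policy and the disposition actually applied; the sample report, its domains and its addresses are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; every value is made up.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>sender.example</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>local_policy</type><comment>constructed</comment></reason>
      </policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from></identifiers>
  </record>
</feedback>"""


def find_overrides(report_xml):
    """Return (reporter, published policy, records where the receiver gave an override reason)."""
    # Reports come from third parties: use a hardened parser such as defusedxml in production.
    root = ET.fromstring(report_xml)
    for el in root.iter():  # some reporters add an XML namespace; drop it
        el.tag = el.tag.rsplit("}", 1)[-1]
    reporter = root.findtext("report_metadata/org_name", default="unknown")
    published = root.findtext("policy_published/p", default="none")
    overrides = []
    for rec in root.iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        if evaluated is None:
            continue
        for reason in evaluated.findall("reason"):
            overrides.append({
                "source_ip": rec.findtext("row/source_ip"),
                "count": int(rec.findtext("row/count", default="0")),
                "disposition": evaluated.findtext("disposition"),
                "reason": reason.findtext("type"),
                "comment": reason.findtext("comment", default=""),
            })
    return reporter, published, overrides


if __name__ == "__main__":
    reporter, published, overrides = find_overrides(SAMPLE_REPORT)
    for o in overrides:
        print(f"{reporter}: {o['count']} msgs from {o['source_ip']}, "
              f"published p={published}, applied {o['disposition']} ({o['reason']})")
```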