Re: [mailop] deprecating rc4 & ssl3
We removed support for EDH ciphers a while back, so I don't think we worry about DH key lengths. I don't think they are supported by BoringSSL, which all Google products should be using now. At least, that's my basic understanding; most of this is handled by our TLS team, so I don't have to think about it.

And we never fall back to plain text, haven't in years.

Brandon

On Mon, May 16, 2016 at 4:57 PM, Carl Byington wrote:
> On Mon, 2016-05-16 at 16:07 -0700, Brandon Long via mailop wrote:
> > The numbers are small enough that we're not doing any mitigation,
> > there is no fall back on ssl negotiation failure, there is no
> > whitelist of hosts we will allow these protocols from.
>
> Thank you! It makes it much easier for us to do the same - when folks
> complain we can say - well, you cannot deliver mail to google either -
> fix your system.
>
> On a related topic, are you doing any fallback to plain text on DH key
> length? What is the minimum DH key length you require for mail? Our
> systems currently require 1024 bit keys, but will fall back to plain text
> after 8 hours. The delay encourages folks to upgrade their DH keys, but
> I have not seen such a fallback in the last few weeks.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] deprecating rc4 & ssl3
On Mon, 2016-05-16 at 16:07 -0700, Brandon Long via mailop wrote:
> The numbers are small enough that we're not doing any mitigation,
> there is no fall back on ssl negotiation failure, there is no
> whitelist of hosts we will allow these protocols from.

Thank you! It makes it much easier for us to do the same - when folks complain we can say - well, you cannot deliver mail to google either - fix your system.

On a related topic, are you doing any fallback to plain text on DH key length? What is the minimum DH key length you require for mail? Our systems currently require 1024 bit keys, but will fall back to plain text after 8 hours. The delay encourages folks to upgrade their DH keys, but I have not seen such a fallback in the last few weeks.
[mailop] deprecating rc4 & ssl3
As an FYI, this seems unlikely to affect most of you, as the number of services we see using these is pretty small:

http://googleappsupdates.blogspot.com/2016/05/disabling-support-for-sslv3-and-rc4-for.html

So, in 30 days, we're going to start shutting these off, both for inbound and outbound. The numbers are small enough that we're not doing any mitigation: there is no fall back on SSL negotiation failure, and there is no whitelist of hosts we will allow these protocols from.

The workaround for folks who can't get their server to support these protocols is to disable advertising STARTTLS to us (or calling it on inbound).

The main product we've seen that is likely to have issues is some older versions of Lotus Notes. Other people on this list probably have a better idea of what products will have issues.

It's harder for those with broken mail clients using smtp-msa; there is no fall back to unencrypted for those clients, so they will be unable to send mail via msa when these protocols are disabled. IMAP & POP will be disabled on the same time schedule, so most likely they won't be able to read email either.

Brandon
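The sending-side policy this thread describes (refuse SSLv3 and RC4, no plaintext fallback when a peer advertises STARTTLS but the handshake fails, and, per the later reply, no EDH suites at all so the DH key-length question never arises) in working code, as an added example that is not Google's code nor any list member's. It uses Python's stdlib smtplib/ssl. Assumptions of this example: the class name TLSPolicyError and the function names are this example's own; the TLS 1.2 floor is stricter than the 2016 cut-off in the thread (which only removed SSLv3) and can be lowered if you still have TLS 1.0 peers; CERT_NONE reflects the opportunistic MTA-to-MTA model the thread discusses, where TLS encrypts but does not authenticate the peer, so certificate checks would be a separate policy layered on top.

```python
"""Opportunistic STARTTLS client with a strict cipher policy and no cleartext
fallback.  Added example, not code from Google or the mailop posters."""
import smtplib
import ssl
import sys
from email.message import EmailMessage
from typing import List, Optional


class TLSPolicyError(RuntimeError):
    """Assumed name.  Raised when a peer advertised STARTTLS but could not
    negotiate a handshake acceptable under policy: defer, do not send in clear."""


def strict_smtp_tls_context() -> ssl.SSLContext:
    """Client TLS policy: SSLv3 and RC4 gone, no finite-field DHE, TLS >= 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Opportunistic encryption only (assumption matching the thread's model):
    # check_hostname must be cleared before verify_mode can be CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # TLS 1.2 floor (stricter than the thread's 2016 cut-off); SSLv3 is
    # excluded by construction.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE only.  '!kDHE' removes finite-field ephemeral DH ("EDH" in the
    # thread), so no 1024-bit-DH negotiation can happen; RC4/MD5/anonymous/
    # null suites are excluded explicitly.  TLS 1.3 suites are unaffected.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!kDHE:!RC4:!MD5:!aNULL:!eNULL")
    return ctx


def cipher_names(ctx: ssl.SSLContext) -> List[str]:
    """Names of the suites this context will offer, for inspection/logging."""
    return [c["name"] for c in ctx.get_ciphers()]


def policy_violations(ctx: ssl.SSLContext) -> List[str]:
    """Offered suites that break the policy (RC4, finite-field DH, <128 bit)."""
    bad = []
    for c in ctx.get_ciphers():
        name = c["name"]
        if ("RC4" in name
                or name.startswith(("DHE-", "EDH-", "ADH-", "DH-"))
                or c["strength_bits"] < 128):
            bad.append(name)
    return bad


def starttls_or_fail(smtp: smtplib.SMTP, ctx: ssl.SSLContext) -> str:
    """EHLO, then upgrade to TLS if STARTTLS is advertised.

    Returns 'plaintext' only when the peer never offers STARTTLS (the
    "stop advertising STARTTLS" workaround from the announcement).  If it is
    offered and the handshake fails under policy, raise: the caller defers,
    it never retries in clear.
    """
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        return "plaintext"
    try:
        smtp.starttls(context=ctx)
    except (smtplib.SMTPException, OSError) as exc:  # ssl.SSLError is an OSError
        raise TLSPolicyError(
            f"{smtp._host}: STARTTLS offered but failed under policy, "
            f"not falling back to cleartext: {exc}") from exc
    smtp.ehlo()  # RFC 3207: the pre-TLS EHLO response must be discarded
    return smtp.sock.version()  # e.g. 'TLSv1.2' or 'TLSv1.3'


def deliver(host: str, msg: EmailMessage, port: int = 25,
            ctx: Optional[ssl.SSLContext] = None, timeout: float = 30.0) -> str:
    """Deliver one message; returns the protocol used or raises TLSPolicyError."""
    ctx = ctx or strict_smtp_tls_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        proto = starttls_or_fail(smtp, ctx)
        smtp.send_message(msg)
        return proto


def probe(host: str, port: int = 25, timeout: float = 30.0) -> str:
    """Connect, EHLO and attempt STARTTLS under policy without sending mail."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return starttls_or_fail(smtp, strict_smtp_tls_context())


if __name__ == "__main__":
    policy = strict_smtp_tls_context()
    print("offered suites:", ", ".join(cipher_names(policy)))
    print("policy violations:", policy_violations(policy) or "none")
    if len(sys.argv) > 1:  # optional: probe a real MX given on the command line
        try:
            print(sys.argv[1], "negotiated:", probe(sys.argv[1]))
        except TLSPolicyError as err:
            print("DEFER:", err)
```

Run with no arguments to see the suite list the policy produces; pass an MX hostname to probe it the way the thread's no-fallback sender would (a peer that only speaks SSLv3 or RC4 makes probe raise rather than continue in clear). Postfix, Exim and friends express the same three knobs (protocol floor, cipher exclusions, no-fallback) in their own configuration; the point of the example is the decision logic, in particular that a handshake failure after STARTTLS is advertised is a deferral, not a downgrade.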
[mailop] Comcast xfinity email delay issue
FYI: http://www.product-reviews.net/2016/05/16/comcast-xfinity-email-down-delay-outage/