Frank,
Here’s the strange part: I get conflicting responses depending on protocol and
server.
Running OS X 10.11.5
No.     Time          Source           Destination     Protocol  Length  Info
333885  67.190981000  XXX.XXX.XXX.100  192.168.15.100  TLSv1.2   259     Server Hello, Change Cipher Spec, Encrypted Handshake Message
That’s to my Exchange server using EWS.
258785  47.527004000  XXX.XXX.XXX.102  192.168.15.100  TLSv1     125     Change Cipher Spec, Encrypted Handshake Message
This is a Dovecot server, IMAP4S.
127064  20.228638000  XXX.XXX.XXX.9    192.168.15.100  TLSv1     211     Server Hello, Change Cipher Spec, Encrypted Handshake Message
This is a SmarterMail server, also IMAP4S.
21150   16.384388000  192.168.15.100   XXX.XXX.XXX.9   TLSv1.2   167     Encrypted Handshake Message
Same server, but EWS.
So my guess is that this is really just affecting standard mail protocols, but
not SOAP calls.
I’ve been meaning to test out SOGo, but haven’t had the chance, so OpenChange
may work the same, but I’m not sure.
I agree with Bill that it’s affecting many older clients as well, but I
disagree that RC4/TLS1 is less immune to MITM just because you are using an
SMTP/IMAP/POP transport. Most client systems won’t fall back to no encryption;
they will just error out. Only servers will.
The good news is that at least the POODLE attack on TLS1 was restricted to F5
load balancers, at least I think:
https://en.wikipedia.org/wiki/POODLE#POODLE_attack_against_TLS
> On Jun 24, 2016, at 11:24 PM, frnk...@iname.com wrote:
>
> I want to disable it for the reasons that Eric spelled out. TLS 1.0 is
> broken, so if we turn it off on websites, shouldn't we turn it off for all
> protocols? Not that we promise our customers end-to-end encryption for all
> their e-mail messages and handling, but I'd like to take advantage of the
> standards that are already out there for web browsing.
>
> And I think we could, if it weren't for Apple's mail products.
>
> Frank
>
> -Original Message-
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Seth Mattinen
> Sent: Friday, June 24, 2016 6:28 PM
> To: mailop@mailop.org
> Subject: Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products
>
> On 6/24/16 10:31 AM, Frank Bulk wrote:
>> Due to PCI requirements to disable TLS 1.0, and recognizing an overall
>> push towards TLS 1.1 and TLS 1.2, we tried turning off TLS 1.0 on our
>> email servers. That generally worked out fine for webmail, but Apple
>> users couldn’t use SMTP, POP3, or IMAP, resulting in a lot of helpdesk
>> calls. We ended up turning TLS 1.0 back on.
>>
>
> Unless you're sending card numbers or track data by email why would you
> need to disable TLSv1.0 on a mail server for PCI?
>
> ~Seth
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop