Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products
Bill,

Thanks for bringing up all those points. While perhaps the practical implications of TLS 1.0's brokenness may not be as applicable to email, it doesn't mean ESPs should automatically be satisfied with the status quo. If most vendors have found a way to implement TLS 1.1 and 1.2, then it's not unreasonable to expect an industry giant such as Apple to participate. Based on our own experience and what I've read so far, it appears that if Apple stepped in line, the percentage of clients that can't support TLS 1.0 with fallback to clear text would be very small.

When we turned TLS 1.0 off on our webmail server we got a few calls from customers, but our helpdesk was not ashamed to encourage our customers to try another browser and/or upgrade their OS to address the issue. As I may have mentioned earlier, it didn't hurt that a regional bank did the same with their online banking page ... come to think of it, we may have had more calls from customers about the bank's web page than our webmail.

Frank

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Bill Cole
Sent: Saturday, June 25, 2016 3:38 PM
To: mailop@mailop.org
Subject: Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

On 24 Jun 2016, at 23:24, frnk...@iname.com wrote:

> I want to disable it for the reasons that Eric spelled out. TLS 1.0 is
> broken, so if we turn it off on websites, shouldn't we turn it off for
> all protocols?

Can you explain how exactly TLS 1.0 is broken in ways that are relevant for email? What is the attack model where a TLS 1.0 weakness is relevant to any facet of email other than end-user HTTPS-based access? Can you see how one might protect against such attacks short of disabling TLS 1.0?

As for the relevance of this to PCI-DSS compliance: There are many people making money from selling a weak and oversimplified understanding of that standard to others who think it is beyond their capacity to understand and so never bother trying to read it.
If a PCI "expert" claims you must disable TLS 1.0 for SMTP to be compliant, make him give you a specific citation. Read that whole section with all the fine print before firing him. (HINT: Appendix 2 is the critical part, where the phrase "Risk Mitigation and Migration Plan" is used heavily.)

> Not that we promise our customers end-to-end encryption for all their
> e-mail messages and handling,

Good call. No one passing mail to and from the Internet at large can keep such a promise and provide mail service customers will actually pay for and rely on.

> but I'd like to take advantage of the standards that are already out
> there for web browsing.

Mail is different. Really.

You can allow for people running the latest software to use the latest protocols without requiring that everyone do so. All the relevant RFCs say SMTP falls back to cleartext if negotiating encryption fails. IMAP and SMTP authentication standards offer mechanisms that are safe over unencrypted transport, and many clients will fall back to using those *silently* if they can't make TLS work. Require encryption, and you eliminate interoperability with many SMTP servers. Limit encryption to the latest and greatest protocols but still allow cleartext fallback, and you get back some of those cleartext-only senders but lose senders who won't ever try cleartext and can't do better than TLS 1.0. I won't even try to explain the morass of limiting ciphersuites: the corner cases there are too complex. If you want an exhaustive explanation for why NOT to make a mail server overly restrictive (and how far is reasonable to go), go hunting for Viktor Dukhovni's many discussions of the issue on the Postfix mailing lists.

> And I think we could, if it weren't for Apple's mail products.

That is probably false. It's certainly false for MOST mail systems. There's a lot of old software in widespread use. Do you want mail servers on EL6-family distributions to fall back to cleartext when talking to you?
People still clinging to Windows 7? How about people with service-subsidized Android 4 phones whose contracts aren't done? What is your view on interop with FreeBSD 9? How about people behind an idiotically configured (i.e. default configured) Cisco ASA or PIX firewall?

There's a LOT of software out there linked to OpenSSL 0.9.8 and a bit less to 1.0.0, both of which had their final patch releases in 12/2015 and support nothing newer than TLS 1.0. Note that anyone running on those final versions with default build options and prudent configurations should be safe from known TLS 1.0 vulnerabilities. The precise wording of PCI-DSS 3.2 arguably would exempt those releases, since their TLS 1.0 implementations differ in important ways from "early TLS" (a squishy phrase PCI-DSS seems fond of...)

There are sound reasons for nominally closed and controlled environments to
Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products
Frank,

Here’s the strange part: I get conflicting responses depending on protocol and server. Running OSX 10.11.5.

333885  67.190981000  XXX.XXX.XXX.100  192.168.15.100  TLSv1.2  259  Server Hello, Change Cipher Spec, Encrypted Handshake Message

That’s to my Exchange server using EWS.

258785  47.527004000  XXX.XXX.XXX.102  192.168.15.100  TLSv1  125  Change Cipher Spec, Encrypted Handshake Message

This is a DoveCot server, IMAP4S.

127064  20.228638000  XXX.XXX.XXX.9  192.168.15.100  TLSv1  211  Server Hello, Change Cipher Spec, Encrypted Handshake Message

This is a SmarterMail server, also IMAP4S.

21150  16.384388000  192.168.15.100  XXX.XXX.XXX.9  TLSv1.2  167  Encrypted Handshake Message

Same server, but EWS.

So my guess is that this is really just affecting standard mail protocols, but not SOAP calls. I’ve been meaning to test out SOGo, but haven’t had the chance, so OpenChange may work the same, but I’m not sure.

I agree with Bill that it’s affecting many older clients as well, but I disagree that RC4/TLS1 is less immune to MITM just because you are using a SMTP/IMAP/POP transport. Most client systems won’t fall back to non-encryption; they will just error out. Only servers will.

Good news is at least the POODLE attack on TLS1 was restricted to F5 load balancers, at least I think: https://en.wikipedia.org/wiki/POODLE#POODLE_attack_against_TLS

> On Jun 24, 2016, at 11:24 PM, frnk...@iname.com wrote:
>
> I want to disable it for the reasons that Eric spelled out. TLS 1.0 is
> broken, so if we turn it off on websites, shouldn't we turn it off for all
> protocols? Not that we promise our customers end-to-end encryption for all
> their e-mail messages and handling, but I'd like to take advantage of the
> standards that are already out there for web browsing.
>
> And I think we could, if it weren't for Apple's mail products.
>
> Frank
>
> -Original Message-
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Seth Mattinen
> Sent: Friday, June 24, 2016 6:28 PM
> To: mailop@mailop.org
> Subject: Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products
>
> On 6/24/16 10:31 AM, Frank Bulk wrote:
>> Due to PCI requirements to disable TLS 1.0, and recognizing an overall
>> push towards TLS 1.1 and TLS 1.2, we tried turning off TLS 1.0 on our
>> email servers. That generally worked out fine for webmail, but Apple
>> users couldn’t use SMTP, POP3, or IMAP, resulting in a lot of helpdesk
>> calls. We ended up turning TLS 1.0 back on.
>>
>
> Unless you're sending card numbers or track data by email why would you
> need to disable TLSv1.0 on a mail server for PCI?
>
> ~Seth
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products
SSL3 was a small fraction of our traffic; tls1.0 is not a small fraction. Could be because of this Apple issue, but it's also true for server to server traffic. I haven't investigated what doesn't support better yet; perhaps our TLS team has.

Note our post says supporting tls1.2 is necessary to survive to 2020, which is still a ways away. It's also a vendor compliance requirement.

Brandon

On Jun 24, 2016 10:38 AM, "Frank Bulk" wrote:
>
> https://googleappsupdates.blogspot.com/2016/06/gradually-disabling-support-for-sslv3.html
>
> https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/
>
> Due to PCI requirements to disable TLS 1.0, and recognizing an overall
> push towards TLS 1.1 and TLS 1.2, we tried turning off TLS 1.0 on our
> email servers. That generally worked out fine for webmail, but Apple users
> couldn’t use SMTP, POP3, or IMAP, resulting in a lot of helpdesk calls. We
> ended up turning TLS 1.0 back on.
>
> We learned that apparently Apple mail products currently have no support
> for TLS 1.1 or TLS 1.2.
> https://discussions.apple.com/message/29755546#29755546
> https://discussions.apple.com/message/28336623#message28336623
>
> Anyone else have insight into Apple’s plans? How do we nudge them?
> Brandon, is this a reason that Google has not deprecated TLS 1.0 as well?
>
> Frank
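Bill's point that an overly restrictive server pushes old peers to cleartext, and Brandon's note that he has not yet measured what cannot do better than TLS 1.0, come down to the same operational question: which peers would actually lose TLS if 1.0 were switched off? The following is an added example, not code from any poster in this thread. It tallies negotiated protocol versions from Postfix-style "TLS connection established" log lines and lists the peers whose best observed version is TLS 1.0 or older. The log format assumed is the one Postfix's smtpd and smtp log once a handshake completes; the sample lines are constructed, with invented hostnames and documentation addresses.

```python
"""Tally negotiated TLS protocol versions from Postfix-style log lines.

Added example for this thread, not code from any poster. It assumes the
line format Postfix's smtpd/smtp use when they log an established TLS
session; the sample lines below are constructed (invented hostnames,
RFC 5737 documentation addresses).
"""
import re
from collections import Counter

# Constructed sample log excerpt: three TLSv1 sessions from two old peers,
# two TLSv1.2 sessions, and one unrelated line that must be ignored.
SAMPLE_LOG = """\
Jun 25 10:01:02 mx1 postfix/smtpd[1234]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 25 10:01:05 mx1 postfix/smtpd[1235]: Anonymous TLS connection established from old-relay.example.org[198.51.100.7]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jun 25 10:01:09 mx1 postfix/smtpd[1236]: Anonymous TLS connection established from old-relay.example.org[198.51.100.7]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jun 25 10:02:11 mx1 postfix/smtp[1240]: Trusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun 25 10:02:30 mx1 postfix/smtpd[1241]: connect from unknown[203.0.113.9]
Jun 25 10:03:00 mx1 postfix/smtpd[1242]: Untrusted TLS connection established from legacy.example.org[198.51.100.20]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

# "<trust> TLS connection established from|to host[ip](:port): PROTO with cipher NAME"
# Inbound (smtpd) lines say "from host[ip]:", outbound (smtp) lines say "to host[ip]:port:".
TLS_LINE = re.compile(
    r"(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<host>\S+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>(?:SSL|TLS)v[\d.]+) with cipher (?P<cipher>\S+)"
)

# Ordering used to decide a peer's best observed version.
PROTO_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def parse_tls_line(line):
    """Return the fields of one established-TLS log line, or None for any other line."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["peer"] = f"{rec['host']}[{rec['ip']}]"
    return rec


def tally_versions(lines):
    """Count established sessions per negotiated protocol version."""
    counts = Counter()
    for line in lines:
        rec = parse_tls_line(line)
        if rec:
            counts[rec["proto"]] += 1
    return counts


def legacy_share(lines, ceiling="TLSv1"):
    """Fraction of established sessions negotiated at `ceiling` or older."""
    counts = tally_versions(lines)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    limit = PROTO_RANK[ceiling]
    legacy = sum(n for proto, n in counts.items() if PROTO_RANK.get(proto, -1) <= limit)
    return legacy / total


def peers_capped_at(lines, ceiling="TLSv1"):
    """Peers whose *best* observed version is `ceiling` or older.

    A peer seen at TLSv1 on one session and TLSv1.2 on another is not listed:
    it can do better, so disabling TLS 1.0 would not push it to cleartext.
    Returns sorted (peer, session_count) pairs.
    """
    best = {}
    sessions = Counter()
    for line in lines:
        rec = parse_tls_line(line)
        if not rec:
            continue
        peer = rec["peer"]
        sessions[peer] += 1
        best[peer] = max(best.get(peer, -1), PROTO_RANK.get(rec["proto"], -1))
    limit = PROTO_RANK[ceiling]
    return sorted((peer, sessions[peer]) for peer, rank in best.items() if rank <= limit)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for proto, n in sorted(tally_versions(lines).items()):
        print(f"{proto:8} {n}")
    print(f"share at TLSv1 or older: {legacy_share(lines):.0%}")
    for peer, n in peers_capped_at(lines):
        print(f"would lose TLS if TLS 1.0 were disabled: {peer} ({n} sessions)")
```

Run it over a real mail log instead of SAMPLE_LOG (for example by feeding `open("/var/log/mail.log")` to the same functions) and the peer list is the set of hosts that would fall back to cleartext, or stop delivering, under a TLS 1.0 cutoff; the share figure is the number Brandon refers to when he says 1.0 is "not a small fraction".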
[mailop] Lack of TLS 1.1/1.2 support on Apple email products
https://googleappsupdates.blogspot.com/2016/06/gradually-disabling-support-for-sslv3.html
https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

Due to PCI requirements to disable TLS 1.0, and recognizing an overall push towards TLS 1.1 and TLS 1.2, we tried turning off TLS 1.0 on our email servers. That generally worked out fine for webmail, but Apple users couldn't use SMTP, POP3, or IMAP, resulting in a lot of helpdesk calls. We ended up turning TLS 1.0 back on.

We learned that apparently Apple mail products currently have no support for TLS 1.1 or TLS 1.2.
https://discussions.apple.com/message/29755546#29755546
https://discussions.apple.com/message/28336623#message28336623

Anyone else have insight into Apple's plans? How do we nudge them? Brandon, is this a reason that Google has not deprecated TLS 1.0 as well?

Frank