Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-08-13 Thread frnkblk
Bill,

Thanks for bringing up all those points.  While perhaps the practical 
implications of the TLS1.0's brokenness may not be as applicable to email, it 
doesn't mean ESPs should automatically be satisfied with the status quo.  If 
most vendors have found a way to implement TLS 1.1 and 1.2 then it's not 
unreasonable to expect an industry giant such as Apple to participate.

Based on our own experience and what I've read so far, it appears that if Apple 
stepped in line the percentage of clients that can't support TLS 1.0 with 
fallback to clear text would be very small.  When we turned TLS 1.0 off on our 
webmail server we got a few calls from customers, but our helpdesk was not 
ashamed to encourage our customers to try another browser and/or upgrade their 
OS to address the issue.  As I may have mentioned earlier, it didn't hurt that 
a regional bank did the same with their online banking page ... come to think 
of it, we may have had more calls from customers about the bank's web page than 
our webmail.

Frank

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Bill Cole
Sent: Saturday, June 25, 2016 3:38 PM
To: mailop@mailop.org
Subject: Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

On 24 Jun 2016, at 23:24, frnk...@iname.com wrote:

> I want to disable it for the reasons that Eric spelled out. TLS 1.0 is 
> broken, so if we turn it off on websites, shouldn't we turn it off for 
> all protocols?

Can you explain how exactly TLS 1.0 is broken in ways that are relevant 
for email? What is the attack model where a TLS 1.0 weakness is relevant 
to any facet of email other than end-user HTTPS-based access? Can you 
see how one might protect against such attacks short of disabling TLS 
1.0?

As for the relevance of this to PCI-DSS compliance: There are many 
people making money from selling a weak and oversimplified understanding 
of that standard to others who think it is beyond their capacity to 
understand and so never bother trying to read it. If a PCI "expert" 
claims you must disable TLS 1.0 for SMTP to be compliant, make him give 
you a specific citation. Read that whole section with all the fine print 
before firing him. (HINT: Appendix 2 is the critical part, where the 
phrase "Risk Mitigation and Migration Plan" is used heavily)

> Not that we promise our customers end-to-end encryption for all their 
> e-mail messages and handling,

Good call. No one passing mail to and from the Internet at large can 
keep such a promise and provide mail service customers will actually pay 
for and rely on.

> but I'd like to take advantage of the standards that are already out 
> there for web browsing.

Mail is different. Really. You can allow for people running the latest 
software to use the latest protocols without requiring that everyone do 
so. All the relevant RFCs say SMTP falls back to cleartext if 
negotiating encryption fails. IMAP and SMTP authentication standards 
offer mechanisms that are safe over unencrypted transport, and many 
clients will fall back to using those *silently* if they can't make TLS 
work. Require encryption, and you eliminate interoperability with many 
SMTP servers. Limit encryption to the latest and greatest protocols but 
still allow cleartext fallback, and you get back some of those 
cleartext-only senders but lose senders who won't ever try cleartext and 
can't do better than TLS 1.0. I won't even try to explain the morass of 
limiting ciphersuites: the corner cases there are too complex. If you 
want an exhaustive explanation for why NOT to make a mail server overly 
restrictive (and how far is reasonable to go) go hunting for Viktor 
Dukhovni's many discussions of the issue on the Postfix mailing lists.

> And I think we could, if it weren't for Apple's mail products.

That is probably false. It's certainly false for MOST mail systems. 
There's a lot of old software in widespread use. Do you want mail 
servers on EL6-family distributions to fall back to cleartext when 
talking to you? People still clinging to Windows 7? How about people 
with service-subsidized Android 4 phones whose contracts aren't done? 
What is your view on interop with FreeBSD 9? How about people behind an 
idiotically configured (i.e. default configured) Cisco ASA or PIX 
firewall? There's a LOT of software out there linked to OpenSSL 0.9.8 
and a bit less to 1.0.0, both of which had their final patch releases in 
12/2015 and support nothing newer than TLS 1.0. Note that anyone running 
on those final versions with default build options and prudent 
configurations should be safe from known TLS 1.0 vulnerabilities. The 
precise wording of PCI-DSS 3.2 arguably would exempt those releases, 
since their TLS 1.0 implementations differ in important ways from "early 
TLS" (a squishy phrase PCI-DSS seems fond of...)

There are sound reasons for nominally closed and controlled environments 
to
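Bill's point above is about how three knobs interact: the lowest protocol a mail server will accept, whether it still allows a cleartext session when TLS fails (opportunistic TLS as the SMTP RFCs describe), and whether a given peer retries in cleartext or simply errors out. The following is an added illustration, not code from anyone in this thread: a small model that plays a constructed population of peers (a modern MTA, an Apple-style client that per this thread stops at TLS 1.0 and does not fall back, a sender linked against OpenSSL 0.9.8, and a cleartext-only legacy sender) against three server policies and tallies who ends up encrypted, who falls back to cleartext, and who fails outright. The peer list, version strings and policy names are assumptions made for the example.

```python
"""Model of the interoperability trade-off between a mail server's TLS policy
and a mixed population of peers.  Added illustration for the discussion above;
the peer population below is constructed for the example, not measured."""
from dataclasses import dataclass
from typing import Optional

# Protocol versions in preference order; a peer with max_version None cannot do TLS at all.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]


@dataclass(frozen=True)
class Peer:
    name: str
    max_version: Optional[str]   # highest protocol the peer offers
    cleartext_fallback: bool     # retries without TLS if the handshake fails?


@dataclass(frozen=True)
class ServerPolicy:
    min_version: str       # lowest protocol the server still accepts
    max_version: str       # highest protocol the server implements
    allow_cleartext: bool  # opportunistic TLS: plain session if TLS fails


def negotiate(policy: ServerPolicy, peer: Peer) -> str:
    """Outcome of one session: 'tls:<version>', 'cleartext' or 'fail'."""
    if peer.max_version is not None:
        offered = VERSIONS.index(peer.max_version)
        if offered >= VERSIONS.index(policy.min_version):
            # Both sides settle on the highest version they share.
            chosen = min(offered, VERSIONS.index(policy.max_version))
            return "tls:" + VERSIONS[chosen]
    # TLS impossible or refused: only a peer willing to downgrade gets through,
    # and only if the server still permits cleartext.
    if policy.allow_cleartext and peer.cleartext_fallback:
        return "cleartext"
    return "fail"


def summarize(policy: ServerPolicy, peers) -> dict:
    """Count outcomes across the whole peer population."""
    counts: dict = {}
    for peer in peers:
        outcome = negotiate(policy, peer)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed peers, modelled on the kinds of senders and clients named in the thread.
PEERS = [
    Peer("modern MTA", "TLSv1.2", True),
    Peer("Apple Mail (per thread: TLS 1.0 only, errors out)", "TLSv1.0", False),
    Peer("sender linked to OpenSSL 0.9.8", "TLSv1.0", True),
    Peer("cleartext-only legacy sender", None, True),
]

# Three server policies for comparison (labels are this example's own).
POLICIES = {
    "opportunistic, TLS 1.0+": ServerPolicy("TLSv1.0", "TLSv1.2", True),
    "opportunistic, TLS 1.1+": ServerPolicy("TLSv1.1", "TLSv1.2", True),
    "mandatory, TLS 1.1+": ServerPolicy("TLSv1.1", "TLSv1.2", False),
}

if __name__ == "__main__":
    for label, policy in POLICIES.items():
        print(label)
        for peer in PEERS:
            print(f"  {peer.name:52} -> {negotiate(policy, peer)}")
        print("  totals:", summarize(policy, PEERS))
```

Raising the floor to TLS 1.1 while keeping cleartext fallback recovers the OpenSSL 0.9.8 sender as a cleartext session but turns the Apple-style client into a hard failure, which is exactly the helpdesk symptom Frank reported; making TLS mandatory fails every peer that cannot do better than TLS 1.0.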

Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-06-25 Thread Eric Tykwinski
Frank,

Here’s the strange part: I get conflicting responses depending on protocol and 
server.
Running OSX 10.11.5 

333885  67.190981000  XXX.XXX.XXX.100  192.168.15.100  TLSv1.2  259  Server Hello, Change Cipher Spec, Encrypted Handshake Message
That’s to my Exchange server using EWS.

258785  47.527004000  XXX.XXX.XXX.102  192.168.15.100  TLSv1    125  Change Cipher Spec, Encrypted Handshake Message
This is a Dovecot server, IMAP4S

127064  20.228638000  XXX.XXX.XXX.9    192.168.15.100  TLSv1    211  Server Hello, Change Cipher Spec, Encrypted Handshake Message
This is a SmarterMail server, also IMAP4S

21150   16.384388000  192.168.15.100   XXX.XXX.XXX.9   TLSv1.2  167  Encrypted Handshake Message
Same server, but EWS.

So my guess is that this is really just affecting standard mail protocols, but 
not SOAP calls.
I’ve been meaning to test out SOGo, but haven’t had the chance, so OpenChange 
may work the same, but I’m not sure.

I agree with Bill that it’s affecting many older clients as well, but I 
disagree that RC4/TLS1 is less immune to MITM just because you are using an 
SMTP/IMAP/POP transport.  Most client systems won’t fall back to non-encryption; 
they will just error out, only servers will.

Good news is at least the POODLE attack on TLS1 was restricted to F5 load 
balancers, at least I think:
https://en.wikipedia.org/wiki/POODLE#POODLE_attack_against_TLS

> On Jun 24, 2016, at 11:24 PM, frnk...@iname.com wrote:
> 
> I want to disable it for the reasons that Eric spelled out. TLS 1.0 is 
> broken, so if we turn it off on websites, shouldn't we turn it off for all 
> protocols?  Not that we promise our customers end-to-end encryption for all 
> their e-mail messages and handling, but I'd like to take advantage of the 
> standards that are already out there for web browsing.
> 
> And I think we could, if it weren't for Apple's mail products.
> 
> Frank
> 
> -Original Message-
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Seth Mattinen
> Sent: Friday, June 24, 2016 6:28 PM
> To: mailop@mailop.org
> Subject: Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products
> 
> On 6/24/16 10:31 AM, Frank Bulk wrote:
>> Due to PCI requirements to disable TLS 1.0, and recognizing an overall
>> push towards TLS 1.1 and TLS 1.2, we tried turning off TLS 1.0 on our
>> email servers.  That generally worked out fine for webmail, but Apple
>> users couldn’t use SMTP, POP3, or IMAP, resulting in a lot of helpdesk
>> calls.  We ended up turning TLS 1.0 back on.
>> 
> 
> Unless you're sending card numbers or track data by email why would you 
> need to disable TLSv1.0 on a mail server for PCI?
> 
> ~Seth
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
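Eric's capture excerpts above show that the protocol column of a Server Hello is the version the server actually settled on, which is what an operator needs to know before raising the floor (and, later in the thread, what Brandon means by TLS 1.0 being "not a small fraction" of traffic). The script below is an added example, not something posted in this thread: it parses Wireshark/tshark-style summary lines in the same layout Eric pasted (frame, time, source, destination, protocol, length, info), keeps only Server Hello frames, and reports negotiated versions per server plus the share below a chosen floor. The sample lines are constructed in that layout with documentation-range addresses; the regex and function names are this example's own assumptions. Because the summary lines carry no port, two services on one address (Eric's IMAP4S and EWS on the same host) are counted against the same server; key on the port as well if your export includes it.

```python
"""Summarise negotiated TLS versions from tshark/Wireshark-style packet summary
lines.  Added illustration, not part of the thread; the sample below is
constructed in the same layout as the lines Eric pasted."""
import re
from collections import Counter, defaultdict

# frame  time  src  dst  proto  len  info   (whitespace separated; info is free text)
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+(?P<proto>SSLv\d|TLSv1(?:\.\d)?)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)

# Rank used to decide what counts as "below the floor"; unknown strings rank lowest.
RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# Constructed sample (addresses are placeholders, not Eric's hosts).
SAMPLE = """\
333885  67.190981000  203.0.113.100  192.168.15.100  TLSv1.2  259  Server Hello, Change Cipher Spec, Encrypted Handshake Message
258785  47.527004000  203.0.113.102  192.168.15.100  TLSv1    125  Change Cipher Spec, Encrypted Handshake Message
258790  47.530000000  203.0.113.102  192.168.15.100  TLSv1    211  Server Hello, Change Cipher Spec, Encrypted Handshake Message
127064  20.228638000  203.0.113.9    192.168.15.100  TLSv1    211  Server Hello, Change Cipher Spec, Encrypted Handshake Message
21150   16.384388000  192.168.15.100 203.0.113.9     TLSv1.2  167  Encrypted Handshake Message
21160   16.390000000  203.0.113.9    192.168.15.100  TLSv1.2  203  Server Hello
this line is not a packet summary and is skipped
"""


def parse_server_hellos(text):
    """Yield (server_address, negotiated_version) for every Server Hello frame.

    The Server Hello travels server -> client, so its source is the server and
    its protocol column is the version the server chose for the session."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or "Server Hello" not in m.group("info"):
            continue
        yield m.group("src"), m.group("proto")


def versions_by_server(text):
    """Map server address -> Counter of negotiated versions seen from it."""
    table = defaultdict(Counter)
    for server, version in parse_server_hellos(text):
        table[server][version] += 1
    return table


def legacy_share(text, floor="TLSv1.1"):
    """Fraction of sessions negotiated below `floor`, i.e. the sessions that
    would fail (or fall back to cleartext) once the server refuses them."""
    hellos = list(parse_server_hellos(text))
    if not hellos:
        return 0.0
    below = sum(1 for _, v in hellos if RANK.get(v, -1) < RANK[floor])
    return below / len(hellos)


if __name__ == "__main__":
    for server, versions in sorted(versions_by_server(SAMPLE).items()):
        print(server, dict(versions))
    print("share below TLS 1.1:", legacy_share(SAMPLE))
```

Run over a real summary export, the per-server table separates hosts that merely tolerate TLS 1.0 from hosts that never negotiate anything better, and the share figure tells you how much of your own traffic a higher floor would actually cut off before you change the setting.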


Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-06-24 Thread Brandon Long via mailop
SSL3 was a small fraction of our traffic, tls1.0 is not a small fraction.
Could be because of this Apple issue, but it's also true for server to
server traffic.

I haven't investigated what doesn't support better yet, perhaps our tls
team has.

Note our post says supporting tls1.2 is necessary to survive to 2020, which
is still a ways away.  It's also a vendor compliance requirement.

Brandon

On Jun 24, 2016 10:38 AM, "Frank Bulk"  wrote:

> https://googleappsupdates.blogspot.com/2016/06/gradually-disabling-support-for-sslv3.html
>
> https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/
>
> Due to PCI requirements to disable TLS 1.0, and recognizing an overall
> push towards TLS 1.1 and TLS 1.2, we tried turning off TLS 1.0 on our
> email servers.  That generally worked out fine for webmail, but Apple users
> couldn’t use SMTP, POP3, or IMAP, resulting in a lot of helpdesk calls.  We
> ended up turning TLS 1.0 back on.
>
> We learned that apparently Apple mail products currently have no support
> for TLS 1.1 or TLS 1.2.
>
> https://discussions.apple.com/message/29755546#29755546
>
> https://discussions.apple.com/message/28336623#message28336623
>
> Anyone else have insight into Apple’s plans?  How do we nudge them?
>
> Brandon, is this a reason that Google has not deprecated TLS 1.0 as well?
>
> Frank


[mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-06-24 Thread Frank Bulk
https://googleappsupdates.blogspot.com/2016/06/gradually-disabling-support-for-sslv3.html

https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

Due to PCI requirements to disable TLS 1.0, and recognizing an overall push
towards TLS 1.1 and TLS 1.2, we tried turning off TLS 1.0 on our email
servers.  That generally worked out fine for webmail, but Apple users
couldn't use SMTP, POP3, or IMAP, resulting in a lot of helpdesk calls.  We
ended up turning TLS 1.0 back on.

We learned that apparently Apple mail products currently have no support for
TLS 1.1 or TLS 1.2.

https://discussions.apple.com/message/29755546#29755546

https://discussions.apple.com/message/28336623#message28336623

Anyone else have insight into Apple's plans?  How do we nudge them?

Brandon, is this a reason that Google has not deprecated TLS 1.0 as well?

Frank
