Re: [mailop] deprecating rc4 & ssl3
All of our mx hostnames are in the SAN for the cert, so any mx hostname should be fine. There is no change to that with this change.

Brandon

On May 17, 2016 8:53 AM, "Jeremy Harris" wrote:
> On 17/05/16 00:07, Brandon Long via mailop wrote:
> > As an FYI, this seems unlikely to affect most of you as the number of
> > services we see using these is pretty small:
> >
> > http://googleappsupdates.blogspot.com/2016/05/disabling-support-for-sslv3-and-rc4-for.html
>
> Specifically for SMTP, what SNI content will you be requiring?
>
> --
> Thanks,
> Jeremy

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] deprecating rc4 & ssl3
On 17/05/16 00:07, Brandon Long via mailop wrote:
> As an FYI, this seems unlikely to affect most of you as the number of
> services we see using these is pretty small:
>
> http://googleappsupdates.blogspot.com/2016/05/disabling-support-for-sslv3-and-rc4-for.html

Specifically for SMTP, what SNI content will you be requiring?

--
Thanks,
Jeremy
Re: [mailop] deprecating rc4 & ssl3
On 18/05/16 00:27, Al Iverson wrote:
> Hey Brandon, can you explain regarding IMAP & POP being disabled? My
> employer does a ton of automated email processing using Google apps
> and Gmail accounts, using IMAP and POP (with SSL). Are IMAP and POP3
> being retired permanently?

I suspect the IMAP and POP3 protocols are not being retired outright, but only the ability to connect to them using RC4 and SSL3 encrypted connections.
Re: [mailop] deprecating rc4 & ssl3
Sorry, I meant that ssl3 and rc4 will be disabled for imap and pop around the same time as it is for smtp. We have no plans to turn down those services.

And to answer another question off list, yes, rc4 will be disabled for all tls versions as well; these are both being disabled separately.

Brandon

On May 17, 2016 7:37 AM, "Al Iverson" wrote:
> On Tue, May 17, 2016 at 9:27 AM, Al Iverson wrote:
> > On Mon, May 16, 2016 at 6:07 PM, Brandon Long via mailop wrote:
> >>
> >> It's harder for those with broken mail clients using smtp-msa, there is no
> >> fall back to unencrypted for those clients, they will be unable to send mail
> >> via msa when these protocols are disabled. IMAP & POP will be disabled on
> >> the same time schedule, so most likely they won't be able to read email
> >> either.
> >
> > Hey Brandon, can you explain regarding IMAP & POP being disabled? My
> > employer does a ton of automated email processing using Google apps
> > and Gmail accounts, using IMAP and POP (with SSL). Are IMAP and POP3
> > being retired permanently?
>
> Here's a very small example of that: http://xnnd.com/authentication/
>
> In this example, mail is sent to a Google apps account, and script
> uses Fetchmail with IMAP or POP3 to download messages, parse info
> about auth/encryption from Google headers, logs info, presents info to
> user.
>
> That's a very small public version of something we do in a much bigger
> way non-publicly. I suspect other email service providers do as well.
> (Just to monitor things like auth status, content checks, TLS, etc.,
> not to play silly buggers with spam filters.)
>
> Cheers,
> Al Iverson
>
> > --
> > Al Iverson
> > www.aliverson.com
> > (312)725-0130
Re: [mailop] deprecating rc4 & ssl3
On Tue, May 17, 2016 at 9:27 AM, Al Iverson wrote:
> On Mon, May 16, 2016 at 6:07 PM, Brandon Long via mailop wrote:
>>
>> It's harder for those with broken mail clients using smtp-msa, there is no
>> fall back to unencrypted for those clients, they will be unable to send mail
>> via msa when these protocols are disabled. IMAP & POP will be disabled on
>> the same time schedule, so most likely they won't be able to read email
>> either.
>
> Hey Brandon, can you explain regarding IMAP & POP being disabled? My
> employer does a ton of automated email processing using Google apps
> and Gmail accounts, using IMAP and POP (with SSL). Are IMAP and POP3
> being retired permanently?

Here's a very small example of that: http://xnnd.com/authentication/

In this example, mail is sent to a Google apps account, and script
uses Fetchmail with IMAP or POP3 to download messages, parse info
about auth/encryption from Google headers, logs info, presents info to
user.

That's a very small public version of something we do in a much bigger
way non-publicly. I suspect other email service providers do as well.
(Just to monitor things like auth status, content checks, TLS, etc.,
not to play silly buggers with spam filters.)

Cheers,
Al Iverson

> --
> Al Iverson
> www.aliverson.com
> (312)725-0130
Re: [mailop] deprecating rc4 & ssl3
On Mon, May 16, 2016 at 6:07 PM, Brandon Long via mailop wrote:
>
> It's harder for those with broken mail clients using smtp-msa, there is no
> fall back to unencrypted for those clients, they will be unable to send mail
> via msa when these protocols are disabled. IMAP & POP will be disabled on
> the same time schedule, so most likely they won't be able to read email
> either.

Hey Brandon, can you explain regarding IMAP & POP being disabled? My
employer does a ton of automated email processing using Google apps
and Gmail accounts, using IMAP and POP (with SSL). Are IMAP and POP3
being retired permanently?

Thanks,
Al Iverson

--
Al Iverson
www.aliverson.com
(312)725-0130
Re: [mailop] deprecating rc4 & ssl3
We removed support for EDH ciphers a while back, so I don't think we worry about DH key lengths. I don't think they are supported by BoringSSL, which all Google products should be using now.

At least, that's my basic understanding, most of this is handled by our tls team, so I don't have to think about it.

And we never fall back to plain text, haven't in years.

Brandon

On Mon, May 16, 2016 at 4:57 PM, Carl Byington wrote:
> On Mon, 2016-05-16 at 16:07 -0700, Brandon Long via mailop wrote:
>
> > The numbers are small enough that we're not doing any mitigation,
> > there is no fall back on ssl negotiation failure, there is no
> > whitelist of hosts we will allow these protocols from.
>
> Thank you! It makes it much easier for us to do the same - when folks
> complain we can say - well, you cannot deliver mail to google either -
> fix your system.
>
> On a related topic, are you doing any fallback to plain text on DH key
> length? What is the minimum DH key length you require for mail? Our
> systems currently require 1024 bit keys, but will fallback to plain text
> after 8 hours. The delay encourages folks to upgrade their DH keys, but
> I have not seen such a fallback in the last few weeks.
Re: [mailop] deprecating rc4 & ssl3
On Mon, 2016-05-16 at 16:07 -0700, Brandon Long via mailop wrote:

> The numbers are small enough that we're not doing any mitigation,
> there is no fall back on ssl negotiation failure, there is no
> whitelist of hosts we will allow these protocols from.

Thank you! It makes it much easier for us to do the same - when folks
complain we can say - well, you cannot deliver mail to google either -
fix your system.

On a related topic, are you doing any fallback to plain text on DH key
length? What is the minimum DH key length you require for mail? Our
systems currently require 1024 bit keys, but will fallback to plain text
after 8 hours. The delay encourages folks to upgrade their DH keys, but
I have not seen such a fallback in the last few weeks.

(PGP-signed message; signature block omitted.)
[mailop] deprecating rc4 & ssl3
As an FYI, this seems unlikely to affect most of you as the number of services we see using these is pretty small:

http://googleappsupdates.blogspot.com/2016/05/disabling-support-for-sslv3-and-rc4-for.html

So, in 30 days, we're going to start shutting these off, both for inbound and outbound. The numbers are small enough that we're not doing any mitigation, there is no fall back on ssl negotiation failure, there is no whitelist of hosts we will allow these protocols from.

Workaround for folks who can't get their server to support these protocols is to disable advertising STARTTLS to us (or calling it on inbound).

Main products we've seen that are likely to have issues are some older versions of Lotus Notes. Other people on this list probably have a better idea of what products will have issues.

It's harder for those with broken mail clients using smtp-msa, there is no fall back to unencrypted for those clients, they will be unable to send mail via msa when these protocols are disabled. IMAP & POP will be disabled on the same time schedule, so most likely they won't be able to read email either.

Brandon
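Al's approach of parsing TLS details out of Google's Received headers, applied to the cutoff criteria Brandon states in this announcement and his follow-up (SSLv3 disabled, RC4 disabled on every TLS version, no fallback), as an added Python example that is not from the thread, from Google, or from xnnd.com. It assumes the `(version=... cipher=... bits=...)` clause Gmail records in Received headers of inbound mail; the sample headers are constructed.

```python
import re

# Constructed sample Received headers in the shape Gmail stamps on inbound
# mail (assumed format; hosts, ids and dates are made up).
SAMPLE_HEADERS = [
    "Received: from mta1.example.net (mta1.example.net. [203.0.113.10]) "
    "by mx.google.com with ESMTPS id x1si1234 "
    "(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); "
    "Mon, 16 May 2016 16:07:00 -0700 (PDT)",
    "Received: from legacy.example.org (legacy.example.org. [198.51.100.7]) "
    "by mx.google.com with ESMTPS id y2si5678 "
    "(version=SSLv3 cipher=RC4-SHA bits=128/128); "
    "Mon, 16 May 2016 16:08:00 -0700 (PDT)",
    "Received: from old.example.com (old.example.com. [192.0.2.9]) "
    "by mx.google.com with ESMTPS id z3si9012 "
    "(version=TLS1 cipher=RC4-MD5 bits=128/128); "
    "Mon, 16 May 2016 16:09:00 -0700 (PDT)",
    "Received: from plain.example.com (plain.example.com. [192.0.2.20]) "
    "by mx.google.com with ESMTP id w4si3456; "
    "Mon, 16 May 2016 16:10:00 -0700 (PDT)",
]

# TLS parameters clause assumed to follow the ESMTPS id, e.g.
# "(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128)".
TLS_RE = re.compile(
    r"\(version=(?P<version>[^ ]+) cipher=(?P<cipher>[^ ]+) bits=(?P<bits>[^)]+)\)"
)
FROM_RE = re.compile(r"^Received: from (?P<host>\S+)")


def classify(header):
    """Return (sender_host, status, detail) for one Received header.

    status is "ok", "will-break" (SSLv3 or an RC4 cipher, which the
    announcement removes with no fallback) or "plaintext" (no TLS at all,
    which is unaffected but worth tracking).
    """
    host = FROM_RE.match(header).group("host")
    m = TLS_RE.search(header)
    if m is None:
        return host, "plaintext", "no TLS parameters recorded"
    version, cipher = m.group("version"), m.group("cipher")
    if version.startswith("SSL"):
        return host, "will-break", f"{version} is being disabled"
    if "RC4" in cipher.upper():
        return host, "will-break", f"{cipher} uses RC4, disabled on every TLS version"
    return host, "ok", f"{version} {cipher}"


def report(headers):
    """Classify every header; feed this the Received lines fetched over IMAP/POP."""
    return [classify(h) for h in headers]
```

Sending hosts that come back as "will-break" are the ones to chase before the 30-day cutoff; "plaintext" senders are unaffected by this change but are still visible to the same monitoring.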