Re: [mailop] [EXTERNAL] Re: Disabling TLS1.0 for SMTP

2018-05-25 Thread Marc Bradshaw via mailop
Worth collecting some data on; we collect metrics on ingress for
ciphers used and key sizes but not on TLS version. I'll add that to what
we collect.

- Original message -
From: Vittorio Bertola
To: "Brotman, Alexander", Rohan Sheth, mailop@mailop.org
Subject: Re: [mailop] [EXTERNAL] Re: Disabling TLS1.0 for SMTP
Date: Thu, 24 May 2018 11:17:28 +0200 (CEST)

> On 22 May 2018 at 17:41, "Brotman, Alexander" wrote:
> 
> If someone is interested, we could potentially ask Binu if he has
> newer data available.  He had done a presentation on the same data at
> M3AAWG a few years ago.
It would be great to get new data from big players, and to share
information in general. For the TES project ( https://tesmail.org/ ) one
year ago we ran a scan of the top 1000 domains by web traffic, to see
which degree of transport security they offered. Among those who
actually had working email servers, we found 58% TLS 1.2, 14% TLS 1.1,
7% TLS 1.0, and 21% no TLS.
Regards,
--

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy

_
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

--
 
  Marc Bradshaw - Deliverability/Abuse at FastMail
  m...@fastmailteam.com | @marcbradshaw[1]



Links:

  1. https://twitter.com/marcbradshaw


Re: [mailop] [EXTERNAL] Re: Disabling TLS1.0 for SMTP

2018-05-24 Thread Vittorio Bertola
> On 22 May 2018 at 17:41, "Brotman, Alexander" wrote:
> 
> 
> If someone is interested, we could potentially ask Binu if he has newer data 
> available.  He had done a presentation on the same data at M3AAWG a few years 
> ago.

It would be great to get new data from big players, and to share information in 
general. For the TES project ( https://tesmail.org/ ) one year ago we ran a 
scan of the top 1000 domains by web traffic, to see which degree of transport 
security they offered. Among those who actually had working email servers, we 
found 58% TLS 1.2, 14% TLS 1.1, 7% TLS 1.0, and 21% no TLS.

Regards,
-- 

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy



Re: [mailop] [EXTERNAL] Re: Disabling TLS1.0 for SMTP

2018-05-22 Thread Brotman, Alexander
If someone is interested, we could potentially ask Binu if he has newer data 
available.  He had done a presentation on the same data at M3AAWG a few years 
ago.

--
Alex Brotman
Sr. Engineer, Anti-Abuse
Comcast


-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Rohan Sheth
Sent: Tuesday, May 22, 2018 11:06 AM
To: mailop@mailop.org
Subject: [EXTERNAL] Re: [mailop] Disabling TLS1.0 for SMTP

On Tue, May 22, 2018, at 7:47 AM, Al Iverson wrote:
> Are folks disabling TLS1.0 support in SMTP? Our security team has 
> asked, but I'm a bit concerned about potential failure cases when 
> trying to deliver mail to smaller corporate sites that might be doing 
> stuff like requiring TLS but supporting 1.0 only... is that really 
> much of a concern?

Admittedly a few years old (March 2016) but Yahoo shared some data about TLS 
versions they see: 
https://yahoo-security.tumblr.com/post/141495385400/measuring-smtp-starttls-deployment-quality

Scrolling down to the TLS Session section, it seems at the time they still saw 
a large volume of TLS 1.0. I would guess that it hasn't changed enough that it 
is OK to blanket disable TLS 1.0 today. 

-Rohan

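
Added example, not part of any message in the thread: one way to collect the per-version numbers the posters ask for before deciding whether to disable TLS 1.0. It assumes Postfix-style TLS log lines (the thread names no MTA); the sample log and the names tally, share and tls10_only_peers are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format Postfix writes with
# smtpd_tls_loglevel=1 / smtp_tls_loglevel=1 (assumed MTA, not from the thread).
SAMPLE_LOG = """\
May 22 11:06:01 mx1 postfix/smtpd[1201]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 22 11:06:09 mx1 postfix/smtpd[1202]: Anonymous TLS connection established from old.example.net[192.0.2.44]: TLSv1 with cipher AES256-SHA (256/256 bits)
May 22 11:07:12 mx1 postfix/smtp[1310]: Untrusted TLS connection established to mx.example.com[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 22 11:07:30 mx1 postfix/smtp[1311]: Trusted TLS connection established to legacy.example.edu[198.51.100.9]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 22 11:08:02 mx1 postfix/smtp[1312]: Untrusted TLS connection established to mx.example.com[198.51.100.7]:25: TLSv1.1 with cipher AES128-SHA (128/128 bits)
May 22 11:08:40 mx1 postfix/smtpd[1203]: connect from plain.example.org[192.0.2.80]
"""

# smtpd = inbound (peer connected to us), smtp = outbound (we connected to peer).
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd|smtp)\[\d+\]: \w+ TLS connection established "
    r"(?:from|to) (?P<peer>[^\[\s]+)\[[^\]]+\](?::\d+)?: "
    r"(?P<version>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>\S+)"
)

def tally(log_text):
    """Count TLS sessions per direction and version; record versions seen per peer."""
    counts = {"inbound": Counter(), "outbound": Counter()}
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # non-TLS lines (e.g. plain "connect from") are not counted
        direction = "inbound" if m["daemon"] == "smtpd" else "outbound"
        counts[direction][m["version"]] += 1
        peers[(direction, m["peer"])].add(m["version"])
    return counts, peers

def share(counter, version="TLSv1"):
    """Fraction of the counted TLS sessions that negotiated the given version."""
    total = sum(counter.values())
    return counter[version] / total if total else 0.0

def tls10_only_peers(peers):
    """Peers never seen above TLS 1.0: the ones affected if TLS 1.0 is disabled."""
    return sorted(k for k, seen in peers.items() if seen <= {"TLSv1", "SSLv3"})

if __name__ == "__main__":
    counts, peers = tally(SAMPLE_LOG)
    for direction, c in counts.items():
        print(direction, dict(c), f"TLS 1.0 share: {share(c):.0%}")
    print("TLS 1.0-only peers:", tls10_only_peers(peers))
```

These log lines cover only sessions that negotiated TLS, so plaintext deliveries have to be counted separately to get a breakdown comparable to the scan figures quoted in the thread.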