Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-06-24 Thread frnkblk
I want to disable it for the reasons that Eric spelled out. TLS 1.0 is broken, so if we turn it off on websites, shouldn't we turn it off for all protocols? Not that we promise our customers end-to-end encryption for all their e-mail messages and handling, but I'd like to take advantage of the

Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-06-24 Thread Eric Tykwinski
I’ll agree, anyone sending anything like PII or financials should probably use S/MIME or PGP on top as well. Nothing hurts though disabling TLS1 since there were some vulnerabilities with Poodle, disabling RC4, et al whatever the new attack of the day is. The problem is usually the client side, li

Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-06-24 Thread Seth Mattinen
On 6/24/16 10:31 AM, Frank Bulk wrote: Due to PCI requirements to disable TLS 1.0, and recognizing an overall push towards TLS 1.1 and TLS 1.2, we tried turning off TLS 1.0 on our email servers. That generally worked out fine for webmail, but Apple users couldn’t use SMTP, POP3, or IMAP, resu

Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-06-24 Thread Brandon Long via mailop
SSL3 was a small fraction of our traffic, tls1.0 is not a small fraction. Could be because of this Apple issue, but it's also true for server to server traffic. I haven't investigated what doesn't support better yet, perhaps our tls team has. Note our post says supporting tls1.2 is necessary to s

[mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-06-24 Thread Frank Bulk
https://googleappsupdates.blogspot.com/2016/06/gradually-disabling-support-for-sslv3.html https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/ Due to PCI requirements to disable TLS 1.0, and recognizing an overall push towards TLS 1.1 and TLS 1.2, we tried tur

Re: [mailop] DMARC question

2016-06-24 Thread Lena
> I'm curious if someone can explain why a few sites > have a "local_policy" that overrides our DMARC settings. Perhaps because DMARC breaks discussion mailing lists like this one.

Re: [mailop] DMARC question

2016-06-24 Thread Rolf E. Sonneveld
Hi, Terry, On 24-06-16 09:14, Terry Barnum wrote: I've been checking our newly configured DMARC status on the (excellent) dmarcian.com site. We're being joe jobbed every 2 weeks so I'm hoping DMARC severely cuts into that spammer's delivery success. I still hate getting a