Re: [mailop] Disabling TLS1.0 for SMTP

2018-05-22 Thread Phil Pennock
On 2018-05-22 at 14:58 -0400, Eric Tykwinski wrote: > MTA-STS will probably hit more on the valid certificate deal, but it's on the > mta-sts record to get the policy. > DANE just says this certificate is good, could be expired, self-signed, et al > as long as it passes the hash. DANE has two

Re: [mailop] New *.outbound.protection.outlook.com servers without PTR

2018-05-22 Thread Michael Wise via mailop
Those responsible have been poked.  Aloha, Michael. -- Michael J Wise Microsoft Corporation| Spam Analysis "Your Spam Specimen Has Been Processed." Got the Junk Mail Reporting Tool ? From: mailop On

Re: [mailop] SNDS report issues?

2018-05-22 Thread Krishna Garewal via mailop
The root cause issue is fixed but data is not backfilled, there’s going to be missing data from 17-19th. From: mailop On Behalf Of Benjamin BILLON Sent: Tuesday, May 22, 2018 9:43 AM To: mailop@mailop.org Subject: Re: [mailop] SNDS report issues? May 17 and 19 not

Re: [mailop] Disabling TLS1.0 for SMTP

2018-05-22 Thread Bill Cole
On 22 May 2018, at 12:24, Andrew C Aitchison wrote: Also, does the MTA check the name in the certificate ? Not generally. I understand that not all do (or didn't until recently) None do so with significant consequences for failure, unless they really want their mail to break on a regular

Re: [mailop] Disabling TLS1.0 for SMTP

2018-05-22 Thread Bill Cole
On 22 May 2018, at 11:12, Steve Atkins wrote: On May 22, 2018, at 7:47 AM, Al Iverson wrote: Are folks disabling TLS1.0 support in SMTP? Our security team has asked, but I'm a bit concerned about potential failure cases when trying to deliver mail to smaller

Re: [mailop] Disabling TLS1.0 for SMTP

2018-05-22 Thread Andrew C Aitchison
On Tue, 22 May 2018, Al Iverson wrote: Are folks disabling TLS1.0 support in SMTP? Our security team has asked, but I'm a bit concerned about potential failure cases when trying to deliver mail to smaller corporate sites that might be doing stuff like requiring TLS but supporting 1.0 only... is

Re: [mailop] [EXTERNAL] Re: Disabling TLS1.0 for SMTP

2018-05-22 Thread Brotman, Alexander
If someone is interested, we could potentially ask Binu if he has newer data available. He had done a presentation on the same data at M3AAWG a few years ago. -- Alex Brotman Sr. Engineer, Anti-Abuse Comcast -Original Message- From: mailop [mailto:mailop-boun...@mailop.org] On Behalf

Re: [mailop] Disabling TLS1.0 for SMTP

2018-05-22 Thread Paul Smith
On 22/05/2018 15:47, Al Iverson wrote: Are folks disabling TLS1.0 support in SMTP? Our security team has asked, but I'm a bit concerned about potential failure cases when trying to deliver mail to smaller corporate sites that might be doing stuff like requiring TLS but supporting 1.0 only... is

Re: [mailop] Disabling TLS1.0 for SMTP

2018-05-22 Thread ml+mailop
On Tue, May 22, 2018, Steve Atkins wrote: > If you're connecting to an MX that only supports TLS 1.0 and you've > configured your smarthost to not support TLS 1.0 for opportunistic > encryption then it's going to fall back to not using any sort of encryption > and sending as plaintext. That

Re: [mailop] Disabling TLS1.0 for SMTP

2018-05-22 Thread Ken O'Driscoll via mailop
On Tue, 2018-05-22 at 10:47 -0400, Al Iverson wrote: > Are folks disabling TLS1.0 support in SMTP? Our security team has > asked, but I'm a bit concerned about potential failure cases when > trying to deliver mail to smaller corporate sites that might be doing > stuff like requiring TLS but

Re: [mailop] Disabling TLS1.0 for SMTP

2018-05-22 Thread Steve Atkins
> On May 22, 2018, at 7:47 AM, Al Iverson wrote: > > Are folks disabling TLS1.0 support in SMTP? Our security team has > asked, but I'm a bit concerned about potential failure cases when > trying to deliver mail to smaller corporate sites that might be doing > stuff

[mailop] Disabling TLS1.0 for SMTP

2018-05-22 Thread Al Iverson
Are folks disabling TLS1.0 support in SMTP? Our security team has asked, but I'm a bit concerned about potential failure cases when trying to deliver mail to smaller corporate sites that might be doing stuff like requiring TLS but supporting 1.0 only... is that really much of a concern? Cheers,

[mailop] New *.outbound.protection.outlook.com servers without PTR

2018-05-22 Thread Bernhard Schmidt
Hi, recently (about a week ago) *.outbound.protection.outlook.com started sending from three new /24 without valid FCrDNS 40.92.73.0/24 40.92.74.0/24 40.92.75.0/24 i.e. EUR04-HE1-obe.outbound.protection.outlook.com (HELO) sending from 40.92.73.10 The /16 is delegated to msft.net We have added