Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Thomas Walter via mailop
On 13.03.24 18:55, Slavko via mailop wrote: > On 13 March 2024 16:32:42 UTC, Andrew C Aitchison via mailop > wrote: > >> Has anyone checked what traffic is still using TLS 1.0 or TLS 1.1 ? > > Yes, some infected machines from DZ, BR, AR, ID and so :-) So we are removing a perfec

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Slavko via mailop
On 13 March 2024 18:22:55 UTC, Robert Giles via mailop wrote: >Sort of surprising, but I don't think JPMorgan Chase (large U.S. bank) is able >to do TLS 1.2+ Seems, that Central Europe banks are in better TLS condition ;-) regards -- Slavko https://www.slavino.sk/ ___

Re: [mailop] handling a TLS handshake failure

2024-03-13 Thread ml+mailop--- via mailop
On Wed, Mar 13, 2024, Harald Hannelius via mailop wrote: > Are there SMTP-"clients" that actually are able to back down from STARTTLS > and continue unencrypted? Very unlikely. If the TLS handshake fails, a server usually drops the session because it is in an unknown state. What several clients

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Alexander Bochmann via mailop
...on 2024-03-13 12:47:22, Marco Moock via mailop wrote: > I don't see a reason for supporting older versions anymore. Useless bit of trivia: OpenSSL 1.0.2 can do TLS 1.2 That version should be plenty backwards compatible - most of the cleanup work that removed support for old systems and comp

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Bill Cole via mailop
On 2024-03-13 at 14:30:40 UTC-0400 (Wed, 13 Mar 2024 20:30:40 +0200 (EET)) Harald Hannelius via mailop is rumored to have said: Are there SMTP-"clients" that actually are able to back down from STARTTLS and continue unencrypted? I'm not aware of any way to de-escalate after a STARTTLS on the

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Bill Cole via mailop
On 2024-03-13 at 14:22:55 UTC-0400 (Wed, 13 Mar 2024 13:22:55 -0500) Robert Giles via mailop is rumored to have said: Sort of surprising, but I don't think JPMorgan Chase (large U.S. bank) is able to do TLS 1.2+ from their outbound JavaMail infrastructure in 159.53.111.0/24: I can confirm th

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Bill Cole via mailop
On 2024-03-13 at 10:56:53 UTC-0400 (Wed, 13 Mar 2024 15:56:53 +0100) Marco Moock via mailop is rumored to have said: On 13.03.2024 at 10:43:27, Bill Cole via mailop wrote: Without one, disabling them is a cargo-cult praxis that is worse than any false sense of security provided to oblivi

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Harald Hannelius via mailop
On Wed, 13 Mar 2024, Gellner, Oliver via mailop wrote: Sending MTAs which do not support modern crypto on the other hand are going to fall back to an unencrypted connection as soon as you disable older cipher suites. This allows any, even passive MITM to read and/or modify the messages. A clai

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Robert Giles via mailop
On 3/13/2024 at 12:55, Slavko via mailop wrote: Has anyone checked what traffic is still using TLS 1.0 or TLS 1.1 ? Yes, some infected machines from DZ, BR, AR, ID and so :-) I checked last 90 days log now, I found only small number of plain text deliveries to me, but no one legitimate host wi

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Slavko via mailop
On 13 March 2024 16:32:42 UTC, Andrew C Aitchison via mailop wrote: >Has anyone checked what traffic is still using TLS 1.0 or TLS 1.1 ? Yes, some infected machines from DZ, BR, AR, ID and so :-) I checked last 90 days log now, I found only small number of plain text deliveries t

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Johann Klasek via mailop
On Wed, Mar 13, 2024 at 05:24:37PM +0100, Marco Moock wrote: > On 13.03.2024 at 17:06:03, Johann Klasek via mailop wrote: > > > Is it not condescending to question to reason why someone has not > > already the opportunity to switch to TLS 1.2? > > Can you name some reasons? > I currently don

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Kai Bojens via mailop
On 2024-03-13 00:09, Andrew C Aitchison via mailop wrote: Given that the advice for SMTP is often to allow tls 1.0 and 1.1, rather than have it revert to unencrypted, this will is something to watch out for. TLS 1.0/1.1 have been deprecated in March 2021 (RFC 8996). Systems that are unable to

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Andrew C Aitchison via mailop
On Wed, 13 Mar 2024, Marco Moock via mailop wrote: On 13.03.2024 at 10:43:27, Bill Cole via mailop wrote: Without one, disabling them is a cargo-cult praxis that is worse than any false sense of security provided to oblivious peers who can't do TLSv1.2 or better. What are legitimate re

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Marco Moock via mailop
On 13.03.2024 at 17:06:03, Johann Klasek via mailop wrote: > Is it not condescending to question to reason why someone has not > already the opportunity to switch to TLS 1.2? Can you name some reasons? I currently don't know one. -- Regards, Marco Send spam to 1710345963mu...@cartoonies.org _

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Taavi Eomäe via mailop
On 13/03/2024 16:43, Bill Cole via mailop wrote: What is "poor" or "weak" about TLSv1.0 and TLSv1.1 which is relevant in the context of SMTP, other than their easily-disabled support for weak ciphers? If you disable all the weak ciphers and key exchanges you're not left with a sign

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Johann Klasek via mailop
On Wed, Mar 13, 2024 at 12:45:08PM +, Michael Irvine via mailop wrote: > I'm in agreement. I don't see an issue. All the largest providers are > minimum TLS 1.2. We have had many years to migrate. The internet does not consist just out of the "largest provider". Is it not condescending to

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Slavko via mailop
On 13 March 2024 14:43:27 UTC, Bill Cole via mailop wrote: >Every time I see this argument, I am struck by an important question: > > What is "poor" or "weak" about TLSv1.0 and TLSv1.1 which is relevant > in the context of SMTP, other than their easily-disabled support for >

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Michael Orlitzky via mailop
On Wed, 2024-03-13 at 15:54 +0100, Marco Moock via mailop wrote: > Although, older SSL/TLS versions have some weaknesses and when they are > not offered, they can't be used, not even for downgrading attacks. Many > clients support an option to enforce TLS/STARTTLS. That will fail in > such a situa

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Marco Moock via mailop
On 13.03.2024 at 10:43:27, Bill Cole via mailop wrote: > Without one, disabling them is a cargo-cult praxis that is worse than > any false sense of security provided to oblivious peers who can't do > TLSv1.2 or better. What are legitimate reasons today not to use TLS 1.2 or 1.3? -- Regards, Ma

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Marco Moock via mailop
On 13.03.2024 at 08:39:33, Michael Orlitzky via mailop wrote: > Whose sense of security is improved by sending those messages in > plaintext? None. If you want to transfer something making eavesdropping possible, encrypt the content end to end. Everything else must be considered as insecure.

Re: [mailop] Github Contact

2024-03-13 Thread Andreas Heil via mailop
Thank you Tobias and Andy for forwarding this to the right people. Now I’ll wait for a reaction from GitHub. Best Regards, Andreas > On 13.03.2024 at 09:48, Andreas Heil wrote: > > Hi, > > Someone from GitHub on the list? > I'm receiving suspicious emails from GitHub which may require urgen

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Bill Cole via mailop
On 2024-03-13 at 07:28:18 UTC-0400 (Wed, 13 Mar 2024 11:28:18 + (UTC)) L. Mark Stone via mailop is rumored to have said: > FWIW, our view is that poor encryption can be worse than no encryption, as it > can give the participants a false sense of security. This seems like a good > move to u

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Michael Irvine via mailop
I'm in agreement. I don't see an issue. All the largest providers are minimum TLS 1.2. We have had many years to migrate. Thanks, Michael Irvine | Network Lead Great Computer Solutions O: 847-763-0763 | M: 224-435-6331 E: m...@greatsys.com W: www.greatsys.co

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Gellner, Oliver via mailop
On 13.03.2024 at 12:28 L. Mark Stone via mailop wrote: > FWIW, our view is that poor encryption can be worse than no encryption, as it > can give the participants a false sense of security. This seems like a good > move to us. > We have configured Postfix in our Zimbra MTA servers to do only TLS

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Michael Orlitzky via mailop
On Wed, 2024-03-13 at 11:28 +, L. Mark Stone via mailop wrote: > FWIW, our view is that poor encryption can be worse than no encryption, as it > can give the participants a false sense of security. This seems like a good > move to us. > > We have configured Postfix in our Zimbra MTA servers

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Marco Moock via mailop
On 13.03.2024 at 11:28:18, L. Mark Stone via mailop wrote: > FWIW, our view is that poor encryption can be worse than no > encryption, as it can give the participants a false sense of > security. This seems like a good move to us. > > We have configured Postfix in our Zimbra MTA servers to

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread L. Mark Stone via mailop
FWIW, our view is that poor encryption can be worse than no encryption, as it can give the participants a false sense of security. This seems like a good move to us. We have configured Postfix in our Zimbra MTA servers to do only TLS 1.2/1.3, and fall back to unencrypted if a TLS connection ca

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Marco Moock via mailop
On 13.03.2024 at 12:04:22, Matus UHLAR - fantomas via mailop wrote: > Iirc sendmail honored these settings, postfix hasn't. 8.18.1/8.18.1 2024/01/31 OpenSSL version 3.0.x is supported. Note: OpenSSL 3 loads by default an openssl.cnf file from a location specified

Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

2024-03-13 Thread Matus UHLAR - fantomas via mailop
On 12.03.24 23:09, Andrew C Aitchison via mailop wrote: https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#tls-10-11-and-dtls-10-are-forcefully-disabled-13 (which is mostly a template) suggests that TLS 1.0, 1.1 and DTLS 1.0 are "forcefully disabled" in the upcoming Ubuntu release

[mailop] Github Contact

2024-03-13 Thread Andreas Heil via mailop
Hi, Someone from GitHub on the list? I'm receiving suspicious emails from GitHub which may require urgent intervention. I already tried abuse@ but it is an autoresponder which says it is not monitored, and the web form does not work for this. Best Regards, Andreas

Re: [mailop] Mailbox Filling w. Opt-In/Sign-Up mails

2024-03-13 Thread Tobias Fiebig via mailop
Moin, > Create a random generated mail address that the person needs to send > an email to. Verify SPF/DKIM/DMARC strictly, so forging is much > harder and reject it with a proper message, maybe with a link that > explains the result. Yeah. I thought about that. _Technically_ the whole thing can

Re: [mailop] Mailbox Filling w. Opt-In/Sign-Up mails

2024-03-13 Thread Tobias Fiebig via mailop
On Tue, 2024-03-12 at 15:46 -0700, Michael Peddemors via mailop wrote: > Tobias, > > This does sound like a typical 'mail bomb', and there are even > services you can rent to mail bomb an enemy.. > > Used to only see it in the gamer community, kid stuff.. but it is > more rare than you think.. so

Re: [mailop] Mailbox Filling w. Opt-In/Sign-Up mails

2024-03-13 Thread Marco Moock via mailop
On 13.03.2024 at 08:39:17, Tobias Fiebig wrote: > Which is part of the reason for this mail; Are there any best > practices beyond what I did above for preventing this form of abuse > (apart from 'wanna do "Captcha & Cloudflare" tonight' ? Create a random generated mail address that the pers

Re: [mailop] Mailbox Filling w. Opt-In/Sign-Up mails

2024-03-13 Thread Tobias Fiebig via mailop
Moin, > How do you prevent that abusers will enter many mail addresses and > you send out many test mails to people who never requested them? Now? Block-List skipping mail-sending for the most common providers and limiting in-flight tests for other domains. But with a sufficiently large botnet

Re: [mailop] Mailbox Filling w. Opt-In/Sign-Up mails

2024-03-13 Thread Marco Moock via mailop
On 12.03.2024 at 19:19:50, Tobias Fiebig via mailop wrote: > over the past 2-3 weeks, I saw a slightly more filled queue for email- > security-scans.org; A lot of users seemed to start tests, but never > received the corresponding test mails; In most cases, the ESP had > shut down delivery to