On Sat, Aug 14, 2021 at 10:47:08AM -0400, Viktor Dukhovni
wrote:
> > On 14 Aug 2021, at 1:15 am, raf wrote:
> >
> > According to the hardenize.com security bingo site,
> > they get a green box for their mail server TLS, even
> > though they support TLSv1.0 (yellow), because they
> > don't supp
> On 14 Aug 2021, at 1:15 am, raf wrote:
>
> According to the hardenize.com security bingo site,
> they get a green box for their mail server TLS, even
> though they support TLSv1.0 (yellow), because they
> don't support anonymous ciphers (red). If they were
> supporting anonymous ciphers, it wou
On Fri, Aug 13, 2021 at 04:20:59PM +0200, Josh Good
wrote:
> Hello, to follow up on this issue regarding Rhenus.com and TLS 1.2,
> I confirm that mail flow to them without using the STARTTLS verb in the
> SMTP transaction, is working fine. So it looks like plain text SMTP is
> still allowed by t
On 2021 Jul 29, 10:01, Viktor Dukhovni wrote:
>
>
> > On 29 Jul 2021, at 8:17 am, raf wrote:
> >
> > The Rhenus email did say:
> >
> > "...must be sent with the TLS 1.2 protocol or higher.
> > Any mail received without fulfilling this condition
> > will be rejected by our server."
> >
> >
Sean McBride:
> On Thu, 29 Jul 2021 22:17:49 +1000, raf said:
>
> >That second sentence sounds to me like a definite
> >statement that an SMTP connection that doesn't initiate
> >STARTTLS will not be able to send email. At least, I
> >can't see how else to interpret those words.
>
> Which is an o
On Thu, 29 Jul 2021 22:17:49 +1000, raf said:
>That second sentence sounds to me like a definite
>statement that an SMTP connection that doesn't initiate
>STARTTLS will not be able to send email. At least, I
>can't see how else to interpret those words.
Which is an odd thing considering, accordin
On 29/07/2021 at 18:46, Dominic Raferd wrote:
> Some commercial vulnerability scan services (e.g. by Qualys,
> SecurityMetrics) which are required by payment providers regard
> TLSv1/TLSv1.1 as absolute fails for PCI DSS compliance and
> organisations that must meet PCI DSS
> (https://www.pcisecu
> On 29 Jul 2021, at 12:46 pm, Dominic Raferd wrote:
>
> Some commercial vulnerability scan services (e.g. by Qualys, SecurityMetrics)
> which are required by payment providers regard TLSv1/TLSv1.1 as absolute
> fails for PCI DSS compliance and organisations that must meet PCI DSS
> (https://w
On 29/07/2021 17:24, Josh Good wrote:
On 2021 Jul 29, 10:01, Viktor Dukhovni wrote:
On 29 Jul 2021, at 8:17 am, raf wrote:
The Rhenus email did say:
"...must be sent with the TLS 1.2 protocol or higher.
Any mail received without fulfilling this condition
will be rejected by our server."
On 2021 Jul 29, 10:01, Viktor Dukhovni wrote:
> > On 29 Jul 2021, at 8:17 am, raf wrote:
> >
> > The Rhenus email did say:
> >
> > "...must be sent with the TLS 1.2 protocol or higher.
> > Any mail received without fulfilling this condition
> > will be rejected by our server."
> >
> > That s
> On 29 Jul 2021, at 8:17 am, raf wrote:
>
> The Rhenus email did say:
>
> "...must be sent with the TLS 1.2 protocol or higher.
> Any mail received without fulfilling this condition
> will be rejected by our server."
>
> That second sentence sounds to me like a definite
> statement that
On Thu, Jul 29, 2021 at 09:13:39AM +0200, Josh Good
wrote:
> Well, it's not exactly clear, in the Rhenus notification, whether they
> are just disabling TLS 1.0, or that plus also disabling plain text SMTP.
>
> Viktor thinks it's just the first case. But we should not underestimate
> the push t
On Thu, Jul 29, 2021 at 10:37:46AM +0200, Matus UHLAR - fantomas
wrote:
> On 29.07.21 10:26, raf wrote:
>
> > On my little personal mail server, 75% of incoming
> > connections to port 25 are plaintext. Only 25% use
> > STARTTLS (by definition). Disabling STARTTLS would
> > be a disaster, and s
On 29.07.2021 at 12:26:49, Tobi writes:
>
> Just take the case when they lose a huge customer order because the
> customer still operates an Exchange 2003 server, which at best can talk
> TLS 1.0. Then Management will soon show up in the IT department and highly
> probably ignore the fact that it wa
Josh,
On 7/29/21 9:13 AM, Josh Good wrote:
> Well, it's not exactly clear, in the Rhenus notification, whether they
> are just disabling TLS 1.0, or that plus also disabling plain text SMTP.
>
> Viktor thinks it's just the first case. But we should not underestimate
> the push that a checklist-bas
On Wed, Jul 28, 2021 at 04:39:39PM +0200, Josh Good
wrote:
Hello everybody.
I've been made aware of this communication recently received at some
site whose email is managed on-premises (i.e., not outsourced to any
big mailbox provider in the "cloud"):
> From: Rhenus Logistics
> Sent: 30 Jun
On 2021 Jul 29, 15:48, raf wrote:
> On Wed, Jul 28, 2021 at 11:20:03PM -0400, Viktor Dukhovni
> wrote:
>
> > On Thu, Jul 29, 2021 at 12:18:25PM +1000, raf wrote:
> >
> > > And similarly, port 25 will never be TLS-only. STARTTLS
> > > isn't going away.
> >
> > I am less certain that public Inte
Sounds like a requirement from some security audit.
Eero
On Thu, Jul 29, 2021 at 8:49 AM raf wrote:
> On Wed, Jul 28, 2021 at 11:20:03PM -0400, Viktor Dukhovni <
> postfix-us...@dukhovni.org> wrote:
>
> > On Thu, Jul 29, 2021 at 12:18:25PM +1000, raf wrote:
> >
> > > And similarly, port 25 will
On Wed, Jul 28, 2021 at 11:20:03PM -0400, Viktor Dukhovni
wrote:
> On Thu, Jul 29, 2021 at 12:18:25PM +1000, raf wrote:
>
> > And similarly, port 25 will never be TLS-only. STARTTLS
> > isn't going away.
>
> I am less certain that public Internet SMTP will not in the next decade
> or two switc
On Thu, Jul 29, 2021 at 12:18:25PM +1000, raf wrote:
> Yes. That's why I said "But that's not going to happen".
> And similarly, port 25 will never be TLS-only. STARTTLS
> isn't going away.
I am less certain that public Internet SMTP will not in the next decade
or two switch to STARTTLS required.
On Wed, Jul 28, 2021 at 09:21:22PM -0400, Viktor Dukhovni
wrote:
> On Thu, Jul 29, 2021 at 10:26:09AM +1000, raf wrote:
>
> > The only alternative would be to close port 25, use port 465
> > (TLS-only) instead,
>
> This profoundly confuses the SMTP (relay) protocol with the
> SUBMIT protocol
On Thu, Jul 29, 2021 at 10:26:09AM +1000, raf wrote:
> The only alternative would be to close port 25, use port 465
> (TLS-only) instead,
This profoundly confuses the SMTP (relay) protocol with the
SUBMIT protocol. MTAs won't EVER send on port 465 or 587.
--
Viktor.
On Wed, Jul 28, 2021 at 04:39:39PM +0200, Josh Good
wrote:
> Hello everybody.
>
> I've been made aware of this communication recently received at some
> site whose email is managed on-premises (i.e., not outsourced to any
> big mailbox provider in the "cloud"):
>
> > From: Rhenus Logistics
>
Hi
imho this is a single case. Enforcing TLS on a public-facing smtp port
makes no sense to me. Except if you want to reject quite a bunch of mail :-)
Sure, TLS encrypted connections are preferable, but to enforce it on an
incoming smtp server is sportive. They would better leave smtpd
encryption on
On Wed, Jul 28, 2021 at 04:39:39PM +0200, Josh Good wrote:
> > Subject: Email con TLS inferior a 1.2 / Email with TLS less than 1.2
> >
> > Good Afternoon, We inform you that due to Rhenus security policies,
> > as of 08/01/2021 receiving of emails that do not comply with version
> > 1.2 of the
Hello everybody.
I've been made aware of this communication recently received at some
site whose email is managed on-premises (i.e., not outsourced to any
big mailbox provider in the "cloud"):
> From: Rhenus Logistics
> Sent: 30 June 2021 17:05
> To: [omitted]
> Subject: Email con TLS inferior