On Fri, Jun 26, 2015 at 11:53 AM, Carl Byington <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, 2015-06-25 at 13:25 -0700, Brandon Long wrote:
> > We haven't implemented it yet, though we expect to in the near future.
>
> Does this mean that google will then refuse to deliver mail to sites
> that:
>
> 1) advertise starttls in response to ehlo, and
> 2) have a 512 bit DH key?
>
> That seems to be implied by "we (google) stopped falling back to
> unencrypted connections..."

Yes, that's what I meant. We already fail delivery if you advertise STARTTLS and we can't negotiate, either because you don't have a key installed or whatever, or if your SSL version isn't compatible with ours. I.e., we recently started advertising for a TLS1.2 connection on outbound, which means some broken ssl3/tls1 clients won't be able to work with us anymore because they didn't correctly handle a TLS1.2 ask (even though it should be protocol compatible at that level). I imagine at some point we'll give up on SSL3 as well (the percentage is already pretty tiny).

> In this, as in so much else in life, the behavior of the giants (google,
> microsoft, etc) will determine what is acceptable regarding delivery to
> such sites.
>
> If we need to automatically fall back to an unencrypted connection
> (ignoring the starttls offer from the server), users of sendmail will
> need to script something to automatically add entries to their access
> file. The current sendmail does not have any built-in support for such a
> fallback.
>
> If google will refuse to deliver mail to such sites, that will remove
> any pressure on sendmail and its users to implement such an automatic
> fall back scheme. The burden is then entirely on those old receivers to
> upgrade their DH keys. This is the outcome that I would prefer.

People have different requirements, but we can't maintain compatibility with the .001% if that breaks the security of the majority of our users.

Theoretically we could start bucketing and send certain domains to the low quality bucket, but there are a lot of buckets. We do this on the web by sending older browsers to the old plain HTML version of Gmail, which doesn't make them happy... if one of these chasms is too far, then we may have to consider that.

Brandon
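The check a receiving-site operator would want after reading this exchange, added here as an example (it is not code from the mailop thread, from Google's outbound MTA, or from sendmail): probe your own MX the way the strict sender above behaves. EHLO, see whether STARTTLS is advertised, then require a TLS 1.2 handshake and never fall back to plaintext when it fails. The host names and the sample EHLO reply are constructed, and the three `classify` outcome labels are assumptions chosen to mirror the cases the thread describes. The script does not read the DH parameter size itself; on a current OpenSSL a 512-bit DH group makes the handshake fail (`dh key too small`), which is exactly the advertise-but-can't-negotiate condition being discussed.

```python
"""Probe an MX like a strict sender: EHLO, check STARTTLS, require TLS 1.2,
and treat a failed handshake as a delivery failure rather than a reason to
fall back to plaintext.  Added example; host names and replies are constructed."""
import smtplib
import ssl

# Constructed sample of what smtplib stores in ehlo_resp (first line is the
# server greeting, the rest are EHLO keywords, 250 prefixes already stripped).
SAMPLE_EHLO = "mail.example.invalid Hello\nSIZE 35882577\nSTARTTLS\nHELP"

OUTCOME_PLAINTEXT = "plaintext"  # no STARTTLS offered: nothing to fall back from
OUTCOME_TLS = "tls"              # STARTTLS offered and TLS 1.2 negotiated
OUTCOME_FAIL = "fail"            # STARTTLS offered but negotiation failed: do not deliver


def parse_ehlo(ehlo_text: str) -> set:
    """Return the upper-cased EHLO keywords from a multi-line reply.

    Accepts either the raw wire form ("250-STARTTLS\\r\\n...") or smtplib's
    ehlo_resp form (prefixes removed).  The first line is the greeting and is
    skipped; every other line's first token is a keyword.
    """
    keywords = set()
    lines = [ln.strip() for ln in ehlo_text.replace("\r", "").split("\n") if ln.strip()]
    for line in lines[1:]:
        if line[:3] == "250" and len(line) > 3 and line[3] in "- ":
            line = line[4:]
        if line:
            keywords.add(line.split()[0].upper())
    return keywords


def classify(advertises_starttls: bool, tls_ok: bool) -> str:
    """Map the probe result onto the strict-sender policy from the thread."""
    if not advertises_starttls:
        return OUTCOME_PLAINTEXT
    return OUTCOME_TLS if tls_ok else OUTCOME_FAIL


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to host:port, EHLO, and attempt STARTTLS with a TLS 1.2 floor.

    Certificate validation stays on (create_default_context); a handshake that
    fails for any reason, including a weak DH group, is reported as 'fail'.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    result = {"host": host, "starttls": False, "tls_ok": False,
              "cipher": None, "error": None}
    conn = None
    try:
        conn = smtplib.SMTP(host, port, timeout=timeout)
        conn.ehlo()
        advertised = parse_ehlo(conn.ehlo_resp.decode("ascii", "replace"))
        result["starttls"] = "STARTTLS" in advertised
        if result["starttls"]:
            conn.starttls(context=ctx)       # raises ssl.SSLError on a bad handshake
            result["tls_ok"] = True
            result["cipher"] = conn.sock.cipher()  # (name, protocol, secret bits)
            conn.ehlo()                      # RFC 3207: re-EHLO after STARTTLS
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    finally:
        if conn is not None:
            conn.close()
    result["outcome"] = classify(result["starttls"], result["tls_ok"])
    return result


if __name__ == "__main__":
    # Constructed host name; replace with your own MX to run the live check.
    print(probe("mx.example.invalid"))
```

Run it against each of your own MX hosts; an `outcome` of `fail` is the state the thread says will cost you mail from a strict sender, and the `error` field tells you whether it is the certificate, the protocol version or the key exchange that needs fixing.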
_______________________________________________
mailop mailing list
[email protected]
http://chilli.nosignal.org/mailman/listinfo/mailop
