> We were having a discussion on the possibility to disable TLS 1.0 and 1.1 for MTA to MTA communication, and based on the numbers we've seen so far, it doesn't look that far fetched. And what about PLAIN - do you still allow that as the fallback option or are you also considering disabling that?

Hardening your MTA's TLS configuration and potentially causing TLSv1.0 and TLSv1.1 clients to fall back to plaintext is counterproductive. The first step should really be disabling plaintext.

In parallel to that, if there's a wish to enforce good TLS, how's your MTA-STS support? Both incoming and outgoing?


> It's already been disabled for our customers towards e.g. imap and smtp, and we all agree those pesky old versions should be phased out, sooner rather than later, but have you also disabled it for MTA to MTA communication as well or are you still considering it? And what scenarios are currently holding you back?

In theory that's nice, MUAs do tend to be more up-to-date and there might be downgrade attacks that this would prevent. *But...*

There's no MUA-STS, most clients are relatively trivially downgradeable (hopefully with /some/ user interaction, but pestering the user tends to work). So does that hardening actually help or potentially force some old printers (etc.) to stop working or require a plaintext proxy?


> [...] pesky old versions should be phased out, sooner rather than later [...]

Pesky old versions, what about "new" versions? Do you support TLSv1.3?


Lastly, RFC 8314 (re)defines port 465 as implicit TLS SMTP submission port. Implicit TLS is considered a significantly better approach than upgrading connections. Do you support that?



Wishing you a good day,
Taavi
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
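The MTA-STS question in the thread ("how's your MTA-STS support? Both incoming and outgoing?") is about what a sending MTA must do before it can refuse to fall back to plaintext: fetch the domain's `_mta-sts` TXT record, fetch the policy over HTTPS, and check the MX it is about to talk to against the policy's `mx` patterns and mode (RFC 8461). The following is an added example, not code from the thread or from any of the participants' mail systems. It evaluates a policy offline: the TXT record and policy file are constructed sample data for a hypothetical example.com, and the `tls_ok` argument stands in for the real STARTTLS negotiation plus certificate-chain and hostname validation that a production MTA performs.

```python
"""Offline MTA-STS (RFC 8461) policy parsing and delivery decision.

Added example: the records below are constructed, not fetched.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_AGE_LIMIT = 31_557_600          # RFC 8461 s.3.2: max_age upper bound (about one year)
VALID_MODES = ("enforce", "testing", "none")
_MX_PATTERN = re.compile(r"(\*\.)?([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+")

# Constructed sample data for a hypothetical domain.
SAMPLE_TXT = "v=STSv1; id=20240601T120000;"             # TXT at _mta-sts.example.com
SAMPLE_POLICY = (                                         # https://mta-sts.example.com/.well-known/mta-sts.txt
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.backup.example.net\r\n"
    "max_age: 604800\r\n"
)


class PolicyError(ValueError):
    """Raised for a record or policy that must be treated as absent/invalid."""


def parse_sts_txt_record(txt: str) -> Dict[str, str]:
    """Parse the _mta-sts.<domain> TXT record into its fields.

    The ABNF requires 'v=STSv1' first and an id of 1..32 alphanumerics."""
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise PolicyError(f"malformed field: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if not fields and key != "v":
            raise PolicyError("record must start with the v field")
        fields[key] = value
    if fields.get("v") != "STSv1":
        raise PolicyError("missing or unsupported version")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise PolicyError("missing or invalid id")
    return fields


@dataclass
class Policy:
    mode: str
    max_age: int
    mx_patterns: List[str]


def parse_policy(text: str) -> Policy:
    """Parse the policy file body. Unknown keys are extension fields and ignored."""
    version = mode = None
    max_age = None
    mx: List[str] = []
    for line in text.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise PolicyError(f"malformed line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            if value != "STSv1":
                raise PolicyError(f"unsupported version {value!r}")
            version = value
        elif key == "mode":
            if value not in VALID_MODES:
                raise PolicyError(f"invalid mode {value!r}")
            mode = value
        elif key == "mx":
            if not _MX_PATTERN.fullmatch(value):
                raise PolicyError(f"invalid mx pattern {value!r}")
            mx.append(value)
        elif key == "max_age":
            if not re.fullmatch(r"\d{1,10}", value) or int(value) > MAX_AGE_LIMIT:
                raise PolicyError(f"invalid max_age {value!r}")
            max_age = int(value)
    if version is None or mode is None or max_age is None:
        raise PolicyError("version, mode and max_age are required")
    if mode != "none" and not mx:
        # An enforce/testing policy with no mx pattern can never validate a host.
        raise PolicyError("enforce/testing policy needs at least one mx pattern")
    return Policy(mode, max_age, mx)


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 s.4.1 matching: a leading '*.' covers exactly one left-most label,
    so '*.example.net' matches 'a.example.net' but not 'example.net' or 'a.b.example.net'."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        suffix = p[2:]
        if not h.endswith("." + suffix):
            return False
        left = h[: -len(suffix) - 1]
        return left != "" and "." not in left
    return p == h


def evaluate_delivery(policy: Policy, mx_host: str, tls_ok: bool) -> Tuple[bool, str]:
    """Decide whether the sender may deliver to mx_host.

    tls_ok abstracts 'STARTTLS succeeded and the certificate validated for mx_host'
    (an assumption of this example; a real MTA derives it from the TLS handshake)."""
    host_ok = any(mx_matches(p, mx_host) for p in policy.mx_patterns)
    if policy.mode == "none":
        return True, "mode none: no MTA-STS requirement"
    if host_ok and tls_ok:
        return True, "MX matched policy and TLS validated"
    failure = "MX not in policy" if not host_ok else "TLS validation failed"
    if policy.mode == "enforce":
        return False, f"{failure}; enforce mode, refusing unvalidated delivery"
    return True, f"{failure}; testing mode, delivering (report via TLSRPT)"


if __name__ == "__main__":
    rec = parse_sts_txt_record(SAMPLE_TXT)
    pol = parse_policy(SAMPLE_POLICY)
    print("policy id", rec["id"], "mode", pol.mode, "mx", pol.mx_patterns)
    for host, ok in (("mail.example.com", True), ("mail.example.com", False),
                     ("mx1.backup.example.net", True), ("rogue.example.org", True)):
        print(host, ok, "->", evaluate_delivery(pol, host, ok))
```

The enforce-mode branch is the point of the thread's "first disable plaintext" argument: once a receiving domain publishes `mode: enforce`, a compliant sender that cannot validate TLS to a listed MX does not fall back to PLAIN, regardless of what the MX itself would accept. In `testing` mode the same failure is only reported, which is what a domain would publish while it still has legacy MX hosts that cannot present a valid certificate.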
