Hi,

On Wed, 3 Aug 2022 13:34:02 +0200 (CEST) Sidsel Jensen via mailop
<mailop@mailop.org> wrote:

> Hi MailOps
>  
> We were having a discussion on the possibility to disable TLS 1.0 and
> 1.1 for MTA to MTA communication, and based on the numbers we've seen
> so far, it doesn't look that far fetched. What's the common consensus
> in the mail community about this currently? 

I do not know about the community, but I have had this for 2-3 years
already (GnuTLS):

    -VERS-TLS1.0:-VERS-TLS1.1:-RSA:-DHE-RSA:-GROUP-DH-ALL

In other words, I have disabled TLS1.0, TLS1.1, pure RSA and DHE. I did
check the logs for the last month and I see only 5 (five) incoming errors
with an illegal or unsupported TLS version, all from suspicious hosts (on
a first look at the PTR)...

I have allowed TLS1.0 and TLS1.1 for outgoing MTA connections, but I
have no such connections logged recently; however, my outgoing mail
volume is very low and mostly to the same hosts, so that is not
representative at all.

The reason for these asymmetric settings is that I decided to use
encrypted delivery even with old TLS versions (over PLAIN), as it is my
responsibility. When the other side (MTA) decides not to support modern
TLS and delivers the message in PLAIN, it is their responsibility, not
mine. If they decide not to support modern TLS and not to deliver
in PLAIN, it is again their decision.

I have similar (even stricter) TLS settings on my MSA, and there are
problems with unsupported TLS versions only from cracking attempts;
all my clients are able to connect with modern TLS. I have provided **only**
tcp/465 for the MSA since the time it was standardized by RFC, while
even at that time all my clients were already using it.

Port 25 for MSA was deprecated years ago, and tcp/587 is
standardized as a fallback only now. IMO there is a very simple way to
notify clients that port 25 is not available for them -- do not
provide AUTH over it, or deny AUTH with some informative message; sooner
or later they will notice it (or will notice that they cannot log in).

It was many years ago, but I met a (big) ISP which (I guess) used a proxy
on port 25 that filtered STARTTLS from the EHLO response (Cisco ASA?) and thus
all SMTP connections were in PLAIN... I am happy that we (my employer) are
not using it anymore.

regards

-- 
Slavko
https://www.slavino.sk

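The priority string quoted in the reply above, evaluated by an added example that is not the poster's configuration nor GnuTLS code: a simplified Python model of what a GnuTLS priority string leaves enabled, assuming an approximation of the NORMAL keyword's contents (the exact lists depend on the GnuTLS version). It shows that "-RSA" removes only the static RSA key exchange (no forward secrecy) while ECDHE-RSA stays, and that "-GROUP-DH-ALL" makes DHE unusable even if the DHE-RSA keyword itself were left in.

```python
"""Simplified evaluator for GnuTLS priority strings (the syntax used by
Exim's tls_require_ciphers and other GnuTLS consumers)."""

# Assumption: an approximation of what GnuTLS's NORMAL keyword enables;
# the real lists vary by GnuTLS version, so treat them as illustrative.
NORMAL = {
    "versions": ["VERS-TLS1.3", "VERS-TLS1.2", "VERS-TLS1.1", "VERS-TLS1.0"],
    "kx": ["ECDHE-ECDSA", "ECDHE-RSA", "DHE-RSA", "RSA"],
    "groups": ["GROUP-X25519", "GROUP-SECP256R1", "GROUP-SECP384R1",
               "GROUP-FFDHE2048", "GROUP-FFDHE3072"],
}
# Wildcard keywords expanded to the concrete names used above.
WILDCARDS = {
    "VERS-TLS-ALL": NORMAL["versions"],
    "VERS-ALL": NORMAL["versions"],
    "GROUP-DH-ALL": ["GROUP-FFDHE2048", "GROUP-FFDHE3072"],
    "GROUP-EC-ALL": ["GROUP-X25519", "GROUP-SECP256R1", "GROUP-SECP384R1"],
    "GROUP-ALL": NORMAL["groups"],
}
# Key exchanges without forward secrecy: a later compromise of the
# server key exposes recorded sessions.
NO_FORWARD_SECRECY = {"RSA"}


def _category(name):
    if name.startswith("VERS-"):
        return "versions"
    return "groups" if name.startswith("GROUP-") else "kx"


def apply_priority(priority, base=NORMAL):
    """Apply "-X" (remove), "+X" (enable) and "!X" (remove permanently)
    items to a copy of the base policy; a bare initial keyword is skipped."""
    policy = {k: list(v) for k, v in base.items()}
    banned = set()
    for item in filter(None, priority.split(":")):
        op, name = item[0], item[1:]
        if op not in "+-!":
            continue
        names, cat = WILDCARDS.get(name, [name]), _category(name)
        if op == "+":
            policy[cat] += [n for n in names
                            if n not in policy[cat] and n not in banned]
        else:
            if op == "!":
                banned.update(names)
            policy[cat] = [n for n in policy[cat] if n not in names]
    return policy


def summarize(priority):
    """What a server configured with this string would still offer."""
    p = apply_priority(priority)
    has_dh_group = any(g.startswith("GROUP-FFDHE") for g in p["groups"])
    # DHE key exchange needs at least one finite-field group to be usable.
    kx = [k for k in p["kx"] if has_dh_group or not k.startswith("DHE")]
    return {
        "versions": p["versions"],
        "kx": kx,
        "legacy_versions": [v for v in p["versions"]
                            if v in ("VERS-TLS1.0", "VERS-TLS1.1")],
        "forward_secrecy_only": not (set(kx) & NO_FORWARD_SECRECY),
    }
```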

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
