> Am 03.08.2022 um 13:48 schrieb Sidsel Jensen via mailop <mailop@mailop.org>: > > We were having a discussion on the possibility to disable TLS 1.0 and 1.1 > for MTA to MTA communication, and based on the numbers we've seen so far, it > doesn't look that far fetched.
As long as the MTA in question supports plaintext SMTP connections, disabling TLS 1.0 or 1.1 will not improve security of public, anonymous MTA to MTA connections, but *decrease* it, for the following reasons: A TLS encrypted SMTP connection protects against eavesdropping or altering of messages through MITM attacks, which can be either passive or active: a) An active MITM will simply strip off the STARTTLS keyword (always transmitted in the clear), thereby forcing the involved MTAs to fall back to plaintext communication. There are ready to be used tools to achieve that and it is infinitely easier to perform this attack than breaking even the oldest ciphersuites. So with an active MITM it doesn‘t matter if a MTA supports TLS 1.0, 1.2 or whatever version, because no TLS at all will ever be part of the connection. b) A passive MITM on the other hand will not be able to perform a downgrade attack (because well… he would be an active attacker in this case, for which see above). So if both MTAs support TLS 1.2 and a common ciphersuite, they are going to use that. It doesn‘t lower the security if one MTA additionally supports older SSL/TLS versions, as long as he tries with the newest first. If however the other MTA *only* supports TLS 1.0, disabling this version on your MTA will result in the connection falling back to plaintext, at least the MTA software I know of behaves this way. So instead of seeing a TLS 1.0 encrypted SMTP connection, which is next to impossible to break for a passive MITM, the attacker will instead be able to simply read everything in plaintext. Game over. For those reasons I recommend (again for public, anonymous SMTP connections) to enable all SSL and TLS versions that the system in use provides. This holds true until unencrypted SMTP connections are disabled and/or DANE gets any widespread usage. MTA-STS is out of scope here, since it restricts TLS to version 1.2 or higher anyway, regardless if a MTA would theoretically support older versions as well. For selected targets where you know that they support TLS 1.2 it makes sense to enforce this of course. The same is true for MUA submission, which should be restricted to implicit TLS 1.2 or newer (no STARTTLS support). Regarding the claims in this thread that TLS 1.0 would be as insecure as plaintext: I‘m honestly interested to learn about an attack against a TLS 1.0 encrypted SMTP connection by a passive attacker. — BR Oliver ________________________________ dmTECH GmbH Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe Telefon 0721 5592-2500 Telefax 0721 5592-2777 dmt...@dm.de<mailto:dmt...@dm.de> * www.dmTECH.de<http://www.dmtech.de> GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927 Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher ________________________________ Datenschutzrechtliche Informationen Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie die Kontaktdaten unserer Datenschutzbeauftragten finden Sie hier<https://www.dm.de/datenschutzerklaerung-kommunikation-mit-externen-493832>. _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop