Like others who have commented, we believe weak encryption is worse than no 
encryption, so we have disabled TLSv1 and TLSv1.1 everywhere in our email 
systems, allowing only TLSv1.2 and TLSv1.3. 

Best regards to all, 
Mark 
_________________________________________________________________ 
L. Mark Stone, Founder 
North America's Leading Zimbra VAR/BSP/Training Partner 
For Companies With Mission-Critical Email Needs 


From: "Brotman, Alex via mailop" <mailop@mailop.org> 
To: "Sidsel Jensen" <sidsel.jen...@open-xchange.com>, "<mailop@mailop.org>" 
<mailop@mailop.org> 
Sent: Thursday, August 4, 2022 1:14:17 PM 
Subject: Re: [mailop] [EXTERNAL] Disabling TLS 1.0 and 1.1 for MTA to MTA 
communication 

One of the things I find interesting here is that the question is whether to 
disable the protocol version. We’re not limited to just enable/disable for 
those versions to get the attention of the sender (assuming they’d even notice 
if they were going clear-text). A receiver could also impact them by limiting 
the number of messages per session, tarpitting the sessions, limiting the 
number of messages per $time-period, or placing the messages in the spam 
folder, etc. Could we name-and-shame for larger entities? Or report them to 
some entity that tracks security compliance? 

-- 
Alex Brotman 
Sr. Engineer, Anti-Abuse & Messaging Policy 
Comcast 

From: mailop <mailop-boun...@mailop.org> On Behalf Of Sidsel Jensen via mailop 
Sent: Wednesday, August 3, 2022 6:34 AM 
To: <mailop@mailop.org> <mailop@mailop.org> 
Subject: [EXTERNAL] [mailop] Disabling TLS 1.0 and 1.1 for MTA to MTA 
communication 

Hi MailOps 

We were having a discussion on the possibility of disabling TLS 1.0 and 1.1 for 
MTA to MTA communication, and based on the numbers we've seen so far, it 
doesn't look that far-fetched. 

What's the common consensus in the mail community about this currently? 

It's already been disabled for our customers towards e.g. imap and smtp, and we 
all agree those pesky old versions should be phased out, sooner rather than 
later, but have you also disabled it for MTA to MTA communication as well or 
are you still considering it? And what scenarios are currently holding you 
back? 

And what about PLAIN - do you still allow that as the fallback option or are 
you also considering disabling that? 

I'm looking forward to reading your replies :-) 

Kind Regards, 
Sidsel Jensen 
Architect of Deliverability and Abuse @ Open-Xchange 

_______________________________________________ 
mailop mailing list 
mailop@mailop.org 
https://list.mailop.org/listinfo/mailop 
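
The thread's question rests on "the numbers we've seen so far". As an added example that is not part of any message above, here is one way to get those numbers for inbound MTA to MTA sessions: tally the negotiated TLS versions and list the peers that never negotiated anything newer than TLS 1.1. It assumes Postfix-style smtpd log lines (smtpd_tls_loglevel = 1); the thread names no MTA, and the sample lines, host names and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumption: Postfix smtpd TLS summary lines. All sample lines are constructed
# and use documentation host names and addresses.
SAMPLE_LOG = """\
Aug  3 06:30:01 mx1 postfix/smtpd[2101]: connect from mail.example.net[192.0.2.10]
Aug  3 06:30:01 mx1 postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Aug  3 06:31:12 mx1 postfix/smtpd[2102]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  3 06:32:40 mx1 postfix/smtpd[2103]: Anonymous TLS connection established from old-mta.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug  3 06:33:05 mx1 postfix/smtpd[2104]: Anonymous TLS connection established from old-mta.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug  3 06:34:18 mx1 postfix/smtpd[2105]: Anonymous TLS connection established from relay.example.com[203.0.113.5]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug  3 06:35:51 mx1 postfix/smtpd[2106]: Anonymous TLS connection established from relay.example.com[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: \w+ TLS connection established from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>(?:TLS|SSL)v[\d.]+) with cipher"
)
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # versions that would be switched off


def tally(lines):
    """Return (sessions per protocol, sorted peers seen only on legacy versions)."""
    by_proto = Counter()
    peers = defaultdict(set)
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS summary line (connect, disconnect, ...)
        by_proto[m["proto"]] += 1
        peers[(m["host"], m["ip"])].add(m["proto"])
    # A peer that also negotiated TLS 1.2+ at least once is not listed.
    legacy_only = sorted(p for p, seen in peers.items() if seen <= LEGACY)
    return by_proto, legacy_only


def legacy_share(by_proto):
    """Fraction of TLS sessions that used a legacy protocol version."""
    total = sum(by_proto.values())
    legacy = sum(n for proto, n in by_proto.items() if proto in LEGACY)
    return legacy / total if total else 0.0


if __name__ == "__main__":
    counts, legacy_peers = tally(SAMPLE_LOG.splitlines())
    print(dict(counts), f"legacy share: {legacy_share(counts):.0%}")
    for host, ip in legacy_peers:
        print(f"legacy-only peer: {host} [{ip}]")
```

The legacy-only list is the set of senders whose mail would be affected by the change; peers that only sometimes negotiate an old version do not appear in it.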