You could also allow the TLS connection and then fail some percentage of
mail attempts after that with a 5xx message to tell your admin to upgrade
their encryption strength.

Failing the TLS negotiation typically has really terrible debuggability as
the other thread about SHA1 on Gmail speaks to.

Of course, error messages to regular customers that are meant for the admin
are not the greatest solution to that, but we use what we have. TLS
Reporting is the opposite utility in that situation, but this side relies
on admins to have good logging/alerting for outbound, and the error
handling for this is typically terrible... to be fair, the error handling
for the underlying openssl/etc libraries isn't very verbose either, and
hooking into them is complicated at best... (this is from memory, maybe it's
improved since I worked with all of this for the SSL3 deprecation a decade
ago, and maybe I'm also blaming openssl for what were actually issues with
the wrapper library we were using, my memory is vague)

Brandon

On Thu, Aug 4, 2022 at 11:56 AM Brotman, Alex via mailop <mailop@mailop.org>
wrote:

> One of the things I find interesting here is that the question is whether
> to disable the protocol version.  We’re not limited to just enable/disable
> for those versions to get the attention of the sender (assuming they’d even
> notice if they were going clear-text).  A receiver could also impact them
> by limiting the number of messages per session, tarpit the sessions, number
> of messages per $time-period, or place the messages in the spam folder,
> etc.   Could we name-and-shame for larger entities?  Or report them to some
> entity that tracks security compliance?
>
> --
> Alex Brotman
> Sr. Engineer, Anti-Abuse & Messaging Policy
> Comcast
>
> From: mailop <mailop-boun...@mailop.org> On Behalf Of Sidsel Jensen via mailop
> Sent: Wednesday, August 3, 2022 6:34 AM
> To: mailop@mailop.org
> Subject: [EXTERNAL] [mailop] Disabling TLS 1.0 and 1.1 for MTA to MTA communication
>
> Hi MailOps
>
> We were having a discussion on the possibility to disable TLS 1.0 and 1.1
> for MTA to MTA communication, and based on the numbers we've seen so far,
> it doesn't look that far fetched.
>
> What's the common consensus in the mail community about this currently?
>
> It's already been disabled for our customers towards e.g. imap and smtp,
> and we all agree those pesky old versions should be phased out, sooner
> rather than later, but have you also disabled it for MTA to MTA
> communication, or are you still considering it? And what scenarios
> are currently holding you back?
>
> And what about PLAIN - do you still allow that as the fallback option or
> are you also considering disabling that?
>
> I'm looking forward to reading your replies :-)
>
> Kind Regards,
> Sidsel Jensen
>
> Architect of Deliverability and Abuse @ Open-Xchange
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
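As an added example, not code from the thread or from any poster's systems: a small Postfix SMTPD policy service that does what Brandon describes above (let the TLS handshake succeed, then reject a configurable share of transactions that arrived over TLS 1.0/1.1 with a 5xx whose text is aimed at the remote admin), which is also one way to apply the graduated pressure Alex lists rather than a hard protocol disable. The attribute names it reads (encryption_protocol, instance, queue_id, client_address) and the name=value request / action= response framing are Postfix's documented policy-delegation protocol; the listening port, the reject percentage, the 5xx wording, the hash-based bucketing and the sample request are assumptions made for this illustration.

```python
"""
Hypothetical Postfix SMTPD policy service (added example, not from the thread).

Assumed main.cf wiring, placed so it runs after the client has negotiated TLS:
    smtpd_recipient_restrictions =
        ...
        check_policy_service inet:127.0.0.1:10040
        ...
Postfix sends one 'name=value' line per attribute, ends the request with an
empty line, and expects 'action=<value>' followed by an empty line back.
"""
import hashlib
import socketserver
from typing import Dict

# Protocol names as Postfix reports them in encryption_protocol.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumed share (0-100) of legacy-TLS transactions to reject; the remainder
# are accepted so mail keeps flowing while the 5xx text shows up in the
# sender's logs and bounces.
REJECT_PERCENT = 10

# Assumed wording; a 5xx at RCPT time becomes a bounce on the sending side.
ADMIN_MESSAGE = (
    "550 5.7.0 This server is phasing out {proto}; "
    "mail administrator: enable TLS 1.2 or later on your outbound MTA"
)

# Constructed sample request (not a real capture), as Postfix would send it.
SAMPLE_LEGACY_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "instance=123.6a1b2c3d.0\n"
    "encryption_protocol=TLSv1\n"
    "encryption_cipher=AES128-SHA\n"
    "encryption_keysize=128\n"
    "\n"
)


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse 'name=value' lines up to the blank line that ends the request."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:  # skip malformed lines instead of crashing the service
            attrs[name.strip()] = value.strip()
    return attrs


def in_reject_bucket(key: str, percent: int) -> bool:
    """Deterministically place about `percent` percent of keys in the bucket."""
    bucket = int(hashlib.sha256(key.encode()).hexdigest(), 16) % 100
    return bucket < percent


def decide(attrs: Dict[str, str], percent: int = REJECT_PERCENT) -> str:
    """Return the Postfix action for one request."""
    proto = attrs.get("encryption_protocol", "")
    if proto not in LEGACY_PROTOCOLS:
        return "DUNNO"  # cleartext or modern TLS: not this service's concern
    # Key on 'instance' so every RCPT of one transaction gets the same answer;
    # fall back to queue_id / client_address if a request lacks it.
    key = attrs.get("instance") or attrs.get("queue_id") or attrs.get("client_address", "")
    if in_reject_bucket(key, percent):
        return ADMIN_MESSAGE.format(proto=proto)
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve policy requests; Postfix may send several on one connection."""

    def handle(self) -> None:
        while True:
            chunks = []
            while True:
                line = self.rfile.readline()
                if not line:  # peer closed the connection
                    return
                chunks.append(line.decode("utf-8", "replace"))
                if line in (b"\n", b"\r\n"):  # empty line ends the request
                    break
            action = decide(parse_policy_request("".join(chunks)))
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()


if __name__ == "__main__":
    # Assumed listener address; matches the check_policy_service line above.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Two practical caveats: the 5xx is seen first by the remote sender as a bounce, so the text only reaches an admin who reads bounces or outbound logs (Brandon's point about debuggability applies here too), and a per-message deterministic bucket means a given message is either always or never rejected, which avoids turning a 5xx into a retry loop but also means a single test message may never trip the policy; raise the percentage when testing.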
