On 01/13/2017 06:30 AM, Bastian Blank wrote:
On Thu, Jan 12, 2017 at 09:00:20PM +0000, Dominic Raferd wrote:
Just for amusement (it's been a long day) I had a look at the selected
encryption for incoming mails on one of our servers over the last few
months. One cipher and one protocol predominates
[ECDHE-RSA-AES128-GCM-SHA256 (128/128_bits) TLSv1.2] but quite a range
of others are used too, I would prefer to disable TLSv1(.0) because it
does not pass PCI DSS v3.2 but evidently that is not workable at the
Can you explain how PCI DSS applies to mail. Espcially for a public MX,
which can't use mandatory encryption?
Do you really send payment data via mail?
I run a mail server with a public MX that refuses insecure connections.
Yes it technically breaks the RFC but it also gets far far far far less
spam than any other public MX server I run. Not because spammers don't
try, but because they quite frequently don't try with TLS.
Public MX servers can use mandatory encryption. It's not like you are
going to be fined for not accepting insecure connections...