[AusNOG] Issues receiving from TPG Mail servers.

Scott Howard scott at doc.net.au
Tue Jul 24 13:59:21 EST 2018


My take would be that for a general service provider, like TPG, you should
be as accepting as possible. That would include accepting clear text and
TLS 1.0 (although possibly not SSLv3).  Any specific sender or recipient
can enforce stronger limitations if they choose to do so.

For a provider that has any focus on security it's potentially a different
story. In that case enforcing TLS1.2 potentially makes sense, although it
then raises the question around what you do with servers that don't support
TLS at all, or like TPG at the moment, don't support TLS higher than 1.0
(is cleartext better than TLS1.0?)

Then there's the elephant in the room when it comes to SMTP around
certificate verification, and if/how you determine you're talking to the
correct mail server (at which point you have to move the conversation over
to things like DNSSEC).

  Scott



On Tue, Jul 24, 2018, 09:48 Paul Wilkins <paulwilkins369 at gmail.com> wrote:

> Should TLS 1.0 be acceptable?
>
> I don't claim to be a crypto geek.
>
> Curiously the ISM standards make TLS 1.2 only advisory:
>
>
>    - Control: 1447; Revision: 0; Updated: Apr-15; Applicability: UD, P,
>      C, S, TS; Compliance: must; Authority: AA
>       - Agencies *must use TLS*.
>    - Control: 1139; Revision: 3; Updated: Apr-15; Applicability: UD,
>      P, C, S, TS; Compliance: should; Authority: AA
>       - Agencies *should use the latest version of TLS*
>
> Kind regards
>
> Paul Wilkins
>
> On 24 July 2018 at 11:10, Scott Howard <scott at doc.net.au> wrote:
>
>> On Mon, Jul 23, 2018 at 6:00 PM, Noel Butler <noel.butler at ausics.net>
>> wrote:
>>>
>>> You are the one choosing to use cpanel/plesk, lazy webhost solutions
>>> that put all your customers' eggs in the one single basket (though I heard
>>> plesk may soon be changing that), sorry, but that is not TPG's fault your
>>> chosen hosting software lives in the 90s.
>>>
>>
>> Perhaps not, but it IS TPG's fault that their mail server is only
>> supporting encryption algorithms that live in the 90's...
>>
>> Irrespective of the PCI argument or not, TPG supporting TLS 1.0 but not
>> higher in 2018 simply shouldn't be seen as acceptable.
>>
>>   Scott
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>