> On May 19, 2019, at 1:00 PM, Cyborg via Exim-users <[email protected]> wrote:
>
> Problem is, that even if tls_1.2 is out since 2008, a communication
> partner may use SSLv3 or TLS 1.0/1.1 and using just "encrypted = *",
> you will accept it.
My advice is to avoid knee-jerk reactions to mostly HTTP-related risks in SSL/TLS and adopt a crypto-maximalist posture with SMTP. Unlike interactive web browsing, MTA-to-MTA SMTP has no user to "click OK" when an unimportant site they're visiting (today's weather, not their bank) has no SSL, an expired certificate, ...

Since LOGJAM and DROWN, the SMTP MTA "ecosystem" has moved on from "export" ciphers and SSL2/SSL3. You can now, without loss of interoperability, expect at least 128-bit ciphers and TLS 1.0, which are adequate for SMTP and better than cleartext.

I am not aware of any cross-protocol attacks against TLS 1.2 via servers that use the same certificate with TLS 1.0/1.1. And you really don't have to, and shouldn't, use the same certificate across multiple unrelated services.

> It's better to check the protocol via $tls_cipher for tls 1.2 and 1.3,
> and reject anything not 1.2 or 1.3.
>
> If you're in the EU, you need to consider this, as §32 EU GDPR states
> "the used technique(Encryption) to protect the transport of personal
> data has to be state of the art" aka TLS 1.2 or 1.3.

From the Gmail transparency report:

    https://transparencyreport.google.com/safer-email/overview

we see that some ~10% of email traffic is presently cleartext (not even TLS 1.0).
Some major sources and destinations that never or only sometimes use TLS are:

Top domains (World): Inbound

  Domain                                     %
  From: adobe.com via adobesystems.com      87%
  From: aliexpress.com via alibaba.com       0%
  From: cmail19.com via createsend.com      92%
  From: cmail20.com via createsend.com      91%
  From: costco.com                           0%
  From: cuenote.jp                          90%
  From: emergencyemail.org                   0%
  From: infusionmail.com                    95%
  From: secureserver.net                    59%
  From: timesjobs.com via tbsl.in            0%

Top domains (World): Outbound

  Domain                                     %
  To: alice.it via aliceposta.it             0%
  To: amazon.{...}                          60%
  To: bigpond.com                            0%
  To: btinternet.com via cpcloud.co.uk       0%
  To: docomo.ne.jp                           0%
  To: ezweb.ne.jp                            0%
  To: nauta.cu via etecsa.net                0%
  To: softbank.jp                            0%
  To: uol.com.br                             0%
  To: yahoo.co.jp                            0%

For Europe the top non-TLS peers are:

Top domains (Europe): Inbound

  Domain                                     %
  From: adidas.com via neolane.net          92%
  From: bebee.com                            0%
  From: bloglovin.com                        0%
  From: gog.com                             27%
  From: kuponya.net                          0%
  From: mail-cdiscount.com                   0%
  From: meetic.com                          87%
  From: radar-de-novidades.com               0%
  From: seniorplanet.fr                      0%
  From: useinsider.com                      44%

Top domains (Europe): Outbound

  Domain                                     %
  To: alice.it via aliceposta.it             0%
  To: amazon.{...}                           0%
  To: btinternet.com via cpcloud.co.uk       0%
  To: istruzione.it                          0%
  To: leboncoin.fr                           0%
  To: pole-emploi.net via prosodie.com       0%
  To: sch.gr                                 0%
  To: t-online.hu                            0%
  To: tin.it                                 0%
  To: tiscali.it                             0%

--
    Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
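The disagreement above is about rejecting versus merely accepting TLS 1.0/1.1 and cleartext on inbound SMTP. Before tightening an Exim ACL, a useful first step is to measure what share of your own inbound sessions such a policy would refuse. The script below is an added example, not code from the thread or the Exim project: it tallies the protocol version of inbound sessions from Exim mainlog lines by reading the X= field (the logged $tls_in_cipher value, which the thread refers to as $tls_cipher); the log lines are constructed samples, and the host names and addresses in them are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Exim mainlog lines (not real traffic). Inbound lines ("<=")
# carry X=<cipher> (the logged $tls_in_cipher) when TLS was used; no X= field
# means cleartext SMTP. The final outbound ("=>") line is deliberately ignored.
SAMPLE_LOG = """\
2019-05-19 13:01:02 1hSabc-0001AB-Cd <= alice@example.com H=mx1.example.net [192.0.2.10] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2048
2019-05-19 13:02:11 1hSabd-0001AC-Ef <= bob@example.com H=mx2.example.net [192.0.2.11] P=esmtps X=TLSv1:AES128-SHA:128 CV=no S=1500
2019-05-19 13:03:40 1hSabe-0001AD-Gh <= carol@example.org H=smtp.example.org [198.51.100.7] P=esmtp S=900
2019-05-19 13:04:05 1hSabf-0001AE-Ij <= dave@example.com H=mx1.example.net [192.0.2.10] P=esmtps X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no S=3100
2019-05-19 13:05:59 1hSabg-0001AF-Kl <= erin@example.org H=smtp.example.org [198.51.100.7] P=esmtps X=TLSv1.1:ECDHE-RSA-AES256-SHA:256 CV=no S=1200
2019-05-19 13:06:00 1hSabh-0001AG-Mn => frank@example.com R=dnslookup T=remote_smtp H=mx.example.com [203.0.113.5] X=TLSv1.3:TLS_AES_256_GCM_SHA384:256 CV=yes
"""

# Arrival line: date time msgid <= sender H=host [optional "(helo)"] [ip] ...
INBOUND_RE = re.compile(r'^\S+ \S+ \S+ <= \S+ H=(?P<host>\S+)(?: \([^)]*\))? \[[^\]]+\](?P<rest>.*)$')
CIPHER_RE = re.compile(r'\bX=(?P<cipher>\S+)')
# OpenSSL builds log "TLSv1.2:..." / "TLSv1:..."; GnuTLS builds log "TLS1.2:...": normalise both.
VERSION_RE = re.compile(r'^(?P<proto>TLS|SSL)v?(?P<major>\d)(?:\.(?P<minor>\d))?')
MODERN = {"TLS1.2", "TLS1.3"}  # the versions the thread proposes to require

def tls_version(cipher_field: str) -> str:
    m = VERSION_RE.match(cipher_field)
    if not m:
        return "unknown"
    return f"{m.group('proto')}{m.group('major')}.{m.group('minor') or '0'}"

def classify(line: str):
    """(host, 'TLS1.2' / ... / 'cleartext') for an inbound line, None otherwise."""
    m = INBOUND_RE.match(line)
    if not m:
        return None
    c = CIPHER_RE.search(m.group("rest"))
    return m.group("host"), (tls_version(c.group("cipher")) if c else "cleartext")

def summarize(log_text: str) -> dict:
    by_version, by_host = Counter(), defaultdict(Counter)
    for line in log_text.splitlines():
        r = classify(line)
        if r:
            by_version[r[1]] += 1
            by_host[r[0]][r[1]] += 1
    return {"total": sum(by_version.values()), "by_version": by_version, "by_host": dict(by_host)}

def legacy_share(summary: dict) -> float:
    """Fraction of inbound sessions that a 'TLS >= 1.2 only' policy would have refused."""
    total = summary["total"]
    legacy = sum(n for v, n in summary["by_version"].items() if v not in MODERN)
    return legacy / total if total else 0.0
```

Run `summarize(open("/var/log/exim4/mainlog").read())` against a real mainlog and inspect `by_host` to see which peers would be cut off; on the constructed sample, `legacy_share` reports that 3 of 5 inbound sessions (one TLS 1.0, one TLS 1.1, one cleartext) would be refused.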
