Time to throw a unix box with Postfix in front of that Exchange server, if you're not upgrading or shutting it off.

FWIW, I have indeed seen Google update the encryption status of a domain; the icon went away for mail composition to some of the domains I oversee. It actually took longer than a day, but that doesn't mean Brandon is wrong about how their process works; it could mean it just took longer than a day to see enough data to warrant an update, or there are so many domains in the world that Google doesn't examine each single one every day. So hang in there, I do think you'll see it update.

Cheers,
Al

--
Al Iverson
www.aliverson.com
(312)725-0130

On Fri, Apr 1, 2016 at 12:06 PM, Eric Henson <ehen...@pfsweb.com> wrote:
> http://blogs.technet.com/b/exchange/archive/2015/07/27/exchange-tls-amp-ssl-best-practices.aspx
>
> Exchange 2003 is out of support.
> Exchange 2007 support ends 4/11/2017.
> Exchange 2010 and later best practice is to disable RC4 and SSLv3.
>
> I’d say it may be best to leave RC4 enabled until 4/11/2017, but my PCI
> scanning vendor disagrees.
>
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Franck Martin via mailop
> Sent: Friday, April 1, 2016 11:27 AM
> To: Kirk MacDonald
> Cc: mailop@mailop.org; Tim Bray
> Subject: Re: [mailop] Gmail red open padlock composing message
>
> RC4 is a conundrum, it is about the only cypher you can negotiate with old
> MS-Exchange, so if you disable it, then the email will go in clear text.
> Which one is better? Clear text or RC4? Or too bad for old mail servers?
>
> PFS or Elliptic ciphers are asymmetric in implementation, so you need to
> check what's negotiated as a sender and as a receiver.
>
> Finally it seems some systems do not fall back anymore, if you initiate
> STARTTLS and can't negotiate it, then you can't send email in clear text.
>
> And then look at SMTP STS
>
> On Fri, Apr 1, 2016 at 6:00 AM, Kirk MacDonald <kirk.macdon...@corp.eastlink.ca> wrote:
>
> Whoops, I fully intended to audit the available ciphers; clearly I missed
> doing that. Should be OK now.
>
> Tragically, PFS is not (yet) supported on the TLS mechanism I am making use
> of. I hope to be able to change that in the somewhat near future.
>
> -----Original Message-----
> From: Tim Bray [mailto:t...@kooky.org]
> Sent: Friday, April 01, 2016 5:58 AM
> To: Kirk MacDonald <kirk.macdon...@corp.eastlink.ca>; mailop@mailop.org
> Subject: Re: [mailop] Gmail red open padlock composing message
>
> On 31/03/16 17:38, Kirk MacDonald wrote:
>> With thanks to Google for pushing the cause, I implemented STARTTLS
>> functionality on my org’s MX (as well as outbound SMTP with
>> opportunistic STARTTLS).
>
> Firstly - well done for doing it. Everybody should be enabling TLS.
>
> Did you test the install?
>
> You have TLS, but there are some issues with your setup:
>
> https://ssl-tools.net/mailservers/corp.eastlink.ca
>
> So you need to disable the RC4 cipher. Everybody suggests it is insecure.
>
> Also you don't support the correct ciphers for Perfect Forward Secrecy.
>
> I'm not sure whether this affects whether google shows the padlock or
> not. Best practice is to get it fixed.
>
> I think ssl-tools.net is the best test for TLS mailservers. You can
> test your mail sending as well.
>
> For webservers, use https://www.ssllabs.com/ssltest/ to test. There is
> also a tool to help make good configs at
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
>
> What I've realised over the last year or so is that SSL/TLS isn't
> something you can just fiddle with until it works. If you want it
> secure, across all browsers, it needs some work.
>
> https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ is an
> excellent book.
>
> Tim
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
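A Postfix main.cf of the kind suggested at the top of this thread, written here as an added example and not taken from any poster's setup: Postfix sits in front of the Exchange server, offers STARTTLS to the Internet without RC4 or SSLv3 and with ECDHE preferred, logs the negotiated cipher on both the receiving and the sending side so it can be checked as Franck describes, and keeps a relaxed cipher policy only for the LAN hop to the old Exchange. Hostnames, domain and certificate paths are placeholders.

```ini
# Postfix edge host in front of Exchange (constructed example; names are placeholders)
myhostname = mx.example.net

# Accept mail for the Exchange domain and hand it to Exchange on the LAN;
# reject_unauth_destination keeps the box from becoming an open relay.
relay_domains = example.net
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport:   example.net   smtp:[exchange.internal.example.net]
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# --- Inbound (receiver side): STARTTLS offered to the Internet ---
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mx.example.net.pem
smtpd_tls_key_file = /etc/ssl/private/mx.example.net.key

# Weak setting a scanner would flag: SSLv3 stays enabled and the "export"
# grade cipher list still contains RC4.
#smtpd_tls_protocols = !SSLv2
#smtpd_tls_ciphers = export

# Corrected: no SSLv2/SSLv3; the "medium" grade still lists RC4 last, so it
# is excluded explicitly; server-preferred order and strong ECDHE curves give PFS.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, SRP
smtpd_tls_eecdh_grade = strong
tls_preempt_cipherlist = yes
# Level 1 logs "TLS connection established from ... with cipher ..." per session,
# which is how to see what was actually negotiated as a receiver.
smtpd_tls_loglevel = 1

# --- Outbound (sender side): opportunistic STARTTLS, same cipher policy ---
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, SRP
# Logs "... connection established to ... with cipher ..." for the sender side.
smtp_tls_loglevel = 1

# Internal hop only: the old Exchange may negotiate nothing better than RC4, so the
# per-destination policy overrides the global exclude list for that one host
# (assumed to be reachable only over the LAN).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#   /etc/postfix/tls_policy:
#   [exchange.internal.example.net]   may ciphers=medium exclude=aNULL,eNULL
```

After `postfix reload`, the "with cipher" lines in the mail log show per connection whether RC4 or a non-ECDHE/DHE suite was negotiated on either side.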