On 06/01/2021 13:23, Dan Malm via mailop wrote:
> Just thought I'd spare others some troubleshooting in case you run into
> this, and see if anyone else has any thoughts on it. :)
My thoughts are `time for mail operators to pull their fingers out and
upgrade`. Because we are really saying `upgrade to something less than
8 years old`.
It's a fair few years since rc4 was known to be no good. TLS1.2 has
been around since 2008.
And a good 5 years since people were having the discussions about
DH-params. https://news.ycombinator.com/item?id=9355649 and
https://en.wikipedia.org/wiki/Logjam_(computer_security)
At work, we've been writing to our regular customers who send TLS1.0
email or no TLS email and suggested they might want to talk to their IT
people about an upgrade.
I think MS Exchange was patched for TLS1.2 in around 2012 (from memory),
but there might be a setting to turn it on. The mention of `your IT
people probably haven't patched your server in 8 years` has certainly
ruffled a few feathers and caused some pretty quick resolutions.
(I was hoping I could just block all email with less than TLS1.2 to
avoid spammers, but seemed to be one of two people who can't seem to change)
For anybody who wants an easy way to test a mail server:
https://internet.nl/ - pretty good checker for all kinds of stuff.
This one has fewer checks, but lets you check an outbound email as well:
https://ssl-tools.net/mailservers
https://www.hardenize.com/ - this one can test a zillion things on your
domain including DNSSEC, MTA-STS, DANE, DMARC. It includes website stuff
in the tests. It is quite good fun getting a full set of greens.
--
Tim Bray
Huddersfield, GB
t...@kooky.org
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
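The web checkers listed above are the easy route; for operators who would rather run the same kind of check from their own monitoring, the script below is an added example (not code from Tim, Dan, or the mailop list) that connects to one SMTP server, issues EHLO and STARTTLS, and uses a client context whose floor is TLS 1.2, so a server that is still on TLS 1.0/1.1 or legacy DH parameters shows up as a failed handshake rather than a quietly downgraded session. The hostname, port, and the `verify_cert` switch are assumptions for the example; the verdict strings are my own, not anything the thread defines.

```python
"""Probe one SMTP server with STARTTLS and refuse anything below TLS 1.2.

Added example for the mailop thread on TLS 1.0 senders; the host/port
arguments and verdict wording are assumptions made for this script.
"""
import smtplib
import ssl
import sys

MIN_TLS = ssl.TLSVersion.TLSv1_2  # the floor the thread argues for


def strict_context(verify_cert: bool = True) -> ssl.SSLContext:
    """Client context that will not complete a handshake below TLS 1.2.

    Certificate verification is on by default. Many MX hosts present a
    certificate that does not match the MX name, which would also show up
    as a failed handshake; pass verify_cert=False when you only want to
    learn the protocol version and cipher the server can negotiate.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_starttls(host: str, port: int = 25, timeout: float = 15.0,
                   verify_cert: bool = True) -> dict:
    """Connect, EHLO, attempt STARTTLS, and record what was negotiated."""
    result = {"host": host, "starttls": False, "version": None,
              "cipher": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return result                    # plaintext-only server
            result["starttls"] = True
            smtp.starttls(context=strict_context(verify_cert))
            # After STARTTLS, smtp.sock is an SSLSocket we can inspect.
            result["version"] = smtp.sock.version()    # e.g. "TLSv1.2"
            result["cipher"] = smtp.sock.cipher()      # (name, proto, bits)
            smtp.ehlo()                                # re-EHLO as RFC 3207 requires
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def classify(result: dict) -> str:
    """Turn a probe result into a one-line verdict an operator can act on."""
    if result["version"]:
        name, _proto, bits = result["cipher"]
        return f"OK: {result['version']} {name} ({bits}-bit)"
    if result["starttls"]:
        # STARTTLS was offered but no handshake completed with a TLS>=1.2
        # floor: typically a server stuck on TLS 1.0/1.1, weak DH params,
        # or (with verify_cert=True) a certificate that failed validation.
        return "FAIL: STARTTLS offered but no TLS>=1.2 handshake completed"
    if result["error"]:
        return "ERROR: " + result["error"]
    return "FAIL: server does not offer STARTTLS (plaintext only)"


if __name__ == "__main__":
    # usage: python probe.py mail.example.org [port]   (hostname is assumed)
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"
    tcp_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(classify(probe_starttls(target, tcp_port)))
```

Run it against your own MX before writing to customers: an `OK` line with TLSv1.2 or TLSv1.3 is what the thread is asking everyone to reach, and the two `FAIL` verdicts correspond to the two populations Tim describes, servers that send TLS 1.0 and servers that send no TLS at all.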