On Thu, Jan 7, 2021 at 5:57 AM Dan Malm via mailop <mailop@mailop.org>
wrote:

> On 2021-01-06 20:10, Tim Bray via mailop wrote:
> > My thoughts are `time for mail operators to pull their fingers out and
> > upgrade`.   Because we are really saying `upgrade to something less than
> > 8 years old`
>
> I fully agree. The state of TLS in the mail world is quite sad and it
> would be great if we could all agree on actually keeping our systems up
> to date... The problem is that it's not a system that I or you control
> that need updating, it's someone else's. And our business model is not
> "internet compliance police" it's providing a service that (among other
> things...) delivers emails that our customers want to send, and as long
> as the big giants in the industry are not the ones initiating this type
> of change, the reaction from customers whose mail we can't deliver will
> usually be one of "I don't care about security", "I'm just sending a
> picture of my cat so security doesn't matter for this particular mail"
> or "but (gmail|hotmail|yahoo) could send mails to this address perfectly
> fine so why can't you?"
>
> The day gmail stops delivering to servers with legacy SSL I'll be happy
> to do the same.
>

By the definition that SSL3 is legacy, that's been true for years.

I don't know enough about the different cyphers to know if we
still allow stuff that this change prohibits, though.

We do still allow administrators to create 1024-bit DKIM keys because
when we tried to change it, a large number of admins and the web-based DNS
admin consoles they used couldn't handle the larger keys. That was years
ago, though, so I don't know what the current status of those consoles is.

We should have updated our services to handle keys and rotations better,
like O365 does, but that still hasn't happened yet.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
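The 1024-bit DKIM keys Brandon mentions are easy to audit from the receiving or sending side: the `p=` tag of the selector's TXT record is a base64 DER SubjectPublicKeyInfo, and the RSA modulus length can be read out of it with a few lines of DER walking. The checker below is an added example written for this page, not code from the thread or from any operator named in it. It uses only the Python standard library, and the records it inspects are constructed inline (the moduli are stand-in integers of the right bit length, not real keys); the `build_rsa_spki` encoder exists only to manufacture those samples.

```python
"""Report the RSA key size advertised in a DKIM DNS TXT record.

Standard library only. The sample records are CONSTRUCTED for this example:
the moduli are integers of the chosen bit length, not real RSA keys.
"""
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption 1.2.840.113549.1.1.1


# --- minimal DER encoder, used only to build the sample records -------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    # one extra byte when the top bit is set keeps the INTEGER positive
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def build_rsa_spki(n, e=65537):
    """SubjectPublicKeyInfo for an RSA key, the format a DKIM p= tag carries."""
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


# --- minimal DER decoder, the part a receiver actually needs ----------------

def _read_tlv(buf, pos):
    """Return (tag, contents, position after this element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Walk SPKI -> BIT STRING -> RSAPublicKey and return the modulus bit length."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, pos = _read_tlv(body, 0)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _read_tlv(body, pos)
    if tag != 0x03 or bitstr[0] != 0:       # first byte is the unused-bits count
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr, 1)
    tag, modulus, _ = _read_tlv(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("RSAPublicKey modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' and drop the whitespace that DNS consoles
    insert when a long p= value is folded across several TXT strings."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def assess_dkim_key(txt, minimum_bits=2048):
    """Return (key_type, bits, acceptable). An empty p= means the selector
    has been revoked (RFC 6376 section 3.6.1) and is reported as 0 bits."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unexpected DKIM record version")
    key_type = tags.get("k", "rsa")
    p = tags.get("p", "")
    if p == "":
        return key_type, 0, False
    der = base64.b64decode(p, validate=True)
    if key_type == "ed25519":               # RFC 8463: p= is the raw 32-byte key
        return key_type, len(der) * 8, len(der) == 32
    if key_type != "rsa":
        raise ValueError("unsupported k=%s" % key_type)
    bits = rsa_modulus_bits(der)
    return key_type, bits, bits >= minimum_bits


def sample_record(bits):
    """Constructed record with a stand-in modulus of the given size (not a real key)."""
    spki = build_rsa_spki((1 << (bits - 1)) | 1)
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    for label, rec in [("1024-bit legacy", sample_record(1024)),
                       ("2048-bit", sample_record(2048)),
                       ("revoked", "v=DKIM1; k=rsa; p=")]:
        print(label, assess_dkim_key(rec))
```

Run against a real selector, `assess_dkim_key` takes the concatenated TXT strings exactly as returned by the resolver; the whitespace stripping in `parse_dkim_record` is what makes records folded by a web DNS console (the case Brandon describes) parse the same as a single-string record.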
