Hello list, I am the founder/developer of Hardenize. I was alerted to this thread by one or two participants (thanks!) and I thought it would be a good idea to join the list to respond. (I don't have an earlier email from the same thread to respond to, but perhaps reusing the same subject may do the trick.) I've read the entire thread and here are my thoughts:
- Wherever you're seeing unexpected results, the root cause is probably some sort of server throttling of our connections. To discover all supported TLS suites we need one connection per suite, and then we do that for each protocol separately. If in doubt, whitelist outbound.hardenize.com and try again.

- At present our report tries to be factual, without any recommendations except for the obvious. As a rule of thumb, if the report card (left) shows orange or red, that's because something is broken or clearly insecure. We may show additional orange and red on the right, but we often do that to call out some insecure elements. For example, TLS 1.0 as a protocol is weak and we need to call it out as such, even if it's all right (or acceptable) to use with SMTP.

- As a rule of thumb, I think it would be very difficult for a commercially-viable operation to eliminate all the warnings.

- When it comes to SMTP and TLS, we think that servers should support modern protocols (so TLS 1.2 or better) with forward secrecy. That's pretty much it, except for some protocol elements that are so dangerous that they could be used to compromise other servers (e.g., HTTPS). We have different (stricter) requirements when MTA-STS is enabled.

- Re DMARC, at this point I believe we factually report on whether DMARC is supported, without endorsing a particular configuration. When we start to recommend it, we will add more content to describe the caveats.

If you have specific objections and recommendations, I'd appreciate it if you could open a ticket here https://github.com/hardenize/hardenize-public/issues and we'd be happy to discuss and learn. Please bear in mind that our report is by no means complete today; we're on a journey and we have a pretty long to-do list internally of things we wish to work on and improve.

Many thanks.

-- Ivan
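The first point in the message above (one handshake per suite, repeated per protocol, and throttling showing up as "unexpected results") is easy to see in code. The following is an added example written for this thread; it is not Hardenize's scanner or any code from the list. The candidate suite list, the host/port arguments, the hypothetical `probe_fn` injection point and the "any untested probe means possible throttling" heuristic are all illustrative assumptions. The point it makes is the one a practitioner should take from Ivan's remark: a scanner must keep "the server rejected this suite" (it answered with a TLS alert) apart from "the connection was refused, reset or timed out", because only the first is evidence that the suite is unsupported.

```python
"""Cipher-suite enumeration done the way a scanner has to do it:
one TLS handshake per candidate suite, repeated separately for each
protocol version, with transport failures (the symptom of connection
throttling) reported as 'untested' rather than 'rejected'.

Added example for the Hardenize thread; not Hardenize's code.
Host/port, the candidate list and the throttling heuristic are assumptions.
"""
import socket
import ssl
import sys
from collections import defaultdict

# Python's ssl module lets set_ciphers() select TLS <= 1.2 suites only, so
# that is what this example enumerates; TLS 1.3 suites are controlled by a
# different OpenSSL knob that the stdlib does not expose.
PROTO_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

# Constructed candidate list (OpenSSL names). A real scanner walks the whole
# IANA registry, which is why it needs so many connections per host.
CANDIDATE_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",   # static RSA key exchange: no forward secrecy
    "AES256-SHA",          # CBC + static RSA: neither forward secrecy nor AEAD
]


def has_forward_secrecy(suite):
    """Ephemeral (EC)DH key exchange is what gives a suite forward secrecy."""
    return suite.startswith(("ECDHE-", "DHE-"))


def classify_error(exc):
    """Map a failed handshake to a verdict.

    'rejected': the server answered with a TLS alert, so it really does not
                offer this suite on this protocol.
    'untested': refused / reset / timeout / EOF, or a local OpenSSL policy
                error. This is what throttling looks like; it is not evidence
                about the server's configuration and must not be reported as
                "unsupported".
    """
    reason = getattr(exc, "reason", None) or ""
    if isinstance(exc, ssl.SSLError) and "ALERT" in reason:
        return "rejected"
    return "untested"


def probe(host, port, proto, suite, timeout=5.0):
    """One handshake offering exactly one suite on exactly one protocol."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # we probe suites, not trust
        ctx.minimum_version = ctx.maximum_version = PROTO_VERSIONS[proto]
        ctx.set_ciphers(suite)               # raises if local OpenSSL lacks it
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"            # only one suite was offered
    except (OSError, ValueError) as exc:     # ssl.SSLError is an OSError
        return classify_error(exc)


def enumerate_suites(host, port, probe_fn=probe,
                     protos=PROTO_VERSIONS, suites=CANDIDATE_SUITES):
    """len(protos) * len(suites) connections; result[proto][verdict] -> suites."""
    results = {proto: defaultdict(list) for proto in protos}
    for proto in protos:
        for suite in suites:
            results[proto][probe_fn(host, port, proto, suite)].append(suite)
    return results


def assess(results):
    """The bar from the thread: TLS 1.2 or better with forward secrecy.
    Any 'untested' probe flags the run as possibly throttled (assumed heuristic)."""
    accepted_12 = results.get("TLSv1.2", {}).get("accepted", [])
    untested = sum(len(r.get("untested", [])) for r in results.values())
    return {
        "modern_with_fs": any(has_forward_secrecy(s) for s in accepted_12),
        "non_fs_suites": sorted(s for r in results.values()
                                for s in r.get("accepted", [])
                                if not has_forward_secrecy(s)),
        "possibly_throttled": untested > 0,
    }


if __name__ == "__main__":
    # Usage: python3 enum_suites.py mail.example.com 443
    target, target_port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    scan = enumerate_suites(target, target_port)
    for proto, verdicts in scan.items():
        print(proto, dict(verdicts))
    print(assess(scan))
```

Run against a real host, the script makes 21 connections (3 protocols times 7 suites); with the full registry a scanner makes hundreds, which is exactly the burst that rate limiters trip on. If the output shows `possibly_throttled: True`, the missing suites are not evidence of anything, and the right response is the one in the message: allow the scanner's source and rerun, or space the probes out.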