On Wed, Jul 28, 2021 at 04:39:39PM +0200, Josh Good <postfix.2016...@naleco.com> wrote:
> Hello everybody.
>
> I've been made aware of this communication recently received at some
> site whose email is managed on-premises (i.e., not outsourced to any
> big mailbox provider in the "cloud"):
>
> > From: Rhenus Logistics <no_re...@es.rhenus.com>
> > Sent: 30 June 2021 17:05
> > To: [omitted]
> > Subject: Email con TLS inferior a 1.2 / Email with TLS less than 1.2
> >
> > Good Afternoon,
> > We inform you that due to Rhenus security policies, as of 08/01/2021
> > receiving of emails that do not comply with version 1.2 of the TLS
> > protocol will be restricted.
> > All emails sent in particular to the domain @es.rhenus.com and in
> > general to any Rhenus domain @*.rhenus.com must be sent with the TLS
> > 1.2 protocol or higher.
> > Any mail received without fulfilling this condition will be rejected
> > by our server.
> > Please forward this message to your IT department for consideration
> > and action.
> > If you have any questions, please head over to your Rhenus contact.
> >
> > IT //SERVICES
>
> The above could mean that starting 08/01/2021 their TLS support will
> only support TLS 1.2 (and not any earlier TLS version) with their
> inbound SMTP servers remaining configured in "opportunistic TLS" mode
> --- or it could be read as if they will enable "smtpd_enforce_tls = yes"
> (or "smtpd_tls_security_level = encrypt") in their inbound SMTP servers
> (I don't know if they are using Postfix, but you get what I mean).
>
> If the case is the second one, is that a current trend? Has rfc2487
> been obsoleted and mandatory TLS is now considered "industry standard"
> in publicly-referenced SMTP servers?
>
> I've tried to contact Rhenus IT Services to inquire about this, but my
> phone calls haven't gone through. So I thought I may as well ask this
> list if this is a single case or the "new normal"...
>
> Regards,
>
> --
> Josh Good

Hi,

RFC2487 has been obsoleted, but only because it's been replaced by
RFC3207, and then further updated by RFC7817.
It hasn't gone away. It's just been updated.

Disabling plaintext/STARTTLS SMTP would be courageous. :-)

On my little personal mail server, 75% of incoming connections to
port 25 are plaintext. Only 25% use STARTTLS (by definition).
Disabling STARTTLS would be a disaster, and stop all incoming mail.

Of my incoming TLS connections, almost none of them are TLSv1.0 and
none are TLSv1.1. In the past month, the numbers are:

  TLSv1.0     6
  TLSv1.1     0
  TLSv1.2 21902
  TLSv1.3  4334

And the TLSv1.0 connections were all attempts at spam.

Disabling TLSv1.0 and TLSv1.1 is probably mostly harmless, and they
have been deprecated (RFC8996). At least, nobody will lose their job
for disabling TLSv1.0 and TLSv1.1. :-) But the known flaws have been
mitigated, so it doesn't actually matter (yet). But if any other flaw
is discovered, I wouldn't expect it to be fixed. So leaving TLSv1.0
active means accepting the responsibility of keeping an eye out for
the next flaw to be published, and disabling it then.

I'm sure that Rhenus will still use STARTTLS on port 25. They'll just
require STARTTLS to be used and they'll only support TLSv1.2+.

The only alternative would be to close port 25, use port 465 (TLS-only)
instead, and hope that all mail servers that want to send them email
try to use port 465. But that's not going to happen.

cheers,
raf
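The per-version tally raf quotes can be produced from a Postfix mail log. The following Python script, added here as an illustration and not part of raf's post or of Postfix itself, counts smtpd sessions by TLS version over a constructed log sample and reports the share of TLS sessions that would stop working once a server accepts only TLS 1.2 and later (controlled in Postfix by the smtpd_tls_protocols setting). It assumes logs in the syslog format that Postfix's smtpd(8) writes; the sample lines are constructed, not captured.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd(8) log lines, not captured from a real server.
SAMPLE_LOG = """\
Jul 28 10:00:01 mx postfix/smtpd[1001]: connect from mta-a.example.net[192.0.2.10]
Jul 28 10:00:01 mx postfix/smtpd[1001]: Anonymous TLS connection established from mta-a.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jul 28 10:00:02 mx postfix/smtpd[1001]: disconnect from mta-a.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jul 28 10:00:05 mx postfix/smtpd[1002]: connect from unknown[198.51.100.7]
Jul 28 10:00:05 mx postfix/smtpd[1002]: disconnect from unknown[198.51.100.7] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Jul 28 10:00:09 mx postfix/smtpd[1003]: connect from mta-b.example.org[203.0.113.5]
Jul 28 10:00:09 mx postfix/smtpd[1003]: Trusted TLS connection established from mta-b.example.org[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 28 10:00:12 mx postfix/smtpd[1004]: connect from old-relay.example.com[192.0.2.44]
Jul 28 10:00:12 mx postfix/smtpd[1004]: Untrusted TLS connection established from old-relay.example.com[192.0.2.44]: TLSv1 with cipher AES256-SHA (256/256 bits)
"""

CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from ")
# OpenSSL names TLS 1.0 plain "TLSv1" in these lines; later versions are "TLSv1.2" etc.
TLS_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from \S+: (TLSv1(?:\.\d)?|SSLv\d) with cipher"
)
LEGACY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

def summarize_smtpd_tls(log_text):
    """Return (sessions, Counter of TLS versions, plaintext sessions).
    A session is one 'connect from' line; plaintext is approximated as sessions
    without a 'TLS connection established' line, so failed handshakes count too."""
    sessions, versions = 0, Counter()
    for line in log_text.splitlines():
        if CONNECT_RE.search(line):
            sessions += 1
            continue
        m = TLS_RE.search(line)
        if m:
            versions["TLSv1.0" if m.group(1) == "TLSv1" else m.group(1)] += 1
    return sessions, versions, sessions - sum(versions.values())

def legacy_tls_share(versions):
    """Fraction of TLS sessions below TLS 1.2: what would stop working once
    smtpd_tls_protocols excludes TLSv1 and TLSv1.1."""
    total = sum(versions.values())
    return sum(n for v, n in versions.items() if v in LEGACY) / total if total else 0.0

if __name__ == "__main__":
    sessions, versions, plaintext = summarize_smtpd_tls(SAMPLE_LOG)
    print(f"sessions={sessions} plaintext={plaintext}")
    for version, count in sorted(versions.items()):
        print(f"{version:<8} {count}")
    print(f"share of TLS sessions below 1.2: {legacy_tls_share(versions):.0%}")
```

Run it against a real mail log with `summarize_smtpd_tls(open("/var/log/mail.log").read())`; the plaintext figure is an upper bound because a client whose STARTTLS handshake fails leaves only a connect line.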