> On May 19, 2019, at 1:00 PM, Cyborg via Exim-users <exim-users@???> wrote:
>
> Problem is, that even if tls_1.2 is out since 2008, a communication
> partner may use SSLv3 or TLS 1.0/1.1 and using just "encrypted = *" ,
> you will accept it.
My advice is to avoid knee-jerk reactions to mostly HTTP-related
risks in SSL/TLS and adopt a crypto-maximalist posture with SMTP.
Unlike interactive web browsing, MTA-to-MTA SMTP has no user to
"click OK" when an unimportant site they're visiting (today's
weather, not their bank) has no SSL, an expired certificate, ...
Since LOGJAM and DROWN, the SMTP MTA "ecosystem" has moved on
from "export" ciphers and SSL2/SSL3. You can now without loss
of interoperability expect at least 128-bit ciphers and TLS 1.0.
Which are adequate for SMTP, and better than cleartext. I am
not aware of any cross-protocol attacks against TLS 1.2 via
servers that use the same certificate with TLS 1.0/1.1. And
you really don't have to and shouldn't use the same certificate
across multiple unrelated services.
> It's better to check the protocol via $tls_cipher for tls 1.2 and 1.3 ,
> and reject anything not 1.2 or 1.3.
>
> If you're in the EU, you need to consider this, as §32 EU GDPR states
> "the used technique(Encryption) to protect the transport of personal
> data has to be state of the art" aka TLS 1.2 or 1.3 .
From the Gmail transparency report:
https://transparencyreport.google.com/safer-email/overview
we see that some ~10% of email traffic is presently cleartext (not
even TLS 1.0). Some major sources and destinations that never
or only sometimes use TLS are:
Top domains (World): Inbound
Domain %
From: adobe.com via adobesystems.com 87%
From: aliexpress.com via alibaba.com 0%
From: cmail19.com via createsend.com 92%
From: cmail20.com via createsend.com 91%
From: costco.com 0%
From: cuenote.jp 90%
From: emergencyemail.org 0%
From: infusionmail.com 95%
From: secureserver.net 59%
From: timesjobs.com via tbsl.in 0%
Top domains (World): Outbound
Domain %
To: alice.it via aliceposta.it 0%
To: amazon.{...} 60%
To: bigpond.com 0%
To: btinternet.com via cpcloud.co.uk 0%
To: docomo.ne.jp 0%
To: ezweb.ne.jp 0%
To: nauta.cu via etecsa.net 0%
To: softbank.jp 0%
To: uol.com.br 0%
To: yahoo.co.jp 0%
For Europe the top non-TLS peers are:
Top domains (Europe): Inbound
Domain %
From: adidas.com via neolane.net 92%
From: bebee.com 0%
From: bloglovin.com 0%
From: gog.com 27%
From: kuponya.net 0%
From: mail-cdiscount.com 0%
From: meetic.com 87%
From: radar-de-novidades.com 0%
From: seniorplanet.fr 0%
From: useinsider.com 44%
Top domains (Europe): Outbound
Domain %
To: alice.it via aliceposta.it 0%
To: amazon.{...} 0%
To: btinternet.com via cpcloud.co.uk 0%
To: istruzione.it 0%
To: leboncoin.fr 0%
To: pole-emploi.net via prosodie.com 0%
To: sch.gr 0%
To: t-online.hu 0%
To: tin.it 0%
To: tiscali.it 0%
--
Viktor.
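Before choosing between the two positions in this thread (reject anything below TLS 1.2, or accept TLS 1.0 with 128-bit ciphers as better than cleartext), an operator can measure what their own inbound peers actually negotiate. The following is an added example, not code from the thread or from the Exim project: it tallies the protocol versions recorded in Exim main-log arrival lines and reports what share of sessions a "TLS 1.2/1.3 only" policy would have turned away. It assumes Exim's `X=<protocol>:<cipher>:<bits>` log field format; the log lines themselves are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample Exim main-log lines (not taken from the thread). Arrival
# lines carry "<= sender", the X= field carries "<protocol>:<cipher>:<bits>",
# and a line with P=esmtp but no X= field was a cleartext session.
SAMPLE_LOG = """\
2019-05-19 13:01:02 1hS3Ab-0001Ab-Cd <= alice@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2048
2019-05-19 13:02:10 1hS3Ac-0001Ac-De <= bob@example.net H=mx.example.net [192.0.2.20] P=esmtps X=TLS1.0:AES128-SHA:128 CV=no S=1500
2019-05-19 13:03:44 1hS3Ad-0001Ad-Ef <= carol@example.com H=smtp.example.com [192.0.2.30] P=esmtp S=900
2019-05-19 13:04:01 1hS3Ad-0001Ad-Ef => dave@localdomain.test R=local_user T=local_delivery
2019-05-19 13:05:27 1hS3Ae-0001Ae-Fg <= erin@example.edu H=mail.example.edu [192.0.2.40] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes S=3100
2019-05-19 13:06:09 1hS3Af-0001Af-Gh <= frank@example.info H=relay.example.info [192.0.2.50] P=esmtps X=TLS1.0:EXP-RC4-MD5:40 CV=no S=700
"""

# X=<protocol>:<cipher>:<bits>, e.g. X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256
TLS_FIELD = re.compile(r"\bX=(?P<proto>[A-Za-z0-9.]+):(?P<cipher>[^:\s]+):(?P<bits>\d+)")

# Viktor's stated floor for SMTP: 128-bit symmetric ciphers.
MIN_BITS = 128


def classify(line):
    """Return (protocol, cipher, bits) for one log line; cleartext lines yield ('cleartext', None, 0)."""
    m = TLS_FIELD.search(line)
    if not m:
        return ("cleartext", None, 0)
    return (m.group("proto"), m.group("cipher"), int(m.group("bits")))


def summarize(log_text):
    """Count inbound sessions per protocol and collect TLS sessions below MIN_BITS."""
    counts = Counter()
    weak = []
    for line in log_text.splitlines():
        if " <= " not in line:  # only message arrivals, not local deliveries
            continue
        proto, cipher, bits = classify(line)
        counts[proto] += 1
        if proto != "cleartext" and bits < MIN_BITS:
            weak.append((proto, cipher, bits))
    return counts, weak


def rejected_share(counts, accepted=("TLS1.2", "TLS1.3")):
    """Fraction of inbound sessions that fall outside the accepted protocol set."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    kept = sum(counts[p] for p in accepted)
    return (total - kept) / total


if __name__ == "__main__":
    counts, weak = summarize(SAMPLE_LOG)
    for proto, n in sorted(counts.items()):
        print(f"{proto:10s} {n}")
    print(f"below {MIN_BITS}-bit: {weak}")
    print(f"share turned away by a TLS 1.2/1.3-only policy: {rejected_share(counts):.0%}")
```

Run against a real `mainlog` instead of `SAMPLE_LOG`, the rejected share is the interoperability cost of the strict policy, and the `weak` list shows whether any peer still falls under the 128-bit floor Viktor considers the practical minimum.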