Mailing List CGatePro@mail.stalker.com Message #106994
From: Ralf Zenklusen, BAR Informatik AG r.zenklusen@barinformatik.ch <CGatePro@mail.stalker.com>
Subject: AW: TLS Sessions - current state of affairs
Date: Fri, 26 Oct 2018 10:47:23 +0200
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.52.54.12/1.54.12.21
Hi Tom,
sending has been getting more difficult for quite some time.
It seems that one or the other vendor changed the behaviour for TLS/SSL and they don't allow weak/old ciphers or TLS versions anymore.
But I'm sure there are still many old systems out there that need these weak/old ciphers and TLS versions.

Right now we still use "Secure wherever possible" with TLS 1.1 default. But with the above constellation the exception lists for sending plain get longer every day.

We'll switch to "TLS 1.2 with strong ciphers only" soon. Maybe 1.1 - still needs some testing.
This in combination with "Secure wherever possible" and the feature from 6.2.9 "decrease the security of the next delivery attempt until plain" should result in good security with good compatibility.
In that case you will use plain with old systems, but they don't care and you can't change it.

Receiving is usually much less of a problem because CGate supports almost everything.

In any case you can use CGate's "Send Encrypted", "Require TLS", client certs, DANE etc. to further improve security - if you need to.

Regards
Ralf
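The policy Ralf describes ("TLS 1.2 with strong ciphers only" for outgoing sessions, with weak/old ciphers disabled) can be checked at the OpenSSL level from the sending side. The following is an added example, not code from the original post and not CommuniGate Pro's own configuration or API: it builds a client context with the restrictive policy, then inspects what the local OpenSSL build would actually offer, so an admin can confirm that no RC4/DES/NULL/MD5 suites or sub-128-bit suites survive before enabling such a setting on a production relay. The cipher string and the `weak_ciphers` heuristic are assumptions of this example.

```python
import ssl

# Cipher string assumed for the "strong ciphers only" policy (example choice):
# HIGH-strength suites only, no anonymous or NULL encryption, no RC4/3DES/MD5.
STRONG_CIPHERS = "HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5"

# Substrings that mark a suite as "weak/old" in the sense discussed in the thread
# (assumed list; extend to taste).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def strong_context() -> ssl.SSLContext:
    """Client-side context equivalent to 'TLS 1.2 with strong ciphers only'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the "Oldest Accepted" knob
    ctx.set_ciphers(STRONG_CIPHERS)                 # the "Weak Ciphers" knob
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Return the names of enabled suites that are weak by name or by key size."""
    offenders = []
    for suite in ctx.get_ciphers():  # dicts with 'name', 'protocol', 'strength_bits', ...
        name = suite["name"]
        if suite["strength_bits"] < 128 or any(m in name for m in WEAK_MARKERS):
            offenders.append(name)
    return offenders


def describe_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise a context the way an admin would want to see it before rollout."""
    return {
        "min_version": ctx.minimum_version.name,
        "cipher_count": len(ctx.get_ciphers()),
        "weak_ciphers": weak_ciphers(ctx),
    }


if __name__ == "__main__":
    summary = describe_policy(strong_context())
    print(f"minimum protocol : {summary['min_version']}")
    print(f"suites offered   : {summary['cipher_count']}")
    print(f"weak suites left : {summary['weak_ciphers'] or 'none'}")
```

Running this against the local OpenSSL build shows the exact suite list a sending session would offer under that policy; an empty "weak suites left" line is the precondition for the "secure wherever possible, then step down to plain on retry" approach to be a real gain rather than a silent downgrade to an old cipher.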

-----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com]
Sent: Friday, 26 October 2018 09:02
To: CommuniGate Pro Discussions
Subject: Re: TLS Sessions - current state of affairs

Thanks for your response, Tom. I’m well aware of the tradeoff. However, I’m curious if someone has recently experimented with settings other than the most lenient ones. I mean, it might be that, for example, dropping SSLv3 support wouldn’t be a significant tradeoff anymore.


> On 25 Oct 2018, at 20:45, Tom Rymes trymes@rymes.com <CGatePro@mail.stalker.com> wrote:
>
> I don't think anything has changed? My understanding is that, in the context of a mail server, which will generally accept new messages in plaintext, fretting about the encryption strength of the TLS session is often considered to be excessive.
>
> The tradeoff is deliverability vs. encryption strength, as if you require encryption from everywhere, and/or require strong encryption, the list of servers that will be able to successfully exchange mail with your server will rapidly grow to be very short.
>
> It is up to each admin to choose the proper tradeoff for their needs?
>
> Tom
>
> On 10/25/2018 1:28 PM, Palvelin Postmaster postmaster@palvelin.fi wrote:
>>> On 16 Oct 2018, at 10:09, Palvelin Postmaster postmaster@palvelin.fi <CGatePro@mail.stalker.com> wrote:
>>>
>>> I wonder what the current state of affairs is with the various TLS Sessions options regarding old/insecure ciphers.
>>>
>>> Can/should the CBS and Weak Ciphers options already be disabled and what should the Oldest Accepted option be set to?

Palvelin.fi Hostmaster
postmaster@palvelin.fi

