Re: IETF mail server and SSLv3

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 05 February 2016 22:46 UTC

Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Subject: Re: IETF mail server and SSLv3
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAMm+LwiSEvLLEXn=+sXzhN_X1hWFqhd1HhmfU3TiSauL=JOnRA@mail.gmail.com>
Date: Fri, 05 Feb 2016 16:48:07 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <6FC25506-7791-45A8-9A30-F0A2660A0450@dukhovni.org>
References: <01PWBMOLI82000008P@mauve.mrochek.com> <20160205211042.74052.qmail@ary.lan> <CAMm+LwiSEvLLEXn=+sXzhN_X1hWFqhd1HhmfU3TiSauL=JOnRA@mail.gmail.com>
To: ietf@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/MoXpIhabNiF4-zonbt1s1DqXPg8>
Precedence: list
Reply-To: ietf@ietf.org

> On Feb 5, 2016, at 4:40 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> 
> I would be surprised by any legitimate SSL3 mail because the STARTTLS
> spec came long after TLS 1.0 was settled.

Surprise!

http://www.engardelinux.org/modules/index/list_archives.cgi?list=postfix-users&page=0279.html&month=2013-09

But that was in 2013, and my response was:

  As I mentioned, at this time, deprecating SSLv3 is most likely 
  counter-productive. I am hoping that in a couple of years it will 
  be a practical default for the SMTP client only, where you can 
  define exceptions for problem destinations via smtp_tls_policy_maps. 

  A polite note to their postmaster linking to this thread may 
  encourage them to start making plans to upgrade to inbound systems 
  that can support TLSv1 and up (strictly speaking the STARTTLS EHLO 
  response in SMTP promises support of TLS an IETF standard, not SSLv3).

The timeline for SSLv3 deprecation turned a bit better than I expected,
(for various reasons that were hard to predict in 2013), so at this point
"no SSLv2/SSLv3" is a good choice for both SMTP clients and servers.

-- 
	Viktor.

Re: IETF mail server and SSLv3 Lixia Zhang
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 John Levine
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
IETF mail server and SSLv3 IETF Chair
Re: IETF mail server and SSLv3 tom p.
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Jari Arkko
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Jari Arkko
Re: IETF mail server and SSLv3 Derek Atkins
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Lixia Zhang
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 Martin Rex
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Solarus
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Solarus
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Martin Rex
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Russ Housley
Re: IETF mail server and SSLv3 Randy Bush
Re: IETF mail server and SSLv3 Stephen Farrell
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Doug Barton
RE: IETF mail server and SSLv3 Christian Huitema