Open psychofaktory opened 2 years ago
I am a bit reluctant in dropping <TLSv1.2 (at least by default) just yet. Unlike web browsers that get new versions relatively quickly and where old versions not supporting new protocols are dropped almost as soon as they are considered obsolete, some mail servers might still be running legacy software that doesn't support TLSv1.2. MIAB (and by consequence this fork, too) even supports mail to be sent or received in the clear if the other side doesn't support encryption.
According to Google, a chunk of the mail is still delivered in plaintext: https://transparencyreport.google.com/safer-email?hl=en
This said, there are some parameters that can for sure be improved without compromising compatibility too much. I'll be looking into that in the following days :)
Thanks for this! The greatest possible compatibility should of course remain guaranteed. But MIAB has always stood for authenticity and security. Especially this great fork I see as a pioneer regarding modern standards. I think a compromise should be found here.
Holding on to old standards for compatibility reasons ultimately only leads to a slow decline in their spread globally.
An example for commercial and very common mail service providers with modern standards are: gmail.com posteo.de
Not a lot, essentially I've updated the list of very old cipher suites that shouldn't even be used at all and enabled the server suite preference (i.e. the server picks the cipher algorithm), but that should bring it a bit closer to what you're aiming for.
As test tools show, this area should be adjusted somewhat: https://www.hardenize.com/report/duqued.net/1644785601#email_tls https://tls.imirhil.fr/smtp/duqued.net https://www.immuniweb.com/ssl/central.duqued.net/KK1XjNVd/
TLSv1.0 and TLSv1.1 should be disabled, the used Cipher-Suites and ECDH curves and their order should be reviewed, so that the server meets the current security standards. I have found a recommendation for this here: https://ciphersuite.info/cs/?tls=tls12&security=recommended&software=openssl&sort=desc&singlepage=true
I found a description for the required adjustments here: https://the-digital-native.de/?p=26
The tests also indicate that the nginx configuration of the web server could still be improved: https://securityheaders.com/?q=central.duqued.net&hide=on&followRedirects=on