This article applies to:
- Trustwave MailMarshal (SEG)
- TLS transport for email
Question:
- Does MailMarshal (SEG) block "older TLS" versions by default?
- What versions of TLS does MailMarshal (SEG) accept?
Reply:
Some standards, such as PCI DSS, require SMTP servers to remove support for TLS v1.0 and TLS v1.1. However, this requirement is contentious.
- Most vulnerabilities require the ability to replay the same session, which is only easily achieved with HTTPS (web) connections. No attacks have been reported against SMTP secured traffic.
- There is no simple solution like "upgrade your end user browser" for email. Many SMTP endpoints run old software and, sometimes, administrators are not even aware their servers do not support higher TLS versions.
Trustwave's current stance is as follows:
- SEG allows each customer to choose the versions of TLS that they use and accept.
- SEG will support TLS v1.0 and TLS v1.1 for SMTP as long as the third party TLS/SSL library includes support for these versions. As of late 2023, support for these versions continues but v1.0 in particular is strongly deprecated.
- Statistical data from Trustwave customers and Trustwave's own SEG installations indicate more than 10% of legitimate inbound SMTP traffic still uses the TLS v1.0 protocol, with no support for higher protocols (SMTP servers negotiate the highest available level).
- Data on outbound traffic shows between 5% and 10% using TLSv1.0.
- Based on the above data, Trustwave has no plans to disable TLS v1.0 or TLS v1.1 by default.
- Two large and security conscious vendors still accept TLS v1.0 and TLS v1.1 (Office365 and Gmail/GSuite).
Customers can determine the number of connections using TLS v1.0 and TLS v1.1 by analyzing their SEG log files. These files show the TLS version used to communicate with the remote client/server. Customers may choose to disable these protocols for the sender and/or the receiver based on their analysis and business needs.
Notes:
SEG 10.X adds support for TLSv1.3.