Hello, welcome to the Wednesday, August 28, 2019 edition of the Sandstone Storms and Stormers Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Based on a question from a couple weeks ago from Michael Vance about whether or not it's safe to require TLS or turn off older versions of TLS for email.

I did a little experiment to figure out whether or not large email providers are now accepting

email using TLS and if they are supporting TLS 1.2. Over the last few years of course

there has been a lot of emphasis on TLS configurations for web servers but other

servers like email of course are using TLS, and they often have been sort of neglected.

And what I found kind of confirms that, yes, most email providers and somewhere around 90% are

supporting TLS, are supporting TLS, but there are a couple outliers.

Now, I've found only one provider that supports TLS and only supports TLS 1.0.

There are a few providers, however, that don't support TLS at all. And of course, that makes it difficult to enforce

the use of TLS. The largest ISP within the United States that doesn't support TLS is United

Online. That's Juno and Net Zero. There are a couple of ISPs in China. Yahoo! Japan does not support TLS.

And then there are a few other countries like one Brazilian, a couple Italian ISPs that do

not support TLS at all.

Now after posting this, I got some feedback from a couple other users via Twitter.

One stated that Denmark now requires TLS for email. And the state government in Germany just

announced last week that they will only use TLS 1.2 for email and reject all other TLS connections.

Now, based on my results, I personally think it's a little bit too early to outright require

TLS. You will run into some issues. I don't have a good handle as to how many email users

are behind these ISPs that don't support TLS.

...