Use of TLS
for Email Submission and Access
cyberstorm.mu
88 Avenue De Plevitz Roches Brunes
Rose Hill
71259
Mauritius
+230 59762817
logan@cyberstorm.mu
Trinity College Dublin
Dublin
2
Ireland
+353-1-896-2354
stephen.farrell@cs.tcd.ie
Internet
This specification updates current recommendation for the use of
Transport Layer Security (TLS) protocol to provide confidentiality of email
between a Mail User Agent (MUA) and a Mail Submission Server or Mail Access
Server. This document updates RFC8314.
defines the minimum recommended version for TLS as version 1.1.
Due to the deprecation of TLS 1.1 in ,
this recommendation is no longer valid. Therefore this document updates
so that the minimum version for TLS is TLS 1.2.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in when they
appear in ALL CAPS. These words may also appear in this document in
lower case as plain English words, absent their normative meanings.
OLD:
"4.1. Deprecation of Services Using Cleartext and TLS Versions Less Than 1.1"
NEW:
"4.1. Deprecation of Services Using Cleartext and TLS Versions Less Than 1.2"
OLD
"As soon as practicable, MSPs currently supporting Secure Sockets
Layer (SSL) 2.x, SSL 3.0, or TLS 1.0 SHOULD transition their users
to TLS 1.1 or later and discontinue support for those earlier
versions of SSL and TLS."
NEW:
"As soon as practicable, MSPs currently supporting Secure Sockets
Layer (SSL) 2.x, SSL 3.0, TLS 1.0 or TLS 1.1 SHOULD transition their users
to TLS 1.2 or later and discontinue support for those earlier
versions of SSL and TLS."
OLD:
In Section 4.1, the text should be revised from:
"It is RECOMMENDED that new users be required to use TLS version 1.1
or greater from the start. However, an MSP may find it necessary to
make exceptions to accommodate some legacy systems that support only
earlier versions of TLS or only cleartext."
NEW:
"It is RECOMMENDED that new users be required to use TLS version 1.2
or greater from the start. However, an MSP may find it necessary to
make exceptions to accommodate some legacy systems that support only
earlier versions of TLS or only cleartext."
OLD:
"
If, however, an MUA provides such an indication, it
MUST NOT indicate confidentiality for any connection that does not
at least use TLS 1.1 with certificate verification and also meet
the minimum confidentiality requirements associated with that
account.
"
NEW:
"
If, however, an MUA provides such an indication, it
MUST NOT indicate confidentiality for any connection that does not
at least use TLS 1.2 with certificate verification and also meet
the minimum confidentiality requirements associated with that
account.
"
OLD
"
MUAs MUST implement TLS 1.2 or later. Earlier TLS and
SSL versions MAY also be supported, so long as the MUA requires at
least TLS 1.1 when accessing accounts that are
configured to impose minimum confidentiality requirements.
"
NEW:
"
MUAs MUST implement TLS 1.2 or later e.g TLS 1.3 . Earlier TLS and
SSL versions MAY also be supported, so long as the MUA requires at
least TLS 1.2 when accessing accounts that are
configured to impose minimum confidentiality requirements.
"
OLD:
"
The default minimum expected level of confidentiality for all new
accounts MUST require successful validation of the server's
certificate and SHOULD require negotiation of TLS version 1.2 or
greater. (Future revisions to this specification may raise these
requirements or impose additional requirements to address newly
discovered weaknesses in protocols or cryptographic algorithms.
"
NEW:
"
The default minimum expected level of confidentiality for all new
accounts MUST require successful validation of the server's
certificate and SHOULD require negotiation of TLS version 1.2 or
greater. (Future revisions to this specification may raise these
requirements or impose additional requirements to address newly
discovered weaknesses in protocols or cryptographic algorithms.
"
None of the proposed measures have an impact on IANA.
The purpose of this document is to document updated recommendations
for using TLS with Email services. Those recommendations are based on
.
The authors would like to thank Vittorio Bertola for his feedback.