Deprecation of TLS version 1.0
For most people, it’s been looming pretty silently over the past few years, but TLS v1.0, the earliest version of Transport Layer Security, is considered deprecated. The Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 from April 2016 recommends full deprecation by the end of June 2018.
In compliance with this standard, which originates from the payment card industry but is widely regarded as a guiding standard for other industries, Kolab Now has disabled support for TLS v1.0.
Why? What does that mean?
There are currently 3 versions of TLS (and a newer one on the horizon). TLS v1.0 was introduced in 1999 and allowed a downgrade to its predecessor SSL v3.0, which is now known to be broken, thus weakening security. It is furthermore theorized that it could be vulnerable in some regards, but in reality that is only the case if it has been misconfigured.
When a service provider such as Kolab Now disables TLS v1.0 on its infrastructure, it basically imposes a requirement on all clients to support TLS v1.1 or later. This isn’t a problem for any of your workstations, browsers or devices — so long as they are updated to something younger than 12 years old.
Among the clients that the Kolab Now infrastructure requires to support TLS v1.1 or later are SMTP clients: the pieces of infrastructure senders use to reach you.
As is tradition in the world of email, there’s always some infrastructure that is way out-of-date and way too old. This may include appliances that simply haven’t been updated, legacy systems lingering about, or even blackbox application servers that send mail directly.
Since we’ve disabled support for TLS v1.0, we get a number of reports every week from users complaining that they cannot receive email from certain senders. Kolab Now support staff and system administrators assist these users by determining the root cause, which is usually a TLS version negotiation error. This means the sending party uses some out-of-date software or equipment.
Provided with the information we have, our customers contact the sending party, and most of the time it turns out to have been one or two systems from among many. Sometimes, it’s that one critical legacy blackbox software appliance. Most of the time, sending parties are able to address the issue by no longer sending directly from infrastructure that does not support TLS v1.1 or later.
Symptoms for Kolab Now Customers
You appear unable to receive email from certain sending parties. It is possible only a sub-set of the communications appears to not arrive in your mailbox, as not all email communications may traverse over the same infrastructure.
What to do about it?
Contact Kolab Now support, and include the following information:
- The email address or domain name from which you expected communications that have not arrived.
- A description of the extent to which you feel this concerns all communications or a sub-set of communications.
Kolab Now support staff and system administrators will be able to determine whether or not the issue is related to the deprecation of TLS v1.0.
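An added example, not part of the original post and not Kolab Now's own tooling: one way to run the check described above, assuming the receiving MTA is Postfix built against OpenSSL (the post names neither). The log lines are constructed, and `summarize_sender` is a hypothetical helper that counts version-negotiation failures per sending host and records which TLS versions did succeed.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix smtpd log style (assumed MTA; documentation hosts/IPs).
SAMPLE_LOG = """\
Jun 12 10:01:02 mx1 postfix/smtpd[2101]: connect from legacy.example.net[192.0.2.10]
Jun 12 10:01:02 mx1 postfix/smtpd[2101]: SSL_accept error from legacy.example.net[192.0.2.10]: -1
Jun 12 10:01:02 mx1 postfix/smtpd[2101]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1661:
Jun 12 10:01:02 mx1 postfix/smtpd[2101]: lost connection after STARTTLS from legacy.example.net[192.0.2.10]
Jun 12 10:03:40 mx1 postfix/smtpd[2107]: connect from out1.example.net[192.0.2.11]
Jun 12 10:03:41 mx1 postfix/smtpd[2107]: Anonymous TLS connection established from out1.example.net[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 12 10:05:10 mx1 postfix/smtpd[2110]: SSL_accept error from scanner.example.org[198.51.100.7]: -1
Jun 12 10:05:10 mx1 postfix/smtpd[2110]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_ERR = re.compile(r"SSL_accept error from (?P<host>[^\[\s]+)\[[^\]]+\]")
ESTABLISHED = re.compile(r"TLS connection established from (?P<host>[^\[\s]+)\[[^\]]+\]: (?P<ver>TLSv[\d.]+|SSLv\d)")
# OpenSSL reason strings that point at a protocol version mismatch,
# as opposed to e.g. "no shared cipher".
VERSION_REASONS = ("unsupported protocol", "version too low")

def summarize_sender(log_text, sender_domain):
    """Per sending host under sender_domain: version failures and versions that worked."""
    suffix = "." + sender_domain.lower().lstrip(".")
    pending = {}  # smtpd pid -> host whose handshake just failed
    report = defaultdict(lambda: {"version_failures": 0, "negotiated": set()})

    def in_domain(host):
        h = host.lower()
        return h == suffix[1:] or h.endswith(suffix)

    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (e := ACCEPT_ERR.search(msg)):
            pending[pid] = e["host"]  # the reason follows on the same pid
        elif "TLS library problem" in msg and pid in pending:
            host = pending.pop(pid)
            if in_domain(host) and any(r in msg for r in VERSION_REASONS):
                report[host]["version_failures"] += 1
        elif (ok := ESTABLISHED.search(msg)) and in_domain(ok["host"]):
            report[ok["host"]]["negotiated"].add(ok["ver"])
    return dict(report)
```

Hosts are matched on the reverse-DNS name Postfix logs for the client, so a sender whose outbound hosts live under a different domain needs to be looked up by that domain or by IP instead.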
Tips for Senders
We all know how difficult it can be to maintain, update and especially upgrade certain pieces of infrastructure, especially if they are business critical. Sometimes it’s just a special-purpose system none of the system administrators touch, and it happens to fall out-of-date. No worries; here are a few tips:
- Update, upgrade or reconfigure the infrastructure allowed to send out emails to the rest of the Internet where you can.
- Use “relay” or “smart host” infrastructure to face the external Internet, so that it is under maintenance and can be kept up-to-date, even if used solely by a few legacy systems.
- Contact a supplier of software and consultancy services that has expertise with integration into large environments, such as Kolab Systems (contact sales).
If Not All Senders Are Compatible, Why Do It?
Any groupware services provider, even your own Kolab deployment, has a choice to make between deprecating TLS v1.0 (recommended per security standards) and continuing to entertain a deprecated standard.
Kolab Now is not a service provider that compromises the security, real or perceived, practical, theoretical or hypothesized, to benefit a few communication peers at the cost of all others.