
Disabling TLS 1.1 within SMTP TLS configuration

Hi,

We have an XG230 running SFOS 18.5.2 MR-2-Build380.

During a recent external pen test, it was reported that our externally available SMTP service supports TLS 1.1, which is a risk because "Numerous vulnerabilities have been found in TLS Version 1.1 including Padding Oracle attacks such as POODLE. PCI DSS 4.0 will be rolled out in mid-2021 and is expected to prohibit the use of TLS 1.1." (their words, not mine)

We use the XG's SMTP proxy feature to inspect email before it's delivered to our internal email servers.

Within Email -> General Settings -> SMTP TLS configuration we have "Disable legacy TLS protocols" ticked. The help message on the right-hand side states...

We recommend that you disable legacy TLS protocols to overcome TLS vulnerabilities. This option will disable protocols earlier than TLS1.1.

I take that to mean it's disabled everything BEFORE TLS 1.1, but not TLS 1.1 itself. I can confirm SSL2, SSL3 and TLS 1.0 connection attempts are rejected externally to the SMTP proxy.

How can I disable TLS 1.1? Also, why is TLS 1.3 still not supported by the XG230?

References

en.wikipedia.org/.../Transport_Layer_Security

TLS 1.0 and 1.1 were deprecated in 2020

TLS 1.3 was August 2018

Regards

Steve
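
One way to repeat the external check described in the post, one protocol version at a time, against an SMTP listener you administer (an added example, not part of the original post and not Sophos tooling). The host argument, the function names and the constructed `SAMPLE` results are assumptions for illustration; with no host argument the script reports on `SAMPLE`.

```python
import smtplib
import ssl
import sys
import warnings

VERSIONS = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1,
            "TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3}
LEGACY = ("TLS 1.0", "TLS 1.1")
# Constructed results mirroring the post: 1.0 rejected, 1.1 still accepted.
SAMPLE = {"TLS 1.0": False, "TLS 1.1": True, "TLS 1.2": True, "TLS 1.3": False}

def pinned_context(version):
    """Client context that can negotiate exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # only the protocol version is under test
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():  # Python warns when pinning 1.0/1.1
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3.x only offers TLS 1.0/1.1 at security level 0
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx

def accepts(host, port, version, timeout=10):
    """True if the listener completes STARTTLS at exactly this version."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)  # connect errors propagate
    try:
        smtp.ehlo()
        smtp.starttls(context=pinned_context(version))
        return True
    except (ssl.SSLError, ConnectionError, smtplib.SMTPServerDisconnected):
        return False  # handshake refused at this version
    finally:
        smtp.close()

def scan(host, port=25):
    return {name: accepts(host, port, v) for name, v in VERSIONS.items()}

def legacy_findings(results):
    """Deprecated versions (TLS 1.0/1.1) that the listener still accepted."""
    return [name for name in LEGACY if results.get(name)]

if __name__ == "__main__":
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for name, ok in results.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    print("Legacy still enabled:", legacy_findings(results) or "none")
```

A "rejected" result can also mean the local OpenSSL build cannot speak that protocol, so confirm a clean result for TLS 1.0/1.1 from a second client before relying on it.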



This thread was automatically locked due to age.