Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
982
Views
6
Helpful
3
Replies

ESA SMTP TLS

Go to solution
cyberurmel
Level 1
Level 1

‎11-18-2022 06:57 AM

Hello there, 

just perhaps a few simple questions for the professionals - could you be so kind to answer ? 

Mailsettings at moment : 

TLS 1.1  1.2 preferred for in and outbound 

questions : 

- anyone know when 1.3 is offered in ESA

- can i see how much from the incoming are using 1.1 instead of 1.2? 

i only find encrypted in summary . 

is it useful or best practices currently to disable 1.1 and set expected instead of preferred? 

thanks a lot 

 

Regards

 

 

 

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ken Stieers
VIP
VIP

‎11-18-2022 07:30 AM

The last roadmap I saw said 2H2023 (fiscal year, so... Aug?) They know that reporting on TLS1.1/1.2 etc. is weak, and more detailed reporting is coming, probably same time frame..
In the mean time you can look at your mail logs, they have the detail you're looking for.
I would check your logs for the past 6months... if no-one is using TLS1.1, you're probably safe turning it off...

View solution in original post

3 Replies 3

Go to solution
Ken Stieers
VIP
VIP

‎11-18-2022 07:30 AM

The last roadmap I saw said 2H2023 (fiscal year, so... Aug?) They know that reporting on TLS1.1/1.2 etc. is weak, and more detailed reporting is coming, probably same time frame..
In the mean time you can look at your mail logs, they have the detail you're looking for.
I would check your logs for the past 6months... if no-one is using TLS1.1, you're probably safe turning it off...

Go to solution
cyberurmel
Level 1
Level 1
In response to Ken Stieers

‎11-18-2022 08:14 AM

Hi Ken,



thanks a lot..



so i found nothing with

grep "TLSv1.1" mail_logs and a flood with grep "TLSv1.2" mail_logs



so you think that's an useful indicator to switch only to 1.2?

And as addon ..what do you think is better way - to accept only 1.2 or fallback to not encrypted? As I can see currently about 10 % is not encrypted.



Best Regards




0 Helpful

Go to solution
dukebox
Level 1
Level 1
In response to Ken Stieers

‎02-14-2024 04:33 PM

Any news on this potential better reporting for TLS (or no TLS) and cipher used as we are moving out of TLS1.0, 1,1,1,2 and now 1,3 ?

That would be really valuable to investigate and detect non-compliant senders! even more with YAHOO and GOOGLE enforcing TLS and DMARC compliance

ref : https://dmarcian.com/yahoo-and-google-dmarc-required/

0 Helpful
Customers Also Viewed These Support Documents