Email Protection : TLS Version and Ciphersuite selection
Dear Sophos Team,
please add a TLS Version selector to the Email Protection settings, like it's already done in "Webserver Protection > WAF > Advanced".
In addition, please add a Ciphersuite Selector, so advanced users can further specify which ciphersuites (ECDH-* / DHE-* / AES-* / ...) they want to use.
TLS Version can be set via GUI in 9.510
Please add support to make TLS 1.2 for SMTP mandatory, with means to make exceptions to that.
Please add TLS 1.2 for SMTP
This is an odd thing for the PCI scan to be worried about. If the encryption setup is rejected for using an insufficiently secure ciphersuite, then it will fall back to an unencrypted connection. This does nothing to prevent a man-in-the-middle downgrade attack, it only makes things easier for the attacker. For email, poor encryption is better than none.
Disabling unencrypted email is not viable, because too much legitimate mail still arrives unencrypted.
I guess ciphersuite control could be important for TLS-required correspondents, but I have found no uses for this feature. Even one of the biggest insurance companies, which uses encrypted communication everywhere that it might be needed, does not use encryption for marketing information sent under their identity.
If you are not doing encryption-required, the PCI scan issue is silly, and you should just post an exception to the objection.
YASU (Yet another Sophos user) commented
...and please add the TLS selector _immediately_. To be PCI compliant, all TLS v1 settings have to be deactivated, and actually this is still a manual job, editing a conf file. This is more than old school. And if I forget to check the exim settings (every update resets the manual settings), the external *********** test fails and has to be repeated. Please!
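Added example, not from the thread or from Sophos: a small STARTTLS probe a mail admin can run after each update to confirm the SMTP listener no longer accepts TLS 1.0/1.1, before the external compliance test does the same check. The host and port are assumed; the check only looks at which protocol versions the server negotiates, not at certificate validity.

```python
"""Probe which TLS versions an SMTP server accepts via STARTTLS (added example)."""
import smtplib
import ssl

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLSv1", "TLSv1.1"}  # versions a PCI scan flags on port 25


def make_context(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # We audit protocol acceptance only, so certificate checks are off here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL refuses legacy versions unless the security level is lowered.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def probe(host, port, version, timeout=10):
    """Return the negotiated cipher name if the server accepts `version`, else None."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return None
            smtp.starttls(context=make_context(version))
            return smtp.sock.cipher()[0]
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return None


def evaluate(accepted):
    """accepted maps version name -> cipher or None. Returns (compliant, findings)."""
    findings = [f"{name} accepted ({cipher})"
                for name, cipher in accepted.items() if cipher and name in LEGACY]
    if not accepted.get("TLSv1.2") and not accepted.get("TLSv1.3"):
        findings.append("no TLS 1.2 or 1.3 negotiated")
    return (not findings, findings)


def audit(host="mail.example.invalid", port=25):  # hypothetical host, assumption
    return evaluate({name: probe(host, port, v) for name, v in VERSIONS.items()})
```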