Tue Jul 23 12:40:59 CEST 2013
And apparently this only escalated because we failed to address it in private,
during support, which he claims did not respond to him:
That's not cool, at all.
He also states that Qualys is irrelevant as a response, because it never tests
SMTP ports, see end of this conversation:
This reputational risk is still severe, and live.
We need a public page on the kind of settings we're using for what, and why.
So likely an explanation of the kind:
SMTP -> only incoming, fairly liberal because any encryption is better than
SUBMISSION -> user mail transport, using only strong ciphers: [details]
HTTP -> never used
HTTPS -> strongest setup, following these principles: [details]
HSTS & Co as general principles.
Also, any improvement to this setup would be always good, as per
https://issues.kolab.org/show_bug.cgi?id=3209#c0 ("Improve SMTP/IMAP/HTTP
encryption settings to pass starttls.info") guidelines and such.
But keep in mind that these are different applications, protocols, ports.
So we need a per-protocol policy explanation and configuration background, also
for ourselves. With a public version that explains how this is the best
possible at the moment.
And meanwhile I'll look into getting ourselves a better cert with SHA256, for
that's obviously needed. I'll likely be looking at an organisational verified
cert, and am thinking to up the "Swissness" of things for marketing purposes,
and because of https://mykolab.com/faq#comdomain
So *.mykolab.ch seems like what we want.
Which means we will need to update our configuration a bit, and need to think
how to handle the transition from .com to .ch.</pre>
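The per-protocol split outlined in the comment above (liberal, opportunistic TLS on inbound SMTP; mandatory strong ciphers on the submission port) as an added configuration example. This is not MyKolab's actual configuration and not code from the bug report; it assumes Postfix as the MTA, and the certificate paths and hostname are placeholders.

```ini
# main.cf: defaults, which apply to port 25 (inbound MTA-to-MTA traffic).
# Opportunistic TLS: offer STARTTLS, never require it, and accept a broad
# cipher list so that a peer with a weak TLS stack still encrypts instead
# of falling back to cleartext.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem    # placeholder path
smtpd_tls_key_file  = /etc/ssl/private/mail.example.org.key  # placeholder path
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5
smtpd_tls_received_header = yes
# Let the server's cipher preference win over the client's.
tls_preempt_cipherlist = yes

# The "mandatory" parameters only take effect where TLS is enforced
# (security level "encrypt"), i.e. on the submission service below.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5

# master.cf: port 587 (submission, our own users' mail clients).
# Per-service -o overrides replace the liberal port-25 defaults: TLS is
# required, only high-grade ciphers are offered, and SASL authentication
# is accepted only after TLS is up, so credentials never cross the wire
# in the clear.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Since Qualys' SSL Labs scanner only looks at HTTPS, the mail ports have to be checked separately: `postconf -n` shows the effective main.cf values, and `openssl s_client -starttls smtp -connect mail.example.org:25` versus `-connect mail.example.org:587` shows which protocol and cipher each port actually negotiates, which is the evidence a public per-protocol policy page can point to.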