Comcast: No more outdated TLS for inbound mail

Comcast is eliminating the ability to encrypt inbound email connections with old and insecure versions of TLS. On May 20, 2024, Alex Brotman from Comcast shared the following on the Mailop list:

Over the next few weeks, we're going to be disabling TLSv1/v1.1 inbound to our platform.  Most senders are already using TLSv1.2/v1.3, so I don't think this will be an issue.  However, keep in mind that if you're not already using those newer versions, you'll now revert to clear-text. Around the same time, we'll also begin negatively impacting reputation for clear-text senders (those without TLSv1.2/v1.3).

Putting on my (very stylish) deliverability hat, I always worry a little bit about whether or not it's wise to reject connections over an encryption issue, given Jon Postel's old adage, "be conservative in what you do, be liberal in what you accept from others." But truth be told, I don't know if this is really a big deal or not. It's always good to get outdated and broken versions of encryption mechanisms off of the playing field, but will it negatively impact the ability to deliver some legitimate mail? Comcast says that they believe the impact won't be huge.

And should this be much of a surprise? TLS 1.0/1.1 support is really meant to be long gone from the web and from email. So, it does overall feel like a good thing, and I hope any potential side effects are limited and resolvable.

Post a Comment