Our mail servers now use stronger SSL/TLS settings

We’ve updated the SSL/TLS security settings on our mail servers to match current “best practices” for security.

Our customers shouldn’t notice any changes. We’re just mentioning this so that people know to contact us in the unlikely event they do have any trouble.

That said, if you do have any trouble, it’s probably because you’re using outdated, insecure mail software that you should update. If you can’t update it, but the changes prevent you from sending mail with the “SSL” option turned on in your program, you may need to turn off the “SSL” option for outgoing mail until you can update.

What changed on a technical level?

We’ve completely disabled the obsolete SSLv3 protocol, and we’ve increased the size of the Diffie-Hellman group prime from 1024 bits to 2048 bits. This matches the current recommended default settings for the Postfix SMTP software we use.

SSLv3 was disabled because it’s almost completely unused, according to our mail logs, but is vulnerable to various attacks that newer TLS protocols protect against.

The increased DH size is necessary because some clients are now treating smaller sizes as untrusted.
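As an added illustration (not configuration from the original post or from the hosting provider's servers), here is what the two changes described above look like in a Postfix `main.cf`, with a typical older configuration shown beside the corrected one. The file path `/etc/postfix/dh2048.pem` and the "before" values are assumptions for the example; the parameter names are standard Postfix settings.

```ini
# Added example, not the original post's configuration.
#
# --- Before: typical older Postfix TLS settings (assumed for illustration) ---
# SSLv3 is still allowed; only SSLv2 is excluded.
# smtpd_tls_protocols = !SSLv2
# smtpd_tls_mandatory_protocols = !SSLv2
# No DH parameter file, so Postfix falls back to its compiled-in 1024-bit group.
# smtpd_tls_dh1024_param_file =

# --- After: settings matching the changes described in the post ---
# Disable the obsolete SSLv3 protocol for opportunistic TLS (port 25)...
smtpd_tls_protocols = !SSLv2, !SSLv3
# ...and for mandatory TLS (e.g. the submission port, where clients enable "SSL").
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

# Use a 2048-bit Diffie-Hellman group instead of the 1024-bit one.
# Despite its historical name, this parameter accepts larger groups.
# Generate the file once, before reloading Postfix:
#   openssl dhparam -out /etc/postfix/dh2048.pem 2048
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

# Apply with: postfix reload
#
# Verification from a client machine (expect the handshake to be refused):
#   openssl s_client -connect mail.example.net:25 -starttls smtp -ssl3
# And confirm the server offers a 2048-bit DH group on a normal handshake:
#   openssl s_client -connect mail.example.net:25 -starttls smtp 2>/dev/null | grep 'Server Temp Key'
```

The `-ssl3` check only works if the local OpenSSL build still supports SSLv3, which many modern builds do not; in that case the failure is on the client side rather than proof of the server setting, so check the Postfix log for the rejected handshake instead. The `Server Temp Key` line is printed by recent OpenSSL versions and should read `DH, 2048 bits` when a DHE cipher is negotiated.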