
Due to PCI-DSS now requiring that TLSv1 be disabled to pass our network scan, I have the following issue.

Using

  • Kerio Connect mail server (www.kerio.co.uk)
  • Apple Mail (yosemite and all the way down to snow leopard)
  • iOS 8 devices

If I disable TLSv1 on the mail server, none of my mail clients can connect using IMAPS on port 993 - they just error.

There doesn't seem to be any output in the mail logs on Yosemite either to really go by.

I've posted this on Apple's forums, and there are others finding this too.

https://discussions.apple.com/thread/7043841

So the question(s):

  1. Does anyone have Apple Mail talking to a mail server which has TLSv1 disabled?
  2. Does anyone have iOS talking to a mail server which has TLSv1 disabled?
  3. Does Apple Mail even support TLSv1.1 and up?

Thanks in advance.

Alex Hellier

1 Answer

I ran a quick test of my iPad with TLS1 disabled, and was unable to connect to my mail server.

My first question would be why your e-mail server is in your PCI-DSS protected zone. You shouldn't be emailing credit card numbers and other protected data in a form that requires PCI compliance. Sending such data by email will break your compliance.

Move the email server outside the zone. TLS1 includes ciphers which don't meet the security requirements, but works fine with those ciphers removed. This likely may not pass compliance, but provides the same level of encryption. It is likely that there will be clients that don't support TLS1.1 and up for a long time.

BillThor
  • Thanks for the quick reply. We don't take or email card numbers or store them, but our mail server resides behind our firewall and so gets hit when we are scanned. I don't have any way to move it outside of our network, as we only have a single network! – Alex Hellier Jun 04 '15 at 14:50
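Before and after changing the server's TLS settings, it helps to see exactly what the IMAPS port negotiates rather than guessing from client errors. The script below is an added example (not from the question, the answer, or Kerio Connect's own tooling) that uses Python's standard `ssl` module to attempt one handshake per TLS version against an IMAPS host and reads the IMAP greeting to confirm the service answered. It also flags cipher names that match the kinds of suites the answer describes as not meeting the requirements; that marker list is a constructed assumption, not a PCI-DSS definition. The hostname `mail.example.invalid` is a placeholder.

```python
"""Probe which TLS versions an IMAPS endpoint accepts and flag weak ciphers.

Added example, not part of the original post. Assumes implicit TLS on
port 993 (IMAPS) and a reachable host; the host name below is a placeholder.
"""
import socket
import ssl
import sys

# Oldest first; TLSv1.0 is the version the PCI-DSS scan objects to.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]

# Substrings of OpenSSL cipher names that indicate a weak or obsolete
# algorithm (constructed list for this example, not an official one).
WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5", "ADH", "AECDH")


def is_weak_cipher(name):
    """True if the OpenSSL cipher name contains a weak-algorithm marker."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns (True, cipher_name, greeting) when the server completed the
    handshake, or (False, reason, None) when it refused or timed out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # This probe asks "which versions does the server offer?", not "is the
    # certificate valid?", so identity checks are off for this check only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Recent OpenSSL refuses TLS 1.0/1.1 at its default security level;
    # lower it so a failure reflects the server, not our own client.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older library without security levels; defaults are fine
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # IMAPS sends its "* OK ..." banner right after the handshake.
                greeting = tls.recv(512).decode("ascii", "replace").strip()
                return True, tls.cipher()[0], greeting
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc), None


def probe_all(host, port=993):
    """Map each version name to its probe result tuple."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}


def assess(results):
    """Summarise results: is TLSv1.0 still on, is anything newer offered,
    and which negotiated ciphers look weak. `results` is the probe_all shape."""
    enabled = [name for name, (ok, _, _) in results.items() if ok]
    weak = sorted({detail for ok, detail, _ in results.values()
                   if ok and is_weak_cipher(detail)})
    return {
        "enabled": enabled,
        "tlsv1_enabled": "TLSv1.0" in enabled,
        "modern_available": any(v in enabled for v in ("TLSv1.1", "TLSv1.2")),
        "weak_ciphers": weak,
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"
    outcome = probe_all(target)
    for name, (ok, detail, greeting) in outcome.items():
        status = "accepted" if ok else "refused"
        print(f"{name}: {status} ({detail})" + (f" banner={greeting!r}" if ok else ""))
    print(assess(outcome))
```

Run it against the server before disabling TLSv1 to record which versions and ciphers the clients are actually negotiating, then again afterwards; if `modern_available` is false once TLSv1.0 is off, the server side is the problem, and if it is true while the Apple clients still fail, the clients are.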