TLS versions 1.0 and 1.1 will be disallowed

Overview – Sep 1, 2023

Your email security is of paramount importance to Sophos Email. Both TLSv1.0 and TLSv1.1 are vulnerable to security attacks, and consequently the use of these versions has been removed from many servers. As a result, we have deprecated support for the delivery of emails, both inbound and outbound, over TLSv1.0 or TLSv1.1. From January 1, 2024 onwards, the delivery of emails over TLSv1.0 or TLSv1.1 will not be supported.

We have observed that a handful of customers continue to use TLSv1.0 and TLSv1.1, despite the known vulnerabilities. Please do not wait until the last minute to make this important and urgent change, which prevents attackers from exploiting the vulnerabilities.

Applies to the following Sophos product
Sophos Email

Impact

Beginning January 1, 2024, if you have not configured your mail server to stop using TLSv1.0 or TLSv1.1, then you will encounter TLS delivery failure errors. These failed deliveries will disrupt your email communication, so please make the change as soon as feasible and before January 1, 2024.

What to do

You should ensure that your mail server is not restricted to TLSv1.0 or TLSv1.1 only. If your mail server remains restricted on or after January 1, 2024, your email communications will be disrupted.

Ideally, you should ensure that TLSv1.0 and TLSv1.1 are disabled on your mail server to prevent them from being used accidentally for email flow and to ensure that your mail server is not vulnerable to any TLS security attacks.

We recommend that you use TLSv1.3, which is supported by Sophos Email. The use of TLSv1.2 is also supported.
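
One way to check a mail server against the two recommendations above, offered as an added example that is not Sophos code: it attempts SMTP STARTTLS once per protocol version and classifies the result. The function names are hypothetical, and the host and port are whatever you pass on the command line.

```python
import smtplib
import ssl
import sys

VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
LEGACY = {"TLSv1.0", "TLSv1.1"}

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Diagnostic probe only: no mail is sent, so certificate checks are skipped
    # to keep a certificate problem from masking the protocol result.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if version < ssl.TLSVersion.TLSv1_2:
        # Many OpenSSL builds refuse TLSv1.0/1.1 at the default security level.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, version):
    """Return True if the server completes STARTTLS using only `version`."""
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.ehlo()
            smtp.starttls(context=pinned_context(version))
            return smtp.sock.version() is not None
    except (OSError, ValueError):  # refused, no STARTTLS, or unsupported locally
        return False

def assess(accepted):
    """Map {version name: accepted?} onto the advisory's two recommendations."""
    legacy = any(accepted.get(v) for v in LEGACY)
    modern = any(ok for v, ok in accepted.items() if v not in LEGACY)
    if modern and not legacy:
        return "OK: only TLSv1.2/1.3 accepted"
    if modern and legacy:
        return "WARN: works after the cutoff, but TLSv1.0/1.1 should be disabled"
    if legacy:
        return "FAIL: restricted to TLSv1.0/1.1, delivery will fail after the cutoff"
    return "UNKNOWN: no TLS version negotiated"

if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    accepted = {name: probe(host, port, v) for name, v in VERSIONS.items()}
    for name, ok in accepted.items():
        print(f"{name}: {'accepted' if ok else 'not accepted'}")
    print(assess(accepted))
```

The probe covers only the server's receiving side on the given port. A "not accepted" result for TLSv1.0 or TLSv1.1 can also mean the local OpenSSL build cannot offer those versions.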
