Security upgrades to SMTP sending — action may be required

We wanted to let you know about a few changes we’re making to SMTP sending in the coming weeks to make this endpoint more secure. These changes will only affect sending via SMTP. If you use only the Postmark REST API to send, no further action is required on your part.

Show details

What’s changing

The following changes will be made to our supported SMTP TLS configuration:

  • Deprecation and removal of TLSv1 support.
  • Deprecation and removal of several older and less secure cipher suites.
  • Modification of cipher parameters to require larger key sizes.

We understand that this type of change can be disruptive, so we want to provide you with ample time to test and verify that your application will be able to continue sending mail using the updated security settings.

These are the key dates for these changes:

  • October 29th, 2019 (today): Deprecation announcement, and testing endpoints are made available.
  • December 9th, 2019: “Blackout testing”. We will temporarily move SMTP traffic to the updated configuration for a few hours throughout the day so that customers that have not seen this notice are alerted to issues before the final cutover.
  • December 14th, 2019: All production traffic will be moved to the updated security configuration.

The most significant change, which might affect you, is that we are disabling TLSv1 on December 14, 2019. This protocol is old and vulnerable, so we will be rejecting connection requests that use TLSv1.

What you need to do

Before the cutover date on December 14th, 2019, we recommend that you perform some tests against the following temporary testing endpoint: future-smtp.postmarkapp.com. This endpoint matches the changes we’ll be making, so if everything works as expected, you’re good to go. Just switch back to using smtp.postmarkapp.com and no further action will be needed.

If you run into any issues using the temporary endpoint (i.e., your SMTP client is unable to connect), please contact our support team and let us know what OS and SMTP client you’re using to connect. We may be able to provide specific instructions for using newer TLS configurations.

Once again, we are going to disable TLSv1 on December 14, 2019. Please perform all testing and make any necessary code changes before this date.

Please let us know if you have any questions about these changes.

Sign up to receive new updates by email