
Security upgrades to SMTP sending — action may be required

Updated December 3, 2019 with new key dates.

We wanted to let you know about a few changes we’re making to SMTP sending in the coming weeks to make this endpoint more secure. These changes will only affect sending via SMTP. If you use only the Postmark REST API to send, no further action is required on your part.


What’s changing

The following changes will be made to our supported SMTP TLS configuration:

  • Deprecation and removal of TLSv1.0 support. Going forward we will only support connections via TLSv1.1 or higher.
  • Deprecation and removal of several older and less secure cipher suites.
  • Modification of cipher parameters to require larger key sizes.

We understand that this type of change can be disruptive, so we want to provide you with ample time to test and verify that your application will be able to continue sending mail using the updated security settings.

These are the key dates for these changes:

  • October 29th, 2019 (today): Deprecation announcement, and testing endpoints are made available.
  • January 27, 2020: “Blackout testing”. We will temporarily move SMTP traffic to the updated configuration for a few hours throughout the day so that customers that have not seen this notice are alerted to issues before the final cutover.
  • February 1, 2020: All production traffic will be moved to the updated security configuration.

The most significant change, which might affect you, is that we are disabling TLSv1.0 on February 1, 2020. This protocol is old and vulnerable, so we will be rejecting connection requests that use TLSv1.0.

What you need to do

Before the cutover date on February 1, 2020, we recommend that you perform some tests against the following temporary testing endpoint: future-smtp.postmarkapp.com. This endpoint matches the changes we’ll be making, so if everything works as expected, you’re good to go. Just switch back to using smtp.postmarkapp.com and no further action will be needed.

If you run into any issues using the temporary endpoint (i.e., your SMTP client is unable to connect), please change your SMTP client configuration to use TLSv1.1 or higher, or upgrade your SMTP client to a version that supports TLSv1.1 or higher. Documentation for SMTP clients will typically provide configuration options, where you can see how to set the connection to use TLSv1.1 or higher. If there is not a version of your SMTP client that supports TLSv1.1, you will need to select a new SMTP client that does support TLSv1.1 or higher in order to continue using Postmark.

If you are unable to get an SMTP client that is compatible with TLSv1.1 or higher working with the new SMTP endpoint, please contact our support team and let us know the following details:

  • What OS and SMTP client you’re using to connect, as well as any additional information that might be helpful (e.g., what PHP or OpenSSL version you are using).
  • The exact error message encountered when attempting to connect, and a log of the connection attempt.

We may be able to provide specific instructions for opting into using newer TLS configurations.
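One way to run the test described above from a machine that sends your mail, as an added example (not Postmark's own tooling): it performs STARTTLS against the testing endpoint with the local Python/OpenSSL defaults, checks that TLSv1.1 or higher was negotiated, and prints the details support asks for. Port 587 and the names meets_minimum, probe and support_report are assumptions made for this example; use the port your client is configured with.

```python
import platform
import smtplib
import ssl

# Hostname from the announcement; port 587 is an assumption (use your configured port).
TEST_HOST = "future-smtp.postmarkapp.com"
ASSUMED_PORT = 587

# Protocol names as returned by ssl.SSLSocket.version(), oldest first.
_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def meets_minimum(negotiated, minimum="TLSv1.1"):
    """True if the negotiated protocol is at least `minimum`."""
    if negotiated not in _ORDER:
        return False  # unknown or missing (no TLS at all): treat as failing
    return _ORDER.index(negotiated) >= _ORDER.index(minimum)


def probe(host=TEST_HOST, port=ASSUMED_PORT, timeout=10):
    """Do EHLO + STARTTLS and record what was negotiated, or the exact error."""
    result = {"host": host, "port": port, "os": platform.platform(),
              "openssl": ssl.OPENSSL_VERSION, "protocol": None,
              "cipher": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ssl.create_default_context())
            result["protocol"] = smtp.sock.version()
            result["cipher"] = smtp.sock.cipher()[0]
    except OSError as exc:  # covers socket, ssl.SSLError and smtplib errors
        result["error"] = f"{type(exc).__name__}: {exc}"
    result["ok"] = result["error"] is None and meets_minimum(result["protocol"])
    return result


def support_report(result):
    """Format the details the announcement asks you to send to support."""
    lines = [f"{key}: {result[key]}" for key in
             ("host", "port", "os", "openssl", "protocol", "cipher", "error")]
    lines.append("verdict: " + ("OK" if result["ok"] else "ACTION REQUIRED"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(support_report(probe()))
```

This reflects the TLS stack of the Python interpreter it runs under, so run it with the same runtime and OpenSSL build your sending application uses; a client in another language needs the equivalent check in that stack.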

Once again, we are going to disable TLSv1.0 on February 1, 2020. Please perform all testing and make any necessary code changes before this date.

Please let us know if you have any questions about these changes.