Grow with us: Join Postmark's new referral partner program and start earning
x

Upcoming TLS configuration changes for API users—action may be required

To ensure the continued security of our systems, we wanted to let you know about some upcoming changes to our TLS (Transport Layer Security) configurations for API access. These changes may affect your application’s ability to continue to send mail through Postmark, so please read through this post in detail. These changes do not affect sending via SMTP.

Show details

What’s changing

On April 13, 2021, we are going to (1) disable TLSv1.0 access, (2) disable all RC4 and low-strength ciphers, and (3) add HSTS headers.

Here’s the full timeline of the changes:

  • February 16, 2021 (today): Announcement of the changes, and testing endpoints are made available.
  • February 23, 2021: All Postmark customers are notified about upcoming changes via email and an in-app notification.
  • March 16, 2021: Dedicated email outreach to all accounts that are still connecting to Postmark via TLSv1.0.
  • March 23, 2021 (11 am ET - 12 pm ET): Perform “blackout” test, where we cut over to the new configuration for one hour in production.
  • March 25, 2021: Dedicated email outreach to all accounts that are still connecting to Postmark via TLSv1.0
  • March 30, 2021 (11 am ET - 11 pm ET): Perform another “blackout” test, where we cut over to the new configuration for 12 hours in production.
  • April 13, 2021: Cut over production to new configuration permanently.
  • April 20, 2021: Decommission temporary testing SSL endpoint.

We’ll discuss each change below, as well as your next steps to make sure sending isn’t interrupted.

Disabling TLSv1.0 access

TLSv1.0 has been deprecated, and we are following suit.

Impact: Connections that only support TLSv1.0 would not be able to connect anymore after this change.

Disabling all RC4 and low-strength ciphers

RC4 ciphers are considered weak and they are deprecated as well. Along with this, we are getting rid of any low-strength ciphers that are vulnerable to breaks as well.

Impact: Connections that only support these old/weak ciphers would not be able to connect anymore after this change.

Adding HSTS headers

HSTS (HTTP Strict Transport Security) headers tell web clients to only ever connect to a URL over HTTPS for a period of time (usually 6 months to 1 year). This prevents something called a “downgrade attack”, where users are tricked into visiting a version of a URL that is not secured or validated with TLS.

Impact: We are adding these headers in accordance with industry standards. There is no API connectivity impact.

What you need to do

If you send with Postmark via our API, please make sure that your sending infrastructure is able to deal with these changes prior to the April 13 cutover date.

We’ve set up a temporary endpoint at api-ssl-temp.postmarkapp.com that has these changes already applied. You can use this as an endpoint to test/validate against. Please be aware that there is no expectation of uptime on this endpoint, and that it will be shut down on April 20, 2021 with no further notice. It should only be used for temporary testing of non-production traffic.

If any of your tests with the temporary endpoint fail, updating your OpenSSL library should resolve the issue. If you are having trouble getting your API integration to work with this temporary endpoint, please contact our support team and let us know the exact error message encountered when attempting to connect, and a log of the connection attempt. We may be able to provide specific instructions for using newer TLS configurations.

Additional details related to specific libraries