Action required: Upcoming TLS configuration changes #192

Closed
v-ken opened this issue Feb 23, 2021 · 5 comments
Comments

@v-ken

v-ken commented Feb 23, 2021

Thank you so much for your work here!

Just wanted to confirm if this package will be affected by the Postmark upcoming TLS configuration changes?

The email below was received just a few hours ago:

Hi there,

To ensure the continued security of our systems, we wanted to let you know about some upcoming changes to our TLS (Transport Layer Security) configurations for API access. These changes may affect your application’s ability to continue to send mail through Postmark, so please read through this email in detail. You can also read through these changes on our website. These changes do not affect sending via SMTP.

What’s changing

On April 13, 2021, we are going to (1) disable TLSv1 access, (2) disable all RC4 and low-strength ciphers, and (3) add HSTS headers. Here’s the full timeline of the changes:

- February 2021: Announcement of the changes, and testing endpoints are made available.
- March 23, 2021: Perform “blackout” test, where we cut over to the new configuration for one hour in production.
- March 30, 2021: Perform another “blackout” test, where we cut over to the new configuration for 12 hours in production.
- April 13, 2021: Cut over production to new configuration permanently.
- April 20, 2021: Decommission temporary testing SSL endpoint.

We’ll discuss each change below, as well as your next steps to make sure sending isn’t interrupted.

Changes and impact

(1) Disabling TLSv1 access

TLSv1 has been deprecated, and we are following suit.

Impact: Connections that only support TLSv1 would not be able to connect anymore after this change.

(2) Disabling all RC4 and low-strength ciphers

RC4 ciphers are considered weak and they are deprecated as well. Along with this, we are getting rid of any low-strength ciphers that are vulnerable to breaks as well.

Impact: Connections that only support these old/weak ciphers would not be able to connect anymore after this change.

(3) Adding HSTS headers

HSTS (HTTP Strict Transport Security) headers tell web clients to only ever connect to a URL over HTTPS for a period of time (usually 6 months to 1 year). This prevents something called a “downgrade attack”, where users are tricked into visiting a version of a URL that is not secured or validated with TLS.

Impact: We are adding these headers in accordance with industry standards. There is no API connectivity impact.

What you need to do

If you send with Postmark via our API, please make sure that your sending infrastructure is able to deal with these changes prior to the April 13 cutover date.

We’ve set up a temporary endpoint at api-ssl-temp.postmarkapp.com that has these changes already applied. You can use this as an endpoint to test/validate against. Please be aware that there is no expectation of uptime on this endpoint, and that it will be shut down on April 20, 2021 with no further notice. It should only be used for temporary testing of non-production traffic.

If any of your tests with the temporary endpoint fail, updating your OpenSSL library should resolve the issue. If you are having trouble getting your API integration to work with this temporary endpoint, please contact our support team and let us know the exact error message encountered when attempting to connect, and a log of the connection attempt. We may be able to provide specific instructions for using newer TLS configurations.

If you have any questions, just reply to this email. We’re here to help!

@kbadova

kbadova commented Mar 2, 2021

Hi there 👋

Can you confirm that this package will be affected by the Postmark upcoming TLS configuration changes?

Thanks ✌️

@Stranger6667
Owner

Hi! Sorry for the late response.

Not likely, even if it is installed with the minimum required requests version (2.20). If you use the latest version of this package (and Python 3.6+ consequently) & don't patch your Python interpreter to support some old OpenSSL version, I'd expect that postmarker will use a recent TLS version.

This behavior is platform-dependent, though, depending on the interpreter version, OS syscalls & OpenSSL version. I don't know your particular Python installation & dependencies, so I can't guarantee that it will work 100%. But I can add a config option to the package, so you can add the URL for testing api-ssl-temp.postmarkapp.com and verify the behavior in your environment.

Cheers

@Stranger6667
Owner

You can verify it with 0.17.1:

```python
from postmarker.core import PostmarkClient

# Point the client at Postmark's temporary endpoint that already has the new TLS configuration.
postmark = PostmarkClient(
    server_token="SERVER_TOKEN",
    account_token="ACCOUNT_TOKEN",
    root_api_url="https://api-ssl-temp.postmarkapp.com/",
)
```
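Since the owner notes that the outcome depends on the interpreter and OpenSSL build, here is a way to answer the question from the environment side before wiring up the client: an offline report of what this Python's OpenSSL will offer (TLS versions, cipher names) and a handshake probe against the temporary endpoint named in the announcement. This is an added example, not code from postmarker or from anyone in this thread; the list of weak-cipher name markers is my assumption, since the notice does not enumerate the retired suites.

```python
"""Check whether this Python/OpenSSL environment can reach an endpoint that
refuses TLSv1 and RC4/low-strength ciphers. Added example, not part of postmarker."""
import socket
import ssl
import sys

# Temporary test endpoint from the Postmark notice (shut down after April 20, 2021).
TEMP_TEST_HOST = "api-ssl-temp.postmarkapp.com"
# Assumed markers for suites commonly classed as weak; the notice only names RC4 explicitly.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def client_policy_context() -> ssl.SSLContext:
    """Client context mirroring the server-side change: nothing below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def enforced_minimum() -> str:
    """Name of the lowest protocol version the policy context will negotiate."""
    return client_policy_context().minimum_version.name


def environment_report() -> dict:
    """Offline summary of what the interpreter's OpenSSL build can negotiate."""
    ctx = client_policy_context()
    offered = [c["name"] for c in ctx.get_ciphers()]
    weak = [name for name in offered if any(m in name for m in WEAK_MARKERS)]
    return {
        "python": sys.version.split()[0],
        "openssl": ssl.OPENSSL_VERSION,
        "tls12_available": ssl.HAS_TLSv1_2,
        "tls13_available": ssl.HAS_TLSv1_3,
        "ciphers_offered": len(offered),
        "weak_ciphers_offered": weak,
    }


def probe_endpoint(host: str = TEMP_TEST_HOST, port: int = 443, timeout: float = 10.0) -> dict:
    """Handshake with `host` under the policy; report protocol and cipher, or the exact
    error text (what Postmark support asks for). Needs network access."""
    ctx = client_policy_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"host": host, "ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    print(environment_report())
    print(probe_endpoint())
```

If the report shows TLS 1.2 available and no RC4 suites offered, the handshake should succeed; a failure from `probe_endpoint` gives the error string to pass along when asking for help.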

@kbadova

kbadova commented Mar 3, 2021

Awesome! Thank you!

@Stranger6667
Owner

I assume that this issue could be closed, given the timeline of the TLS change.
