On Tue 2015-Jun-30 01:04:48 +0200, Michelle Sullivan <miche...@sorbs.net>
wrote:
> > That said, so far today, only 0.015% of our outbound messages that
> > were over an encrypted link were using SSLv3. At our volume, that's
> > not nothing, unfortunately, but it's a pretty small amount to allow to
> > continue to allow the possibility of breaking the rest. TLSv1 is
> > still about 5%, way too high to deprecate at this point.
> > Inbound is 0.1% at SSLv3, 37% at TLSv1.
>
> So +60% is unencrypted inbound... because it has to be or because it is
> not forced otherwise... that is the burning question. You policy
> Encrypted or nothing and it'll be interesting how many cope and how many
> don't...

Just to be clear: It sounds like you're talking about a scenario where
Google would require TLS inbound and possibly outbound and refuse *any*
cleartext delivery. Is that right? Correct me if I'm wrong, but I don't
believe Brandon's said anything to that effect. Any discussion so far has
been about "if STARTTLS && ( DHE -le 512 ) then disconnect",
possibly/probably with DANE in the mix as well and refusing to fall back to
clear if STARTTLS is initiated but fails to negotiate, but nothing about
refusing *all* cleartext SMTP from the get-go.

> Michelle
> --
> Michelle Sullivan
> http://www.mhix.org/

--
Hugo
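
An added sketch, not part of the original thread, of the two policies contrasted above: the weak-DHE rule as paraphrased in the message, next to an "encrypted or nothing" rule. The `Session` record, the function names and the sample sessions are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    """One SMTP session as seen by the policy (hypothetical record layout)."""
    starttls_offered: bool           # STARTTLS was advertised and attempted
    handshake_ok: bool = False       # TLS negotiation completed
    dhe_bits: Optional[int] = None   # ephemeral DH size; None for non-DHE suites

def weak_dhe_policy(s: Session) -> str:
    """'if STARTTLS && ( DHE -le 512 ) then disconnect', no fallback to clear."""
    if not s.starttls_offered:
        return "cleartext"           # plain SMTP is still accepted
    if not s.handshake_ok:
        return "disconnect"          # STARTTLS began but failed: do not fall back
    if s.dhe_bits is not None and s.dhe_bits <= 512:
        return "disconnect"          # export-grade DH group
    return "tls"

def tls_only_policy(s: Session) -> str:
    """'Encrypted or nothing': any session without working TLS is refused."""
    return "tls" if s.starttls_offered and s.handshake_ok else "disconnect"

def tally(policy, sessions) -> Counter:
    """Count the outcomes of a policy over a batch of sessions."""
    return Counter(policy(s) for s in sessions)

# Constructed sample, not real traffic.
SAMPLE = [
    Session(False),                  # peer never used STARTTLS
    Session(False),
    Session(True, True, None),       # ECDHE or RSA key exchange
    Session(True, True, 2048),
    Session(True, True, 512),        # weak DHE
    Session(True, False),            # handshake failed
]

if __name__ == "__main__":
    print("weak-DHE rule:", dict(tally(weak_dhe_policy, SAMPLE)))
    print("TLS-only rule:", dict(tally(tls_only_policy, SAMPLE)))
```

The two rules differ only on sessions that never start TLS and on sessions with a weak DH group, which is the distinction the reply draws.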