On Thu, Oct 16, 2014 at 07:14:52AM +0200, Robert Schetterer wrote:

> >> 4 SSLv3
> >>   22353 TLSv1
> >>
> >> 2 SSLv3
> >>   17664 TLSv1
> > 
> > Yep, "slightly negative".  The magnitude of the effect will vary
> > from site to site.
> 
> Yes you're right

My own small server, had six SSLv3 inbound connections out of a
total of 44,000 TLS connections since August.  No outbound connections
were SSLv3, but the sample size is much smaller (~1500).

All six inbound connections tried to send spam:

    Aug 12 05:02:10 amnesiac postfix/smtpd[28710]: Anonymous TLS connection established from unknown[200.175.93.98]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)

    Aug 25 17:20:27 amnesiac postfix/smtpd[17196]: Anonymous TLS connection established from unknown[91.185.31.90]: SSLv3 with cipher DES-CBC3-SHA (168/168 bits)

    Sep  3 06:28:38 amnesiac postfix/smtpd[28869]: Anonymous TLS connection established from static-ip-2-87-134-202.rev.dyxnet.com[202.134.87.2]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)

    Sep 14 12:34:08 amnesiac postfix/smtpd[18452]: Anonymous TLS connection established from m6.dothost.co.kr[61.72.254.206]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)

    Sep 25 22:29:32 amnesiac postfix/smtpd[26840]: Anonymous TLS connection established from mail.cisn.com[209.151.144.20]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)

    Sep 25 22:42:46 amnesiac postfix/smtpd[22524]: Anonymous TLS connection established from mail.cisn.com[209.151.144.20]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Had SSLv3 been disabled these would probably have been retried in
cleartext, making no difference.

At most Postfix sites neither disabling SSLv3 nor leaving it enabled
makes any significant difference.  At a few it might reduce security
for a trickle of sensitive mail, or deny access to ancient MUAs.
Use your judgement.

-- 
        Viktor.
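The counts quoted in this thread come from grepping Postfix "TLS connection established" log lines by protocol version. The following script is an added example, not code from the thread or from Postfix itself: it parses those smtpd (inbound, "from") and smtp (outbound, "to host[ip]:port") lines, tallies connections per direction and protocol, and lists the peers that negotiated SSLv3 so they can be checked before the protocol is disabled. The sample log lines are constructed for the example with documentation-range addresses; the regex assumes the classic "name[ip]" peer format and ignores unrelated lines.

```python
import re
from collections import Counter

# Postfix logs a line like this for every TLS session, inbound (smtpd,
# "from name[ip]") or outbound (smtp, "to name[ip]:port").  Trust level is
# one of Anonymous/Untrusted/Trusted/Verified; the protocol field is what
# this example cares about.
_TLS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<dir>from|to) (?P<peer>\S+?\[(?P<ip>[^\]]+)\])(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)


def parse_tls_line(line):
    """Return a dict for a Postfix TLS-established line, or None for any other line."""
    m = _TLS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # smtpd is the server side (inbound), smtp the client side (outbound).
    rec["direction"] = "inbound" if rec["daemon"] == "smtpd" else "outbound"
    rec["bits"] = int(rec["bits"])
    return rec


def protocol_counts(lines):
    """Count TLS sessions keyed by (direction, protocol), e.g. ("inbound", "SSLv3")."""
    counts = Counter()
    for line in lines:
        rec = parse_tls_line(line)
        if rec:
            counts[(rec["direction"], rec["proto"])] += 1
    return counts


def sslv3_share(lines):
    """Per direction, (SSLv3 sessions, all TLS sessions) so the 'trickle' can be sized."""
    counts = protocol_counts(lines)
    share = {}
    for (direction, proto), n in counts.items():
        old, total = share.get(direction, (0, 0))
        share[direction] = (old + (n if proto == "SSLv3" else 0), total + n)
    return share


def sslv3_peers(lines):
    """Distinct (direction, ip) pairs that negotiated SSLv3: the hosts to look at."""
    peers = set()
    for line in lines:
        rec = parse_tls_line(line)
        if rec and rec["proto"] == "SSLv3":
            peers.add((rec["direction"], rec["ip"]))
    return sorted(peers)


# Constructed sample log (not real traffic): two SSLv3 clients, one SSLv3
# outbound hop, modern TLS otherwise, plus a non-TLS line that must be skipped.
SAMPLE_LOG = """\
Aug 12 05:02:10 mx postfix/smtpd[28710]: Anonymous TLS connection established from unknown[192.0.2.10]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 12 05:03:44 mx postfix/smtpd[28711]: Anonymous TLS connection established from mail.example.net[192.0.2.20]: TLSv1 with cipher AES128-SHA (128/128 bits)
Aug 12 05:05:01 mx postfix/smtpd[28712]: Trusted TLS connection established from mx2.example.org[198.51.100.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 12 05:06:30 mx postfix/smtp[28713]: Untrusted TLS connection established to mail.example.com[203.0.113.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 12 05:07:12 mx postfix/smtp[28714]: Anonymous TLS connection established to relay.example.com[203.0.113.9]:25: SSLv3 with cipher DES-CBC3-SHA (168/168 bits)
Aug 12 05:08:00 mx postfix/smtpd[28715]: connect from unknown[192.0.2.10]
Aug 12 05:08:05 mx postfix/smtpd[28715]: Anonymous TLS connection established from unknown[192.0.2.10]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (direction, proto), n in sorted(protocol_counts(lines).items()):
        print(f"{n:6d} {direction:8s} {proto}")
    print("SSLv3 share:", sslv3_share(lines))
    print("SSLv3 peers:", sslv3_peers(lines))
```

Run it against a real mail log with `python3 tls_versions.py < /var/log/mail.log` after replacing `SAMPLE_LOG` with `sys.stdin`; the peer list is what tells you whether the SSLv3 traffic is spam sources that would simply retry in cleartext, or a legitimate correspondent whose mail would lose encryption.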
