1st, this is -- for me -- a postix/mail-RELATED security question. But if it's too general, I'm happy to take it elsewhere; suggestions as to the appropriate forum, if not here, are welcome.
A 'major financial institution', call 'em "FinCo", sends email to users on my server that arrives with 'invalid' dkim sig, dkim=invalid (unsupported algorithm rsa-sha1, 1024-bit rsa key sha1) Fri Oct 12 16:18:05 2018 authentication_milter_mx[7045] header.d=FINCO.com header.i=@FINCO.com header.b=xxxxxx Fri Oct 12 16:18:05 2018 authentication_milter_mx[7045] header.a=rsa-sha1 header.s=mail-dkim; and negotiates TLSv1 postfix/postscreen-internal/smtpd[52027]: Anonymous TLS connection established from mta11.FINCO.com[xx.xx.xx.xx]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) I know that, generally, uses of TLSv1 & sha1 are, at least, fish-slap-worthy -- if not downright fully deprecated. What I don't know is if, in current practice, either is a concern -- from viewpoint of general security, standards compliance, etc -- for *MAIL* security. Namely, DKIM sig and TLS negotation. What *IS* the current recommendation on these? IS it time, yet, to block TLSv1 negotation &/or sha1-signed DKIM sigs in mail flow? Applying blanket blocks for either, in Postfix setup, is trivial enough. Just a question for me of wheter it's "safe", or "sensical", to do it.