On 06.03.20 00:11, Daniel Ryšlink wrote:
> I tried disabling TLSv1.0 and TLSv1.1 on our Postfix mailservers at the beginning of the year (since there were advisories that anything older than 1.2 is considered weak and broken), and it did not end well. There were numerous complaints from what turned out to be a still-supported LTS version of Windows 8, which is supported till 2023, whose Outlook still uses the obsolete versions of TLS, and their handshakes will fail.

note that there's a difference between disabling tls1.0 and tls1.1 on ports
with mandatory encryption (smtps/465 and submission/587) and on
port 25, where mail servers connect.

enabling older TLS versions might be better for old servers as low
encryption may be better than no encryption on port 25, where fallback when
TLS can't be established is common - you do want to receive mail from the
internet, don't you?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
How does cat play with mouse? cat /dev/mouse
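
An added example (not part of the original message, and not Postfix's own code): a script that tallies negotiated TLS versions per service from Postfix logs, so the impact of disabling TLSv1.0/1.1 on port 25 versus 465/587 can be measured before changing anything. It assumes `smtpd_tls_loglevel = 1` and that master.cf sets `syslog_name=postfix/submission` and `syslog_name=postfix/smtps` for those services; the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (documentation addresses), in the format Postfix
# writes with smtpd_tls_loglevel = 1. The last line is a non-TLS line.
SAMPLE_LOG = """\
Mar  6 00:11:02 mx1 postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  6 00:11:09 mx1 postfix/smtpd[2102]: Anonymous TLS connection established from old-mta.example.net[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  6 00:12:30 mx1 postfix/submission/smtpd[2110]: Anonymous TLS connection established from unknown[203.0.113.5]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar  6 00:12:41 mx1 postfix/submission/smtpd[2111]: Anonymous TLS connection established from unknown[203.0.113.5]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar  6 00:13:05 mx1 postfix/smtps/smtpd[2120]: Anonymous TLS connection established from unknown[203.0.113.44]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  6 00:13:20 mx1 postfix/smtpd[2103]: connect from plain.example.com[192.0.2.99]
"""

# Optional "<service>/" prefix comes from syslog_name (assumed set in master.cf).
TLS_LINE = re.compile(
    r"postfix/(?:(?P<service>[\w-]+)/)?smtpd\[\d+\]: "
    r"\w+ TLS connection established from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<proto>(?:TLS|SSL)v[\d.]+) with cipher"
)
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}


def tally(lines):
    """Count TLS versions per service; collect client IPs still on legacy versions."""
    versions = defaultdict(Counter)
    legacy_clients = defaultdict(set)
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue  # not an inbound TLS handshake line
        # No syslog_name prefix means the plain smtpd service, i.e. port 25.
        service = m.group("service") or "smtp"
        versions[service][m.group("proto")] += 1
        if m.group("proto") in LEGACY:
            legacy_clients[service].add(m.group("ip"))
    return versions, legacy_clients


if __name__ == "__main__":
    versions, legacy = tally(SAMPLE_LOG.splitlines())
    for service in sorted(versions):
        print(service, dict(versions[service]),
              "legacy clients:", sorted(legacy.get(service, ())))
```

Legacy clients under `submission` or `smtps` are users whose mail clients would fail outright, while those under `smtp` are remote servers that would typically fall back to plaintext.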
