Re: Disabling TLSv1

2020-03-06 Thread Viktor Dukhovni
On Fri, Mar 06, 2020 at 05:51:19AM -0800, Doug Hardie wrote:
> > An interesting question in your case is what fraction of the TLSv1
> > connections are non-spam. Perhaps you're able to correlate the TLSv1
> > connections with legitimate vs. junk email.
>
> Results for 3 weeks of log files:
>

Re: Disabling TLSv1

2020-03-06 Thread Doug Hardie
> On 5 March 2020, at 17:15, Viktor Dukhovni wrote:
>
> On Thu, Mar 05, 2020 at 03:57:59PM -0800, Doug Hardie wrote:
>
>> Small mail server with 3 weeks of logs:
>>
>>  1761 TLSv1
>>    18 TLSv1.1
>> 20414 TLSv1.2
>>  6343 TLSv1.3
>>
>> That's not what I expected. I thought v1 and v1.1

Re: Disabling TLSv1

2020-03-06 Thread Matus UHLAR - fantomas
On 06.03.20 00:11, Daniel Ryšlink wrote:
> I tried disabling TLSv1.0 and TLSv1.1 on our Postfix mailservers at the beginning of the year (since there were advisories that anything older than 1.2 is considered weak and broken), and it did not end well, there were numerous complaints from what

Re: Disabling TLSv1

2020-03-06 Thread ratatouille
illingist I have 25 TLSv1 connections, 23 from and 2 to connections, all with this mailing list.
> > > If not, then perhaps disabling TLSv1 will be harmless, but if you do,
> > > perhaps prod the senders to upgrade first, before you prevent them
> > > from establishing TL

Re: Disabling TLSv1

2020-03-05 Thread Doug Hardie
> On 5 March 2020, at 17:15, Viktor Dukhovni wrote:
>
> On Thu, Mar 05, 2020 at 03:57:59PM -0800, Doug Hardie wrote:
>
>> Small mail server with 3 weeks of logs:
>>
>>  1761 TLSv1
>>    18 TLSv1.1
>> 20414 TLSv1.2
>>  6343 TLSv1.3
>>
>> That's not what I expected. I thought v1 and v1.1

Re: Disabling TLSv1

2020-03-05 Thread Viktor Dukhovni
On Fri, Mar 06, 2020 at 02:16:42AM +, Allen Coates wrote:
> Virtually all my TLSv1 connections come from this mailing list...
>
> Would there be any mileage in disabling OUTBOUND TLSv1 connections while
> accepting inbound for a little while longer?

You can certainly configure each

Re: Disabling TLSv1

2020-03-05 Thread Allen Coates
Virtually all my TLSv1 connections come from this mailing list...

Would there be any mileage in disabling OUTBOUND TLSv1 connections while accepting inbound for a little while longer?

Allen C

On 05/03/2020 20:08, ratatouille wrote:
> Hello!
>
> Don't know why TLSv1 is still offered on our

Re: Disabling TLSv1

2020-03-05 Thread Viktor Dukhovni
On Thu, Mar 05, 2020 at 03:57:59PM -0800, Doug Hardie wrote:
> Small mail server with 3 weeks of logs:
>
>  1761 TLSv1
>    18 TLSv1.1
> 20414 TLSv1.2
>  6343 TLSv1.3
>
> That's not what I expected. I thought v1 and v1.1 would be reversed.
> There is a complete spectrum of ciphers

Re: Disabling TLSv1

2020-03-05 Thread Doug Hardie
> On 5 March 2020, at 15:26, ratatouille wrote:
>
> Viktor Dukhovni wrote on 05.03.20 at 16:44:14:
>
>> On Thu, Mar 05, 2020 at 09:08:43PM +0100, ratatouille wrote:
>>
>>> Don't know why TLSv1 is still offered on our servers running
>>
>> Probably because you're not changing the

Re: Disabling TLSv1

2020-03-05 Thread Viktor Dukhovni
RSA-DES-CBC3-SHA (112/168 bits)
> 2 TLSv1.2 with cipher DES-CBC3-SHA (112/168 bits)
> 1 TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> 1 TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

That's two out of not very many total, are these actual message deliveries, or just pro

Re: Disabling TLSv1

2020-03-05 Thread ratatouille
r CAMELLIA256-SHA (256/256 bits)
7 TLSv1.1 with cipher CAMELLIA128-SHA (128/128 bits)
4 TLSv1.2 with cipher ECDHE-RSA-DES-CBC3-SHA (112/168 bits)
2 TLSv1.2 with cipher DES-CBC3-SHA (112/168 bits)
1 TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
1 TLSv1 with cipher ECDHE-RSA-AES128-SH

Re: Disabling TLSv1

2020-03-05 Thread Daniel Ryšlink
Hello,

I tried disabling TLSv1.0 and TLSv1.1 on our Postfix mail servers at the beginning of the year (since there were advisories that anything older than 1.2 is considered weak and broken), and it did not end well, there were numerous complaints from what turned out to be still supported LTS

Re: Disabling TLSv1

2020-03-05 Thread Viktor Dukhovni
25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Other than test TLS connections, do you still see legitimate inbound email in your logs (looking over a week or more of logs) delivered with TLSv1? If not, then perhaps disabling TLSv1 will be harmless, but if you do, perhaps prod the senders t
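
A log tally of the kind posted in this thread, written here as an added example that is not part of any message above: it parses Postfix's "TLS connection established" records for both the inbound (smtpd) and outbound (smtp) side, counts handshakes per direction, protocol and cipher, and lists the peers that still negotiate anything below TLSv1.2, which is the list to prod before those protocols are switched off. The log lines, host names and addresses are constructed for the example. A counted handshake is not necessarily a delivery: a scanner, or a list host testing TLS, shows up in this tally exactly like a real sender, which is the distinction the question above asks about.

```python
"""Tally Postfix TLS handshakes by direction, protocol version and cipher.

Added example, not from the mailing-list thread.  The log lines in
SAMPLE_LOG are constructed to follow the format of Postfix's
"TLS connection established" records; host names and addresses are
documentation placeholders.
"""
import re
from collections import Counter, defaultdict

# One record per handshake, inbound (smtpd: "... established from host[addr]: ...")
# or outbound (smtp: "... established to host[addr]:port: ...").  The optional
# "name/" segment covers listeners that set syslog_name in master.cf.
TLS_LINE = re.compile(
    r"postfix/(?:[\w-]+/)?(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<dir>from|to) (?P<peer>\S+?)(?::\d+)?: "
    r"(?P<proto>TLSv1(?:\.[123])?|SSLv[23]) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+/\d+) bits\)"
)

LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")   # anything below TLSv1.2

# Constructed sample: a list host that does two inbound and one outbound
# TLSv1 handshake, one TLSv1.1 legacy sender, modern traffic on both sides,
# and a non-TLS record at the end that must be ignored.
SAMPLE_LOG = """\
Mar  5 20:08:43 mx1 postfix/smtpd[1201]: Anonymous TLS connection established from list.example.org[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  5 20:09:01 mx1 postfix/submission/smtpd[1202]: Anonymous TLS connection established from client.example.com[198.51.100.6]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  5 20:09:30 mx1 postfix/smtp[1310]: Untrusted TLS connection established to list.example.org[192.0.2.10]:25: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Mar  5 20:10:12 mx1 postfix/smtpd[1203]: Anonymous TLS connection established from legacy.example.net[203.0.113.7]: TLSv1.1 with cipher CAMELLIA128-SHA (128/128 bits)
Mar  5 20:11:05 mx1 postfix/smtp[1311]: Verified TLS connection established to mx.example.com[198.51.100.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  5 20:12:44 mx1 postfix/smtpd[1204]: Anonymous TLS connection established from list.example.org[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  5 20:13:00 mx1 postfix/smtpd[1205]: connect from unknown[203.0.113.99]
"""


def parse_tls_lines(log_text):
    """Return one dict per handshake record; lines that are not TLS records are skipped."""
    records = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            r = m.groupdict()
            r["direction"] = "inbound" if r["dir"] == "from" else "outbound"
            records.append(r)
    return records


def tally(records, *fields):
    """Count handshakes grouped by the named record fields, e.g. tally(recs, "direction", "proto")."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def legacy_peers(records, legacy=LEGACY):
    """Peers still negotiating a pre-TLSv1.2 protocol, with per-(direction, protocol)
    counts.  This is the list to contact before disabling those protocols; note that
    a probe-only peer (a scanner, a list host testing TLS) appears here as well."""
    peers = defaultdict(Counter)
    for r in records:
        if r["proto"] in legacy:
            peers[r["peer"]][(r["direction"], r["proto"])] += 1
    return dict(peers)


if __name__ == "__main__":
    recs = parse_tls_lines(SAMPLE_LOG)
    for (direction, proto), n in sorted(tally(recs, "direction", "proto").items()):
        print(f"{n:6d} {direction:8s} {proto}")
    for (proto, cipher), n in sorted(tally(recs, "proto", "cipher").items()):
        print(f"{n:6d} {proto} with cipher {cipher}")
    for peer, counts in legacy_peers(recs).items():
        print(peer, dict(counts))
```

To run it over a real mail log, replace SAMPLE_LOG with the file contents (the path, such as /var/log/mail.log, depends on the host's syslog setup); three weeks of logs, as used in the thread, is a reasonable window before deciding.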

Disabling TLSv1

2020-03-05 Thread ratatouille
Hello!

Don't know why TLSv1 is still offered on our servers running

mail_version = 2.11.3
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1

but a scan by ssllabs.com or with testssl.sh shows TLSv1 is still supported. I am not sure what's wrong. What am I missing?

Other parameters I set:
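
One reason a scan can still see TLSv1 after smtpd_tls_protocols has been changed, written up as an added example that is not from any message in this thread: Postfix reads smtpd_tls_protocols only for opportunistic TLS (smtpd_tls_security_level = may) and smtpd_tls_mandatory_protocols for mandatory TLS (level encrypt), and a submission or smtps entry in master.cf commonly forces the mandatory level with a -o override, so a listener on another port keeps whatever the mandatory parameter allows. The checker below reads a main.cf and a master.cf and reports, for each smtpd listener, which parameter governs it, where that parameter is set, and the resulting protocol set. The two sample files are constructed; the built-in default it assumes for an unset parameter ("!SSLv2, !SSLv3") must be confirmed with postconf -d on the actual version, and TLSv1.3 is only reachable on Postfix 3.4 or later with OpenSSL 1.1.1, so the set it prints is an upper bound. The client side has the parallel pair smtp_tls_protocols and smtp_tls_mandatory_protocols, which is why inbound and outbound can be restricted independently, as asked elsewhere in the thread.

```python
"""Which Postfix protocol parameter governs each smtpd listener?

Added example, not from the thread.  Postfix applies smtpd_tls_protocols
to opportunistic TLS (smtpd_tls_security_level = may) and
smtpd_tls_mandatory_protocols to mandatory TLS (level encrypt); a
master.cf "-o" override applies to that one listener only.  MAIN_CF and
MASTER_CF are constructed samples.
"""
import re

# Upper bound only: TLSv1.3 exists only with Postfix >= 3.4 and OpenSSL 1.1.1.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumed built-in default for an unset parameter; verify with: postconf -d <parameter>
ASSUMED_DEFAULT = "!SSLv2, !SSLv3"


def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()
        elif "=" in raw:
            key, _, value = raw.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params


def parse_master_cf(text):
    """Return [(service, type, {-o overrides})] for every entry whose command is smtpd."""
    services, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                      # continuation line: "-o name=value"
            if current is not None:
                for m in re.finditer(r"-o\s+(\S+?)=(\S*)", raw):
                    current[2][m.group(1)] = m.group(2)
            continue
        fields = raw.split()                      # name type private unpriv chroot wakeup maxproc command
        current = None
        if len(fields) >= 8 and fields[7] == "smtpd":
            current = (fields[0], fields[1], {})
            services.append(current)
    return services


def protocol_set(spec):
    """Expand a Postfix protocol list: exclusion form "!SSLv2, !SSLv3" or inclusion form "TLSv1.2, TLSv1.3"."""
    names = [n for n in re.split(r"[\s,:]+", spec) if n]
    excluded = {n[1:] for n in names if n.startswith("!")}
    included = {n for n in names if not n.startswith("!")}
    unknown = (excluded | included) - set(ALL_PROTOCOLS)
    if unknown:   # the ">=TLSv1.2" form of Postfix 3.6 is deliberately not handled here
        raise ValueError(f"unsupported protocol names: {sorted(unknown)}")
    if included and excluded:
        raise ValueError(f"inclusion and exclusion forms must not be mixed: {spec!r}")
    return included if included else set(ALL_PROTOCOLS) - excluded


def security_level(main, overrides):
    """Effective smtpd_tls_security_level, falling back to the legacy smtpd_use_tls / smtpd_enforce_tls switches."""
    level = overrides.get("smtpd_tls_security_level", main.get("smtpd_tls_security_level", ""))
    if level:
        return level
    if overrides.get("smtpd_enforce_tls", main.get("smtpd_enforce_tls")) == "yes":
        return "encrypt"
    if overrides.get("smtpd_use_tls", main.get("smtpd_use_tls")) == "yes":
        return "may"
    return "none"


def effective_protocols(main_cf, master_cf):
    """Per smtpd listener: (service, governing parameter or None, where it is set, allowed protocols)."""
    main, report = parse_main_cf(main_cf), []
    for name, _kind, overrides in parse_master_cf(master_cf):
        level = security_level(main, overrides)
        if level == "encrypt":
            param = "smtpd_tls_mandatory_protocols"
        elif level == "may":
            param = "smtpd_tls_protocols"
        else:
            report.append((name, None, "TLS off", set()))
            continue
        if param in overrides:
            where, spec = "master.cf", overrides[param]
        elif param in main:
            where, spec = "main.cf", main[param]
        else:
            where, spec = "default", ASSUMED_DEFAULT
        report.append((name, param, where, protocol_set(spec)))
    return report


# Constructed sample mirroring the question: the restriction lives in main.cf only,
# while the submission listener switches to mandatory TLS and so reads the other parameter.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_cert_file = /etc/postfix/cert.pem
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
pickup     unix  n  -  n  60 1  pickup
"""

if __name__ == "__main__":
    for service, param, where, allowed in effective_protocols(MAIN_CF, MASTER_CF):
        print(f"{service:11s} {param or '-':30s} {where:9s} {sorted(allowed)}")
```

On the sample, port 25 is governed by smtpd_tls_protocols from main.cf and no longer offers TLSv1, while the submission listener is governed by smtpd_tls_mandatory_protocols, which is unset and therefore still allows TLSv1; a scanner pointed at that port reports TLSv1 as supported. The fix is to set smtpd_tls_mandatory_protocols as well (in main.cf, or per listener with -o), and then re-scan every port that speaks TLS rather than only 25.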