TLSv1.0 is EOLed and should not be used or supported.

On 6 Sep 2019, at 01:57, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
well, if your clients (some old server installations) only support tls1.0, it's
better to allow it than forcing them to go plaintext or rejecting the mail altogether.

On 06.09.19 00:57, @lbutlr wrote:
I don’t agree. It is thinking like this that leads to people still wanting to 
use RC4-SHA or HTTP AUTH.

the alternative on server-server connection is no encryption at all.

http://postfix.1071664.n5.nabble.com/Update-to-recommended-TLS-settings-td78583.html

On 06.09.19 11:50, @lbutlr wrote:
That is four years ago and largely covers maintaining support for the
16-year-old Exchange 2003.

did you intentionally skip the link that was an update to this one and only
one year old, to blame me for the older one?

The difference right now is that TLSv1.0 is end-of-life and has known
flaws.  It should no more be used than MD5 or RC2.

However, I think here we were talking about TLS connections from sending
servers; there TLSv1.0 is already basically unused.  You are more likely
to not get opportunistic encryption at all than TLSv1.

I'd be happy to see any statistics about this. Possibly on the postfix list, if
you can...

my logs for seven weeks (since I upgraded to debian 10) say:

for the server side:

    51 version=TLSv1,
     8 version=TLSv1.1,
   539 version=TLSv1.2,
    92 version=TLSv1.3,

these are unique IP/version counts

for the client side:

     1 version=TLSv1,
     1 version=TLSv1.1,
    24 version=TLSv1.2,
     5 version=TLSv1.3,

and these are unique server name/version counts

...(sorry) I don't exchange mail with too many sites on this server;
maybe I could do more statistics at work.
seems that among the TLSv1 sites is the postfix-users mailing list ;-)

On 6 Sep 2019, at 00:51, Reio Remma <r...@mrstuudio.ee> wrote:
I recently did an experiment where I stopped accepting incoming e-mail
without TLS.  This seemingly cut off about 95-99% of spam.  Unfortunately
there still seem to be a small percentage of servers sending without TLS,
so that was a no go.

I took that to mean the OP was not talking about submission from clients,
but incoming mail from other servers.

so did I. I don't allow submission clients to use weak encryption, unless
they really need to allow that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
Honk if you love peace and quiet.
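
The per-version tallies above come from Postfix logs. The shell function below is an added example, not code from the thread or from the Postfix project, that produces the same kind of count: one entry per unique peer/version pair, keyed on the client IP for the smtpd (inbound) side and on the destination hostname for the smtp (outbound) side. It assumes the Postfix 3.x "TLS connection established from/to NAME[IP]..." log lines, and the sample log it runs on is constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example: tally TLS protocol versions from Postfix mail logs, counting
# each peer/version pair once. Reads syslog-style log lines on stdin.
#
# Log shapes relied on (Postfix 3.x):
#   smtpd: "... postfix/smtpd[PID]: Anonymous TLS connection established from NAME[IP]: TLSv1.2 with cipher ..."
#   smtp:  "... postfix/smtp[PID]: Trusted TLS connection established to NAME[IP]:25: TLSv1.3 with cipher ..."

# Usage: tls_version_stats smtpd|smtp < /var/log/mail.log
tls_version_stats() {
    case "$1" in
        smtpd) dir=from; key='\2' ;;   # inbound: key on the connecting IP
        smtp)  dir=to;   key='\1' ;;   # outbound: key on the destination name
        *) echo "usage: tls_version_stats smtpd|smtp" >&2; return 2 ;;
    esac
    # 1. keep only TLS handshake lines of the chosen service
    # 2. reduce each to "KEY VERSION" (groups: 1=name 2=ip 3=optional :port 4=version)
    # 3. drop repeat connections from the same peer with the same version
    # 4. count per version and print in the "N version=TLSvX," shape used above
    grep "postfix/$1\[[0-9]*\]: .*TLS connection established $dir " \
    | sed -E "s/.*TLS connection established $dir ([^[ ]+)\[([^]]*)\](:[0-9]+)?: (TLSv[0-9.]+) with .*/$key \4/" \
    | LC_ALL=C sort -u \
    | awk '{ n[$2]++ } END { for (v in n) printf "%7d version=%s,\n", n[v], v }' \
    | LC_ALL=C sort -k2
}

# Constructed sample log (not real traffic). Two connections from the same IP
# exercise the dedup; the plain "connect from" line exercises the filter.
SAMPLE_LOG='Sep  6 11:50:01 mx postfix/smtpd[1001]: Anonymous TLS connection established from mail.example.com[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep  6 11:51:12 mx postfix/smtpd[1002]: Anonymous TLS connection established from mail.example.com[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep  6 11:52:30 mx postfix/smtpd[1003]: Anonymous TLS connection established from unknown[203.0.113.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Sep  6 11:53:44 mx postfix/smtpd[1004]: Anonymous TLS connection established from mx2.example.org[198.51.100.22]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep  6 11:53:59 mx postfix/smtpd[1008]: Anonymous TLS connection established from smtp.example.net[192.0.2.55]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  6 11:54:05 mx postfix/smtp[1005]: Trusted TLS connection established to mx.example.net[198.51.100.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep  6 11:55:19 mx postfix/smtp[1006]: Untrusted TLS connection established to legacy.example.edu[192.0.2.77]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep  6 11:56:00 mx postfix/smtpd[1007]: connect from mail.example.com[192.0.2.10]'

echo "for the server side:"
printf '%s\n' "$SAMPLE_LOG" | tls_version_stats smtpd
echo "for the client side:"
printf '%s\n' "$SAMPLE_LOG" | tls_version_stats smtp
```

Run it against real logs with `tls_version_stats smtpd < /var/log/mail.log`. Note what it cannot see: a peer whose TLSv1 handshake is refused and then falls back to plaintext only leaves a "connect from" line, so a zero TLSv1 count after tightening does not mean those peers went away. In Postfix the port 25 opportunistic policy (`smtpd_tls_security_level = may`) is governed by `smtpd_tls_protocols`, while a submission service running with `smtpd_tls_security_level = encrypt` is governed by `smtpd_tls_mandatory_protocols`, which is why the two can be set independently as the message above describes.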
