On 6 Sep 2019, at 14:14, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

>>>> TLSv1.0 is EOLed and should not be used nor supported.
>
>> On 6 Sep 2019, at 01:57, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>>> well, if your clients (some old server installations) only support tls1.0,
>>> it's better to allow it than forcing it to go plaintext or reject the mail
>>> at all.
>
>>> On 06.09.19 00:57, @lbutlr wrote:
>> I don’t agree. It is thinking like this that leads to people still wanting
>> to use RC4-SHA or HTTP AUTH.
>
> the alternative on server-server connection is no encryption at all.

Which is still going to be the case for a still significant percentage of connections. Using deprecated end-of-life security shouldn’t be encouraged.

>>> http://postfix.1071664.n5.nabble.com/Update-to-recommended-TLS-settings-td78583.html
>
> On 06.09.19 11:50, @lbutlr wrote:
>> That is four years ago and largely covers maintaining support for the
>> 16-year-old Exchange 2003.
>
> did you intentionally skip the link that was an update to this one and only
> one year old to blame me for the older one?

Of course not, the second one was a follow-up to the first one, which again was largely about Exchange 2003, so I didn’t think it really added anything and it was also still before the EOL for TLSv1.0.

>> The difference right now is that TLSv1.0 is end-of-life and has known flaws.
>> It should no more be used than MD5 or RC2.
>>
>> However, I think here we were talking about TLS connections from sending
>> servers; there TLSv1.0 is already basically unused. You are more likely to
>> not get an opportunistic encryption at all than TLSv1.
>
> I'd be happy to see any statistics about this. Possibly in postfix list, if
> you can…

Your logs will be different than mine, I am sure. When last I checked for successfully submitted mails, unencrypted was more common than TLSv1.0, and that was … spring?

> 51 version=TLSv1,
> 8 version=TLSv1.1,
> 539 version=TLSv1.2,
> 92 version=TLSv1.3,

Most of my TLSv1 were connections that were rejected for high degrees of spammishness. I do need to go through the logs again at some point and see how things are shaping up. It would be interesting to see what the server-to-server encryption looks like now for valid mail. I suspect that 1.1 has dropped to near 0 and 1.0 is more spam than it was, but that’s just a guess.

-- 
'We get that in here some nights, when someone's had a few. Cosmic speculation about whether the gods exist. Next thing, there's a bolt of lightning through the door with a note wrapped round it saying, "Yes, we do" and a pair of sandals with smoke coming out.' (Small Gods)
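The question the thread leaves open is how many *delivered* messages still arrive over TLSv1.0/1.1 or in plaintext, as opposed to sessions that were rejected anyway. The script below is an added example, not code from the thread or from the Postfix project: it walks Postfix `smtpd` log lines, pairs each `connect`/`disconnect` by smtpd process id, notes the TLS version from the `TLS connection established` line (Postfix logs TLS 1.0 as `TLSv1`), and uses the `data=` counter in the disconnect summary to separate sessions that got a message through from ones that did not. The log lines are constructed for the example and assume the default `smtpd_tls_loglevel = 1` message format; the `version=` counts quoted in the message above come from some other source and are not what this parses.

```python
import re
from collections import Counter, defaultdict

# Protocol versions that are end-of-life and worth tracking separately.
DEPRECATED = {"TLSv1", "TLSv1.1"}

# Constructed sample lines in Postfix smtpd format (not taken from the thread).
SAMPLE_LOG = """\
Sep  6 14:10:01 mx postfix/smtpd[2101]: connect from mail.example.org[192.0.2.10]
Sep  6 14:10:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep  6 14:10:02 mx postfix/smtpd[2101]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep  6 14:11:05 mx postfix/smtpd[2102]: connect from legacy.example.net[198.51.100.7]
Sep  6 14:11:05 mx postfix/smtpd[2102]: Anonymous TLS connection established from legacy.example.net[198.51.100.7]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep  6 14:11:06 mx postfix/smtpd[2102]: disconnect from legacy.example.net[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep  6 14:12:00 mx postfix/smtpd[2103]: connect from unknown[203.0.113.9]
Sep  6 14:12:00 mx postfix/smtpd[2103]: disconnect from unknown[203.0.113.9] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Sep  6 14:13:30 mx postfix/smtpd[2104]: connect from mx.example.com[192.0.2.44]
Sep  6 14:13:30 mx postfix/smtpd[2104]: Trusted TLS connection established from mx.example.com[192.0.2.44]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep  6 14:13:31 mx postfix/smtpd[2104]: disconnect from mx.example.com[192.0.2.44] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

CONNECT_RE = re.compile(r"postfix/smtpd\[(\d+)\]: connect from ")
# Trust level words are the ones Postfix uses; the version follows the client name.
TLS_RE = re.compile(
    r"postfix/smtpd\[(\d+)\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from \S+: (TLSv[\d.]+) with cipher (\S+)"
)
DISCONNECT_RE = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from \S+(.*)$")


def tally_sessions(log_text):
    """Return {protocol: {"delivered": n, "no_mail": n}} per smtpd session.

    protocol is the TLS version string or "plaintext". A session is
    "delivered" when its disconnect summary shows at least one accepted DATA
    command; otherwise the client never got a message through (rejected,
    probed, or simply disconnected).
    """
    open_sessions = {}          # smtpd pid -> TLS version, or None before STARTTLS
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            open_sessions[m.group(1)] = None
        elif m := TLS_RE.search(line):
            pid, version, _cipher = m.groups()
            if pid in open_sessions:
                open_sessions[pid] = version
        elif m := DISCONNECT_RE.search(line):
            pid, summary = m.groups()
            if pid not in open_sessions:
                continue        # connect line was before the start of the file; skip
            proto = open_sessions.pop(pid) or "plaintext"
            data = re.search(r"\bdata=(\d+)", summary)
            accepted = data is not None and int(data.group(1)) > 0
            counts[proto]["delivered" if accepted else "no_mail"] += 1
    return {proto: dict(c) for proto, c in counts.items()}


def summarize(counts):
    """Totals a postmaster wants before disabling a protocol: delivered
    sessions in total, and how many of them relied on deprecated TLS or no TLS."""
    delivered = {p: c.get("delivered", 0) for p, c in counts.items()}
    return {
        "delivered_total": sum(delivered.values()),
        "deprecated_tls": sum(n for p, n in delivered.items() if p in DEPRECATED),
        "plaintext": delivered.get("plaintext", 0),
    }


if __name__ == "__main__":
    per_proto = tally_sessions(SAMPLE_LOG)
    for proto, c in sorted(per_proto.items()):
        print(f"{proto:10} delivered={c.get('delivered', 0):4} no_mail={c.get('no_mail', 0):4}")
    print(summarize(per_proto))
```

Run it against a real `mail.log` by replacing `SAMPLE_LOG` with the file contents; the `no_mail` column is where rejected spam lands, so the `delivered` column is the number that matters when deciding whether a legacy protocol still carries wanted mail. Keying on the smtpd pid works because each smtpd process handles one session at a time and logs connect/disconnect for it; sessions that span a log rotation are skipped rather than miscounted.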