On August 24, 2017 8:05:20 AM EDT, Bernhard Schmidt <be...@debian.org> wrote:
>Kurt Roeckx <k...@roeckx.be> wrote:
>
>> Disabling the protocols is the only way I know how to identify
>> all the problems. And I would like to encourage everybody to
>> contact the other side if things break and get them to upgrade.
>
>There is now #873065 on Postfix which suggests MTAs don't fall back to
>plain SMTP if the SSL handshake fails due to disabling of TLSv1.0 and
>TLSv1.1. I think this problem will be unsolvable before at least Google
>and Microsoft do the same on their inbound servers, forcing everyone to
>change configs.

The log in that bug shows something connecting to a Postfix smtpd, so someone else's inbound isn't relevant to that bug. I need to find more information on it, but that is most likely a case of the sender not falling back to plain SMTP and so likely not a Postfix issue.

This does highlight problems with the current situation with openssl. I can't think of a case where no encryption is a better result than use of TLS.

Scott K