Scott Kitterman <deb...@kitterman.com> wrote:
>
>
> On August 24, 2017 8:05:20 AM EDT, Bernhard Schmidt <be...@debian.org> wrote:
>>Kurt Roeckx <k...@roeckx.be> wrote:
>>
>>> Disabling the protocols is the only way I know how to identify
>>> all the problems. And I would like to encourage everybody to
>>> contact the other side if things break and get them to upgrade.
>>
>>There is now #873065 on Postfix which suggests MTAs don't fall back to
>>plain SMTP if the SSL handshake fails due to disabling of TLSv1.0 and
>>TLSv1.1. I think this problem will be unsolvable before at least Google
>>and Microsoft do the same on their inbound servers, forcing everyone to
>>change configs.
> The log in that bug shows something connecting to a Postfix smtpd, so
> someone else's inbound isn't relevant to that bug.

Yes and no. The point was, even if all Debian-based MTAs disabled
TLSv1.0/TLSv1.1 leading to delivery issues, a very large portion of
senders won't fix their servers. They simply won't give a damn. Unless
Google and Microsoft do the same, in which case they suddenly cannot
reach >50% of their targets anymore and are forced to fix their side.

The suggested procedure for Buster (disable TLSv1.0/TLSv1.1, then
contact everyone who breaks due to this) is not viable for email. This
will prevent public servers from testing Buster for the whole time.

> I need to find more information on it, but that is most likely a case
> of the sender not falling back to plain SMTP and so likely not a
> Postfix issue.

Indeed.

Bernhard