On 11/14/2018 4:08 PM, Michael A. Peters wrote:
> Honestly that violates the concept of KISS.
>
> Given that TLS 1.2 is now a decade old, do you really need to
> still allow clients not capable of TLS 1.0/1.1 ???
>
> I still do but only allow cipher suites with Forward Secrecy.
>
> I don't run huge mail server, but from quick look at my logs I
> don't even see any clients connecting that aren't TLS 1.2 anymore.
>
> Might be easier to just give a six month notice that clients
> running TLS more than a decade old will no longer be supported.
+1 Strongly agree with this. If you have enough users that you have to use both hands to count them, running different protocols on different ports is a sure-fire way to annoy your users and create problems for support staff (e.g. you). Either allow the antique protocol everywhere, or give notice and cut it off.

-- 
Noel Jones
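The "quick look at my logs" step that both posters rely on before cutting off old TLS can be done systematically. The script below is an added example, not code from either poster; it assumes the Postfix smtpd handshake log format ("... TLS connection established from host: TLSvX with cipher ...") and runs over constructed sample lines, counting handshakes per protocol version and listing peers that still negotiate TLS 1.0/1.1 or a cipher suite without forward secrecy.

```python
import re
from collections import Counter

# Postfix smtpd TLS handshake line (assumed format; adjust the pattern for another MTA).
TLS_LINE = re.compile(
    r"smtpd\[\d+\]: (?:Anonymous|Trusted|Untrusted|Verified) TLS connection established "
    r"from (?P<host>\S+): (?P<proto>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>\S+)"
)

# Protocol versions the server is about to stop accepting.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def has_forward_secrecy(cipher):
    """Ephemeral (EC)DHE key exchange, or any TLS 1.3 suite, gives forward secrecy."""
    return cipher.startswith(("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_"))

def summarize_tls(log_lines):
    """Count handshakes per protocol and list peers that would break once legacy TLS is off."""
    by_proto, legacy_peers, no_fs_peers = Counter(), Counter(), Counter()
    for line in log_lines:
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS handshake line
        host, proto, cipher = m.group("host"), m.group("proto"), m.group("cipher")
        by_proto[proto] += 1
        if proto in LEGACY_PROTOCOLS:
            legacy_peers[host] += 1
        if not has_forward_secrecy(cipher):
            no_fs_peers[host] += 1
    return {"by_proto": dict(by_proto), "legacy_peers": dict(legacy_peers), "no_fs_peers": dict(no_fs_peers)}

# Constructed sample lines in Postfix syslog format (not real traffic).
SAMPLE_LOG = [
    "Nov 14 16:08:01 mx postfix/smtpd[1234]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Nov 14 16:08:05 mx postfix/smtpd[1235]: Anonymous TLS connection established from old-relay.example.net[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)",
    "Nov 14 16:09:12 mx postfix/smtpd[1236]: Trusted TLS connection established from mail.example.org[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)",
    "Nov 14 16:09:40 mx postfix/smtpd[1237]: Anonymous TLS connection established from legacy.example.com[203.0.113.5]: TLSv1.1 with cipher DHE-RSA-AES128-SHA (128/128 bits)",
    "Nov 14 16:10:02 mx postfix/smtpd[1238]: connect from unknown[203.0.113.9]",
]

if __name__ == "__main__":
    report = summarize_tls(SAMPLE_LOG)
    for proto, n in sorted(report["by_proto"].items()):
        print(f"{proto}: {n}")
    print("peers still on legacy TLS:", report["legacy_peers"])
    print("peers negotiating non-FS suites:", report["no_fs_peers"])
```

Run it over a few weeks of mail logs before the notice period ends; an empty legacy_peers list is the evidence that the cut-off will not surprise anyone.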