On 25 May 2025 11:54:29 UTC, Mike Cardwell via Exim-users <[email protected]> wrote:
> I don't know what the generally accepted config is for SMTP TLS these
> days, but bear in mind that a connecting MTA may decide to fall back to
> plain text if it can't agree a protocol/cipher with you. I'd rather
> have mail sent over TLS 1 than over plain text. Might be worth checking
> your logs first to see what protocols are in use. You might need to
> turn on some tls logging options first though.

It is hard, what is better, use weak TLS or plain text? From my point of view, first: it is not my problem, it is their decision (to use weak TLS). Second, weak TLS is IMO worse than plain text, as it provides a false feeling of protection and I personally prefer to avoid false feelings... See details in BCP 195 (RFC 8996) from 2021.

I disabled TLS1/1.1 some years ago. Since that time I have seen only one problematic MTA (it was my friend's MTA and it is already upgraded). Other failing handshakes are all from "security" scanners and random (exploited?) hosts, not worth bothering with. All real MTAs (connecting to me) are TLS1.2+ capable.

In the last 90 days only ~5 % of incoming conns used TLS1.2, thus 95 % used TLS1.3. I don't count plain text conns, as I have to exclude SPAMs, which will require more effort. In the same time, there were 3 unique hosts failing for unsupported TLS version, without repeats, thus some random SPAM.

Yes, my MTA is not representative, too few users/domains for that, but these numbers show trends -- the world is going away from deprecated TLS.

regards

-- 
Slavko
https://www.slavino.sk/
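The log check suggested in the quoted text, as an added example that is not part of the original post or of Exim: it tallies the TLS version of inbound message arrivals and lists peers still on TLS 1.0/1.1. It assumes Exim mainlog lines that carry the `X=` TLS field; the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Exim mainlog style (not taken from the post).
SAMPLE_LOG = """\
2025-05-20 10:01:02 1uA001-000001-01 <= a@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=2345
2025-05-20 10:02:10 1uA002-000002-02 <= b@example.com H=mx2.example.com [192.0.2.11] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=4100
2025-05-20 10:03:44 1uA003-000003-03 <= c@example.net H=mail.example.net [2001:db8::25] P=esmtps X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no S=900
2025-05-20 10:05:00 1uA004-000004-04 <= d@example.org H=old.example.org [198.51.100.7] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1800
2025-05-20 10:06:30 1uA005-000005-05 <= e@example.com H=legacy.example.com [203.0.113.5] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=1500
2025-05-20 10:07:15 1uA006-000006-06 <= f@example.net H=plain.example.net [203.0.113.9] P=esmtp S=700
2025-05-20 10:08:00 1uA007-000007-07 <= root U=root P=local S=400
2025-05-20 10:08:01 1uA007-000007-07 => g@example.org R=dnslookup T=remote_smtp H=mx1.example.org [192.0.2.10] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 OK"
"""

# "<=" marks a message arrival; a bracketed IP means it came from a remote host.
ARRIVAL = re.compile(r" <= \S+ .*?\[(?P<ip>[0-9A-Fa-f.:]+)\]")
# Accept both "TLS1.2:" and the older "TLSv1:" spelling (assumption: both may occur).
TLS = re.compile(r" X=TLSv?(?P<ver>\d(?:\.\d)?):")
DEPRECATED = {"1.0", "1.1"}  # versions deprecated by RFC 8996


def tally(lines):
    """Count inbound arrivals per TLS version and collect peers on deprecated TLS."""
    versions, deprecated_peers = Counter(), defaultdict(set)
    for line in lines:
        arrival = ARRIVAL.search(line)
        if not arrival:
            continue  # deliveries, local submissions, other log lines
        tls = TLS.search(line)
        if not tls:
            versions["plaintext"] += 1
            continue
        ver = tls.group("ver")
        ver = ver if "." in ver else ver + ".0"  # "1" -> "1.0"
        versions[ver] += 1
        if ver in DEPRECATED:
            deprecated_peers[ver].add(arrival.group("ip"))
    return versions, deprecated_peers


def tls_share(versions):
    """Percentage per TLS version among encrypted arrivals (plaintext excluded)."""
    total = sum(n for v, n in versions.items() if v != "plaintext")
    return {v: round(100 * n / total, 1) for v, n in versions.items() if v != "plaintext"} if total else {}


if __name__ == "__main__":
    counts, peers = tally(SAMPLE_LOG.splitlines())
    print(tls_share(counts), {v: sorted(ips) for v, ips in peers.items()})
```

Running it over a window of real logs before disabling TLS 1.0/1.1 shows which sending hosts, if any, would be affected.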
