On 29.05.25 at 12:04, Kai Bojens via Exim-users wrote:
> On Sunday, 25 May 2025 13:54:29 Central European Summer Time Mike Cardwell via Exim-users wrote:
>> I don't know what the generally accepted config is for SMTP TLS these days, but bear in mind that a connecting MTA may decide to fall back to plain text if it can't agree a protocol/cipher with you. I'd rather have mail sent over TLS 1 than over plain text.
> In theory that's right. And then your customer tells you that he has this shiny "cyber insurance" and their insurance company sends a port scan and complains about those old TLS versions …
... and you can simply reject plain text delivery, which is nowadays the same as using TLS 1.0/1.1.
If it helps in making a decision:

For the EU, as a company or organization of any form, you have to enforce TLS 1.2+ (§32 GDPR -> state of the art and has no costs), because it's impossible to know beforehand if someone is sending you personal data or not, and the law says that the transport of personal data has to be protected. This makes unencrypted traffic only possible for technical data. But it's more effort to exclude some servers/mail addresses from the TLS enforcement than actually enabling TLS at the sender.

Because you can't be clairvoyant about who sends it, TLS is enforced for any non-EU sender as well by EU companies, if they are lawful and not willing to maintain two servers inside and outside of the EU. Whether non-EU people like it or not, the EU raised the bar in mail transport security to a meaningful level for anyone, and the rest of the world would be well advised to follow the lead.

A quick scan on our cluster shows only spam as source for unencrypted mails. There is simply no sense in accepting unencrypted mails anymore.

Best regards, Cyborg
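
One way to run the kind of scan the message mentions before rejecting plain text or old TLS versions, as an added example that is not part of the original post or of Exim itself: it tallies inbound arrivals in an Exim main log by negotiated TLS version. It assumes the default arrival-line format with the `X=` cipher field logged; the log lines, hosts and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Exim's main-log format (assumed default log selectors).
SAMPLE_LOG = """\
2025-05-29 12:00:01 1uKaaa-000001-0A <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=2101
2025-05-29 12:00:05 1uKaab-000002-0B <= bob@example.net H=old.example.net [198.51.100.7] P=esmtps X=TLS1.0:ECDHE-RSA-AES256-SHA:256 CV=no S=1880
2025-05-29 12:00:09 1uKaac-000003-0C <= promo@example.com H=(bulk) [203.0.113.5] P=esmtp S=9912
2025-05-29 12:00:12 1uKaaa-000001-0A => carol@example.org R=dnslookup T=remote_smtp H=mail.example.org [192.0.2.20] X=TLS1.3:TLS_AES_256_GCM_SHA384:256
2025-05-29 12:00:15 1uKaad-000004-0D <= dave@example.org H=mx.example.org [192.0.2.10] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3050
2025-05-29 12:00:20 1uKaae-000005-0E <= root@localhost U=root P=local S=512
"""

ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= \S+ (?P<rest>.*)$")    # "<=" marks message arrival
REMOTE_IP = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")        # present only for remote peers
TLS_FIELD = re.compile(r"\bX=TLSv?(?P<ver>\d+(?:\.\d+)?):")  # TLS1.3 / TLSv1.2 / TLS1.0


def classify(line):
    """Return (bucket, peer_ip) for a remote arrival line, else None."""
    m = ARRIVAL.match(line)
    if not m:
        return None                      # delivery or other log line
    ip = REMOTE_IP.search(m["rest"])
    if not ip:
        return None                      # local submission, no peer address
    tls = TLS_FIELD.search(m["rest"])
    if tls is None:
        bucket = "plaintext"             # no X= field: session was not encrypted
    elif float(tls["ver"]) < 1.2:
        bucket = "legacy-tls"            # TLS 1.0 / 1.1
    else:
        bucket = "tls1.2+"
    return bucket, ip["ip"]


def summarise(log_text):
    """Count arrivals per bucket and collect the peer IPs seen in each."""
    counts, peers = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            bucket, ip = result
            counts[bucket] += 1
            peers[bucket].add(ip)
    return counts, peers


if __name__ == "__main__":
    counts, peers = summarise(SAMPLE_LOG)
    for bucket in ("tls1.2+", "legacy-tls", "plaintext"):
        print(f"{bucket:11} {counts[bucket]:3}  {sorted(peers[bucket])}")
```

The peers listed under `legacy-tls` and `plaintext` are the senders that would be affected by requiring TLS 1.2+ on inbound connections.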