On 2024-03-13 at 07:28:18 UTC-0400 (Wed, 13 Mar 2024 11:28:18 +0000 (UTC)) L. Mark Stone via mailop <mark.st...@missioncriticalemail.com> is rumored to have said:

> FWIW, our view is that poor encryption can be worse than no encryption, as it
> can give the participants a false sense of security. This seems like a good
> move to us.
>
> We have configured Postfix in our Zimbra MTA servers to do only TLS 1.2/1.3,
> and fall back to unencrypted if a TLS connection can't be negotiated (per RFC
> 2487).

Every time I see this argument, I am struck by an important question: What is "poor" or "weak" about TLSv1.0 and TLSv1.1 which is relevant in the context of SMTP, other than their easily-disabled support for weak ciphers?

I've never found a coherent answer. Without one, disabling them is a cargo-cult praxis that is worse than any false sense of security provided to oblivious peers who can't do TLSv1.2 or better. It is a disservice to end recipients for a pair of MTAs to fall back to plaintext when both ends could in principle negotiate a rock-solid ciphersuite with TLSv1.0 or TLSv1.1.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
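To make the two positions in this exchange concrete, here is an added Postfix main.cf fragment (not from either poster's servers) showing the protocol-restricting configuration Stone describes beside the cipher-restricting alternative Cole argues for; it assumes Postfix 3.6 or later for the `>=TLSv1.2` protocol syntax, and the cipher exclusion list is an illustrative choice, not a recommendation from the thread.

```ini
# Added example, not configuration from the thread. Outbound (smtp_) client side;
# the smtpd_ parameters mirror these for inbound sessions.

# Opportunistic TLS: try STARTTLS, deliver in the clear if the peer does not
# offer it or the handshake fails (the RFC 2487 / RFC 3207 fallback behaviour).
smtp_tls_security_level = may

# --- Configuration A (as described by L. Mark Stone): TLS 1.2/1.3 only.
# A peer that only speaks TLSv1.0 or TLSv1.1 fails the handshake, and because
# the security level is "may" the message is then sent in plaintext.
smtp_tls_protocols = >=TLSv1.2

# --- Configuration B (the alternative Bill Cole argues for): leave TLSv1.0 and
# TLSv1.1 negotiable, and exclude weak ciphers instead, so that any session
# that is established still uses a strong ciphersuite.
# smtp_tls_protocols = !SSLv2, !SSLv3
# smtp_tls_ciphers = high
# smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, SRP

# smtp_tls_protocols and smtp_tls_ciphers only govern opportunistic ("may")
# sessions; "encrypt"/"secure"/"dane" destinations are governed by
# smtp_tls_mandatory_protocols and smtp_tls_mandatory_ciphers, which can be
# set to the stricter policy without causing plaintext fallback.

# Log the negotiated protocol and cipher of each session so the effect of
# either choice can be verified in the mail log (one summary line per session).
smtp_tls_loglevel = 1
```

With `smtp_tls_loglevel = 1`, each delivery logs a line such as "Untrusted TLS connection established to ...: TLSv1.2 with cipher ...", which is the simplest way to measure how many peers would actually be pushed to plaintext by configuration A before adopting it.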