It’s not unusual, selling into central government (UK & NL at least), to require TLS <1.2 to be disabled even on SMTP and, in my experience, this does mean a small (I’d suggest very small) number of remotes that are unable and "fall back" to clear.

I personally find it a bit of a moot point; if your adversary is MITM and capturing your <1.2 traffic, then they can just as likely hijack the EHLO response and hide TLS capability altogether.

Arguably, disabling <1.2 as it’s “insecure” is ironic when it’s opportunistic in the first place but personally, I'd disable with an appropriate response code.

On 21 May 2024, at 18:50, John Levine via mailop <mailop@mailop.org> wrote:

It appears that Benny Pedersen via mailop <m...@junc.eu> said:
Suresh Ramasubramanian via mailop skrev den 2024-05-21 15:18:
Yeah Benny – if you’re running 16-year-old code and certificates
that you’re still on TLS v1 or 1.1, it is time to upgrade, asap.
What you have is not much better or worse than sending it en clair
anyway.

tls is self adaptive, so no need to do more than have the latest version of
openssl installed

Ah, so you're saying that anyone running TLS mail software will have
TLS/1.2 and 1.3, so there is no reason to allow or use 1.0 and 1.1 which
have been obsolete for a decade and a half.

Good point.

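As an added illustration of the fallback behaviour discussed in this thread (example code, not from any poster), here is a small Python model of the sending side's decision: the EHLO reply is parsed for the STARTTLS keyword, the client TLS context is pinned to 1.2 or newer, and the opportunistic-versus-mandatory policy decides whether a missing STARTTLS silently yields cleartext or a deferral. The host name and both EHLO replies are constructed.

```python
import ssl

# Constructed EHLO replies (not captured from any real server). The second one
# is what a stripped/hidden STARTTLS capability looks like on the wire: the
# reply is still a valid 250, only the STARTTLS line is gone.
EHLO_WITH_STARTTLS = (
    "250-mx.example.test\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = "250-mx.example.test\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"


def ehlo_keywords(response: str) -> set:
    """Return the upper-cased keywords advertised in a multi-line 250 EHLO reply.

    The first 250 line carries the server's domain, not a keyword, so it is skipped.
    """
    lines = [ln for ln in response.splitlines() if ln.startswith("250")]
    keywords = set()
    for line in lines[1:]:
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def client_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2, matching the policy in the thread."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def decide_delivery(ehlo_response: str, mandatory_tls: bool) -> str:
    """Return 'starttls', 'cleartext' or 'defer'.

    With opportunistic TLS (mandatory_tls=False) a missing STARTTLS keyword quietly
    becomes a cleartext session; with mandatory TLS the message is deferred instead,
    which is the only setting under which hiding STARTTLS does not win.
    """
    if "STARTTLS" in ehlo_keywords(ehlo_response):
        return "starttls"
    return "defer" if mandatory_tls else "cleartext"
```

Counting how often `decide_delivery` returns `cleartext` in a real sender's logs gives the "very small number of remotes" figure the first post mentions, per destination domain.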