On Fri, Jun 07, 2024 at 11:31:04AM +0200, Daniel Hiepler via Postfix-users wrote:
> TLSv1.0 and TLSv1.1 were deprecated long ago (e.g. RFC 8996) and some
> legislation suggests or even requires to disable them. Doesn't that
> ">=TLSv1" statement mean "TLS1.0 or higher?".

Yes, it allows TLS 1.0 and up, which pose no known risk in the context of SMTP, they do slightly improve interoperability, though their utility is dropping rapidly. You can typically get by with TLS 1.2 and up these days, unless some specific sender you care about fails to measure up.

> I'm pretty sure that the "tlsv1 alert insufficient security" error is
> caused by a connection from major mailprovider not my server (I just
> x'ed the IP and domain name to be sure).

Their server is set to require more of some aspect of TLS cryptography than your server is offering, what exactly is hard to say. Perhaps more RSA key bits, or more DH bits, or ...

--
    Viktor.
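
One way to check whether "some specific sender you care about fails to measure up" before raising the floor to TLS 1.2, as an added example that is not part of the original message: it tallies the protocol versions that inbound clients actually negotiated, from Postfix smtpd log lines. It assumes `smtpd_tls_loglevel = 1` or higher so that the "TLS connection established" lines are logged; the sample log, host names and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, in the shape smtpd logs with smtpd_tls_loglevel = 1.
SAMPLE_LOG = """\
Jun  7 09:12:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun  7 09:13:44 mx postfix/smtpd[2105]: Anonymous TLS connection established from old.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jun  7 09:15:02 mx postfix/smtpd[2107]: Anonymous TLS connection established from relay.example.com[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  7 09:18:30 mx postfix/smtpd[2109]: Anonymous TLS connection established from old.example.org[198.51.100.7]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jun  7 09:19:00 mx postfix/smtpd[2110]: connect from unknown[203.0.113.9]
"""

# Protocol names as they appear in the log, weakest first.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
ESTABLISHED = re.compile(
    r"TLS connection established from (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def sessions(log_text):
    """Yield (host, addr, protocol) for each completed inbound handshake."""
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m and m["proto"] in ORDER:
            yield m["host"], m["addr"], m["proto"]

def protocol_tally(log_text):
    """Count completed handshakes per negotiated protocol version."""
    return Counter(proto for _, _, proto in sessions(log_text))

def clients_below(log_text, floor="TLSv1.2"):
    """Clients whose best negotiated protocol is still under `floor`."""
    best = defaultdict(int)
    for host, addr, proto in sessions(log_text):
        best[(host, addr)] = max(best[(host, addr)], ORDER.index(proto))
    return sorted(k for k, v in best.items() if v < ORDER.index(floor))

if __name__ == "__main__":
    print(dict(protocol_tally(SAMPLE_LOG)))
    for host, addr in clients_below(SAMPLE_LOG):
        print(f"would fail with a TLSv1.2 floor: {host}[{addr}]")
```

Handshakes that fail outright, such as the "insufficient security" alert discussed above, never produce an established line and so do not appear in this tally.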