On Sun, Dec 22, 2024 at 02:31:56PM +0000, Laura Smith via Postfix-users wrote:

> > Note that after the above you're allowing TLS 1.0 by default, where you
> > insisted on TLS 1.2 or higher before. Postfix parsing of the legacy
> > protocol negations has not changed. But you should be using the
> > preferred min/max forms.
> 
> I know you're saying nothing changed, but I'm telling you:
> 
>   openssl s_client -connect hostname:25 -starttls smtp
>
> Failed with the above error "before" and connects as expected "after"
> the changes outlined.

And, FWIW, I'm telling you that nothing has changed on the Postfix side.
So if you saw an effect, it was for some other reason.

> Thank you for highlighting the accidental allow of 1.0. That was not
> expected. The config lines actually came from the Postfix docs, so
> perhaps you'd like to update the docs with saner examples? :)

Allowing TLS 1.0 in SMTP is a reasonably sane, conservative choice,
though increasingly being *that* conservative is less often needed.
Yes, for many sites there is no longer any traffic they care about
that still uses TLS 1.0, but nothing bad happens if you allow it.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
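The thread turns on the two ways Postfix lets you write a protocol list (the legacy `!`-negation form and the preferred `>=`/`<=` min/max form) and on the fact that dropping the restriction entirely falls back to a default that still admits TLS 1.0. The following is an added example, not Postfix code and not part of the original thread: a small model of that syntax that reports which protocol versions a given `smtpd_tls_protocols` value leaves enabled, so a configuration change can be reviewed before (or alongside) the `openssl s_client -starttls smtp` check quoted above. It assumes comma or whitespace separators, the six protocol names listed in `PROTOCOLS`, and that an empty value means "no restriction"; mixing inclusion and exclusion in one list is rejected rather than guessed at.

```python
import re

# Protocol versions in ascending order; the min/max form is evaluated
# as a range over this ordering. (Assumed name set, modelled on the
# names Postfix documents for smtpd_tls_protocols / smtp_tls_protocols.)
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def _check_name(name: str) -> str:
    if name not in PROTOCOLS:
        raise ValueError(f"unknown protocol name: {name!r}")
    return name


def enabled_protocols(setting: str) -> list[str]:
    """Return the protocol versions a Postfix-style protocol list enables.

    Two syntaxes are modelled (my own reading of the documented rules):
      * min/max form:  ">=TLSv1.2"  or  ">=TLSv1, <=TLSv1.3"
      * legacy form:   "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"  (exclusions),
                       or a plain list of names to enable only those.
    An empty value is treated as "no restriction" (assumption).
    """
    tokens = [t for t in re.split(r"[\s,]+", setting.strip()) if t]
    if not tokens:
        return list(PROTOCOLS)

    # Preferred min/max form: every token must be >=NAME or <=NAME.
    if any(t.startswith((">=", "<=")) for t in tokens):
        lo, hi = 0, len(PROTOCOLS) - 1
        for t in tokens:
            if t.startswith(">="):
                lo = max(lo, PROTOCOLS.index(_check_name(t[2:])))
            elif t.startswith("<="):
                hi = min(hi, PROTOCOLS.index(_check_name(t[2:])))
            else:
                raise ValueError(f"cannot mix {t!r} with min/max form")
        return PROTOCOLS[lo:hi + 1]

    # Legacy form: "!NAME" excludes, bare NAME includes.
    excluded = {_check_name(t[1:]) for t in tokens if t.startswith("!")}
    included = {_check_name(t) for t in tokens if not t.startswith("!")}
    if excluded and included:
        raise ValueError("do not mix inclusion and exclusion in one list")
    if included:
        return [p for p in PROTOCOLS if p in included]
    return [p for p in PROTOCOLS if p not in excluded]


def allows_tls10(setting: str) -> bool:
    """True if the setting still permits a TLS 1.0 handshake."""
    return "TLSv1" in enabled_protocols(setting)


def review(settings: dict[str, str]) -> dict[str, bool]:
    """Map each labelled setting to whether it admits TLS 1.0."""
    return {label: allows_tls10(value) for label, value in settings.items()}


if __name__ == "__main__":
    # Constructed sample values for the three situations in the thread:
    # the old legacy-negation line, the preferred replacement, and the
    # unrestricted default one gets after deleting the setting.
    samples = {
        "legacy negation":   "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1",
        "preferred min/max": ">=TLSv1.2",
        "setting removed":   "",
    }
    for label, value in samples.items():
        print(f"{label:18s} {value!r:40s} -> {enabled_protocols(value)}")
```

Run it as a script to see that the legacy line and `>=TLSv1.2` enable the same versions, while the empty (removed) setting is the one that lets TLS 1.0 back in; `review()` gives the same answer as a dict for use in a config-linting hook.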
