On Sep 11, 2013, at 17:24, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>> May do the same for outgoing connections.
>
> This is more reasonable, provided systems you send mail to all
> support TLSv1 and up. What fraction of outbound handshakes end up
> with SSLv3?

Outbound is an even smaller percentage of total TLS connections established in August: 0,0002%. Interestingly, they are both banks; one Dutch, and one Swiss. Both use SSLv3 with AES256-SHA; I wouldn't be surprised if that means they are using the same brand of security product.

The odd thing is that both banks drop to RC4-MD5 when sending to us. I've seen this on another product that we support ourselves as well: the Postfix client negotiates a higher protocol level and better cipher for outgoing mail than the server does for incoming mail. There is probably a good reason for this, but it feels to me like they should support the same protocol and cipher level regardless of direction?

I re-enabled SSLv3 for incoming connections again, by the way; it turns out that about half of those incoming connections are from an outsourcing firm that handles payment notifications for, yes, another Dutch bank. Sigh ;-)

Kind regards,
Joni
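The measurement Joni describes (what fraction of inbound and outbound TLS handshakes still negotiate SSLv3, and which peers they are) can be taken from the Postfix mail log before tightening `smtpd_tls_protocols` (inbound) or `smtp_tls_protocols` (outbound). The script below is an added example written for this thread, not code from the list or from Postfix itself; the log lines are constructed samples that follow the shape of Postfix's "TLS connection established" messages, and the peer names and addresses are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the thread). The formats follow the
# Postfix "TLS connection established" messages emitted by smtpd (inbound)
# and smtp (outbound); hostnames and addresses are placeholders.
SAMPLE_LOG = """\
Aug  3 10:01:12 mx postfix/smtpd[4711]: Anonymous TLS connection established from mail.example.com[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Aug  3 10:02:40 mx postfix/smtpd[4712]: Anonymous TLS connection established from gw.bank.example[192.0.2.20]: SSLv3 with cipher AES256-SHA (256/256 bits)
Aug  3 10:05:01 mx postfix/smtp[4720]: Untrusted TLS connection established to mx.bank.example[198.51.100.5]:25: SSLv3 with cipher AES256-SHA (256/256 bits)
Aug  3 10:06:15 mx postfix/smtp[4721]: Untrusted TLS connection established to mail.example.net[198.51.100.9]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Aug  3 10:07:30 mx postfix/smtpd[4713]: Anonymous TLS connection established from mail.example.net[198.51.100.9]: TLSv1 with cipher AES256-SHA (256/256 bits)
Aug  3 10:08:00 mx postfix/smtpd[4714]: disconnect from spam.example[203.0.113.7]
"""

# smtpd logs "from host[addr]:", smtp logs "to host[addr]:port:"; the optional
# port group handles the outbound form without swallowing the peer name.
TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd|smtp)\[\d+\]: "
    r"(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<dir>from|to) (?P<peer>\S+?)(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def parse_tls_connections(log_text):
    """Yield (direction, peer, protocol, cipher) for every TLS handshake line."""
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            direction = "inbound" if m.group("daemon") == "smtpd" else "outbound"
            yield direction, m.group("peer"), m.group("proto"), m.group("cipher")


def protocol_breakdown(log_text):
    """Count handshakes per direction and protocol,
    e.g. {'inbound': {'TLSv1': 2, 'SSLv3': 1}, 'outbound': {...}}."""
    counts = defaultdict(Counter)
    for direction, _peer, proto, _cipher in parse_tls_connections(log_text):
        counts[direction][proto] += 1
    return {d: dict(c) for d, c in counts.items()}


def legacy_fraction(log_text, direction, legacy=("SSLv2", "SSLv3")):
    """Fraction (0.0 to 1.0) of handshakes in one direction that used a legacy
    protocol; this is the number to look at before disabling SSLv3 there."""
    counts = protocol_breakdown(log_text).get(direction, {})
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for p, n in counts.items() if p in legacy) / total


def legacy_peers(log_text, legacy=("SSLv2", "SSLv3")):
    """Distinct peers still negotiating a legacy protocol, with direction and
    cipher, so the operator knows whom to contact before tightening
    smtpd_tls_protocols / smtp_tls_protocols."""
    return sorted(
        {(d, peer, proto, cipher)
         for d, peer, proto, cipher in parse_tls_connections(log_text)
         if proto in legacy}
    )


if __name__ == "__main__":
    print(protocol_breakdown(SAMPLE_LOG))
    for direction in ("inbound", "outbound"):
        print(direction, "legacy fraction:", round(legacy_fraction(SAMPLE_LOG, direction), 4))
    for entry in legacy_peers(SAMPLE_LOG):
        print("legacy peer:", entry)
```

On a real server, feed it the mail log instead of `SAMPLE_LOG` (for example `protocol_breakdown(open("/var/log/mail.log").read())`). Running it per direction matches the observation in the thread: the same peer can appear with a different protocol and cipher depending on whether it is the client or the server, so the inbound and outbound fractions should be checked separately before changing either parameter.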