On Fri, May 22, 2015 at 12:26:41PM -0600, @lbutlr wrote:
> On 22 May 2015, at 07:42, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> > # Avoid obsolete protocol versions
> > #
> > smtpd_tls_protocols = !SSLv2, !SSLv3
> > smtp_tls_protocols = !SSLv2, !SSLv3
>
> Quick question.
>
> On 8 Feb 2015, you said:
> > Depending on who your users correspond with, you may not lose much by
> > disabling SSLv3, but you'll not gain anything by doing so. However, while
> > turning off SSLv3 (if you so choose) do not disable TLSv1.1 and TLSv1.2.
> >
> > Recommended:
> >
> > smtpd_tls_protocols = !SSLv2
> >
> > Mostly harmless:
> >
> > smtpd_tls_protocols = !SSLv2, !SSLv3
>
> Has your thinking on this changed with regards to !SSLv3 on smtpd since
> February?

Not really, this is a judgement call. The OP wanted more security; in general
one may want to optimize for interoperability. However the world is moving
on, and there's little use of SSLv3 left. So in practice this makes little
difference.

--
Viktor.
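
The settings discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages or of Postfix itself: a simplified model of how a `*_tls_protocols` value resolves to the set of enabled protocols, plus an audit that flags SSLv2/SSLv3 left on or TLSv1.1/TLSv1.2 switched off. The function names and the `KNOWN` list (protocol names as of this 2015 thread) are assumptions made for the illustration.

```python
# Added example: simplified model of a Postfix *_tls_protocols value.
# KNOWN is an assumption: the protocol names in use at the time of this thread.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def effective_protocols(value):
    """Return the protocols left enabled by e.g. '!SSLv2, !SSLv3'."""
    include, exclude = set(), set()
    # Tokens may be separated by whitespace, commas or colons.
    for token in value.replace(",", " ").replace(":", " ").split():
        negated = token.startswith("!")
        name = token.lstrip("!")
        canon = next((k for k in KNOWN if k.lower() == name.lower()), None)
        if canon is None:
            raise ValueError(f"unknown protocol name: {token!r}")
        (exclude if negated else include).add(canon)
    # A bare (non-"!") name turns the value into an allow-list: every
    # protocol that is not named is switched off, newer TLS versions included.
    base = include if include else set(KNOWN)
    return [p for p in KNOWN if p in base and p not in exclude]


def audit(value):
    """List the findings for one setting; an empty list means no findings."""
    enabled = effective_protocols(value)
    findings = [f"{p} still enabled" for p in ("SSLv2", "SSLv3") if p in enabled]
    findings += [f"{p} disabled" for p in ("TLSv1.1", "TLSv1.2") if p not in enabled]
    return findings


if __name__ == "__main__":
    # Constructed sample values: the two from the thread plus an allow-list.
    for setting in ("!SSLv2", "!SSLv2, !SSLv3", "TLSv1"):
        print(f"{setting!r:20} -> {effective_protocols(setting)} {audit(setting)}")
```

The third sample shows why the exclusion form is used in the thread: naming a single protocol without `!` silently drops TLSv1.1 and TLSv1.2.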