On 5/24/2015 5:38 AM, Postfix User wrote:
> On Sat, 23 May 2015 12:13:33 -0500, Noel Jones stated:
>
>> # Avoid obsolete protocol versions
>> #
>> smtpd_tls_protocols = !SSLv2, !SSLv3
>> smtp_tls_protocols = !SSLv2, !SSLv3
>
> Wouldn't the following be more secure:
>
> smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>
> I thought I saw that listed on this forum earlier this year.
>
Far too many mail servers don't support TLSv1.2 yet. A significant number of sites would be unable to send you mail, since not every MTA supports plaintext fallback. Even disabling SSLv3 carries some risk. Regardless, TLSv1 is still good enough for opportunistic encryption between anonymous parties. Use a TLS policy map to require better encryption when sending to trusted sites.

--
Noel Jones
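Before excluding TLSv1/TLSv1.1 in smtpd_tls_protocols, it helps to measure how many peers still negotiate them. The script below is an added example (not from the thread or from Postfix) that tallies the protocol version from "TLS connection established" lines in the mail log; the log lines are constructed samples in the standard Postfix format, not real traffic.

```shell
#!/bin/sh
# Constructed sample of Postfix mail log lines (not real traffic).
# smtpd = inbound sessions, smtp = outbound sessions.
SAMPLE_LOG='May 24 05:40:12 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
May 24 05:41:03 mx postfix/smtpd[2102]: Anonymous TLS connection established from mta.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 24 05:42:30 mx postfix/smtp[2150]: Trusted TLS connection established to mx.partner.example[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 24 05:43:11 mx postfix/smtpd[2103]: Anonymous TLS connection established from relay.example.com[192.0.2.44]: TLSv1.1 with cipher AES256-SHA (256/256 bits)
May 24 05:44:00 mx postfix/smtpd[2104]: connect from unknown[192.0.2.99]'

# Usage: tls_protocol_summary <smtpd|smtp> < maillog
# Prints one "PROTOCOL COUNT" line per negotiated protocol version.
tls_protocol_summary() {
    daemon="$1"
    grep "postfix/${daemon}\[" \
      | grep 'TLS connection established' \
      | sed -n 's/.*: \([A-Za-z]*v[0-9.]*\) with cipher.*/\1/p' \
      | sort | uniq -c \
      | awk '{ print $2, $1 }'
}

# Usage: legacy_tls_count <smtpd|smtp> < maillog
# Number of sessions that used SSLv2/SSLv3/TLSv1/TLSv1.1, i.e. the
# sessions that would fail (or fall back to plaintext) if those
# versions were excluded from *_tls_protocols.
legacy_tls_count() {
    tls_protocol_summary "$1" \
      | awk '$1 ~ /^SSLv/ || $1 == "TLSv1" || $1 == "TLSv1.1" { n += $2 }
             END { print n + 0 }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | tls_protocol_summary smtpd
printf 'inbound sessions on legacy protocol versions: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | legacy_tls_count smtpd)"
```

On a live system, replace the constructed sample with `grep postfix /var/log/maillog` (or wherever syslog keeps the mail log) and compare the legacy count against total sessions over a few weeks before tightening the setting.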