On Fri, Jan 13, 2017 at 02:54:08PM +0000, Dominic Raferd wrote:
> > Public MX servers can use mandatory encryption. It's not like you are going
> > to be fined for not accepting insecure connections...
>
> We don't send any payment data by email but we did have a separate POS
> machine at the same location and this had to pass PCI DSS. The online
> test for this POS machine flagged a 'fail' if we permitted TLS 1.0 on
> our (separate, but co-located) mail server.
The test is cargo-cult application of rules in an entirely
inappropriate context. The consequence of not allowing TLS 1.0
would be that a non-trivial fraction of the email would be delivered
in the clear instead. It is not yet time to retire TLS 1.0 in
inbound public MX hosts.
One can usually provide explanations for such audit failures, and
do the sensible thing, rather than the technically correct, but
stupid thing.
--
Viktor.
