On 24 Oct 2018, at 18:44, @lbutlr wrote:
> On Oct 24, 2018, at 09:19, Benny Pedersen <m...@junc.eu> wrote:
>> do not disable tlsv1
> I couldn't disagree more. TLSv1.2 has been out for a decade and
> there is no reason to be running v1 or v1.1. At all.
Well, you can say that, but...
# grep 'TLS connection established from' mail.log |sed 's/^.*: \(TLSv[^ ]*\).*/\1/' |sort |uniq -c
1285 TLSv1
2 TLSv1.1
4997 TLSv1.2
So, for this atypical mail system, about 1 in 4 TLS connections can't do
v1.2. That includes machines at such sketchy places as Cloud9 (handler
of this mailing list), BlackBaud (many non-profits), FictionPress
(a.k.a. FanFiction.net), SpamCop, and AOL.
I expect that all of those will fall back to cleartext if I demand v1.2,
so mail will still work. I doubt that anyone finds the mail flow of that
server to be worth sniffing.
YMMV
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
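The grep/sed/uniq pipeline in Bill's message only tallies versions. The following is an added Python example (not from the thread) that makes the same inbound-only tally over constructed sample Postfix smtpd lines and also records which peer hosts negotiated each version, so the "who breaks if I require v1.2" question can be answered per sender; hostnames and addresses are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Postfix smtpd/smtp log format; hosts and IPs are placeholders.
SAMPLE_LOG = """\
Oct 24 09:19:01 mx postfix/smtpd[1001]: Anonymous TLS connection established from mta.legacy.example[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Oct 24 09:19:05 mx postfix/smtpd[1002]: Untrusted TLS connection established from mail.partner.example[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Oct 24 09:20:11 mx postfix/smtpd[1003]: Trusted TLS connection established from mail.partner.example[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 24 09:21:42 mx postfix/smtpd[1004]: Anonymous TLS connection established from old.relay.example[203.0.113.4]: TLSv1.1 with cipher AES128-SHA (128/128 bits)
Oct 24 09:22:00 mx postfix/smtp[1005]: Untrusted TLS connection established to mx.remote.example[203.0.113.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Oct 24 09:22:30 mx postfix/smtpd[1006]: connect from mta.legacy.example[192.0.2.10]
"""

# Inbound handshakes only ("established from"), matching the grep in the message;
# outbound "established to" lines from postfix/smtp are deliberately ignored.
INBOUND_TLS = re.compile(
    r"TLS connection established from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>TLSv[0-9.]+) with cipher (?P<cipher>\S+)"
)

def tally_inbound_tls(log_text):
    """Return (Counter of protocol versions, dict proto -> set of peer hostnames)."""
    by_proto = Counter()
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = INBOUND_TLS.search(line)
        if not m:
            continue
        by_proto[m["proto"]] += 1
        peers[m["proto"]].add(m["host"])
    return by_proto, peers

def _version_key(proto):
    """'TLSv1' -> (1, 0), 'TLSv1.2' -> (1, 2), so versions compare numerically."""
    parts = proto[len("TLSv"):].split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)

def legacy_share(by_proto, minimum="TLSv1.2"):
    """Fraction of inbound TLS handshakes that negotiated a version older than `minimum`."""
    total = sum(by_proto.values())
    if total == 0:
        return 0.0
    legacy = sum(n for p, n in by_proto.items() if _version_key(p) < _version_key(minimum))
    return legacy / total

if __name__ == "__main__":
    counts, peers = tally_inbound_tls(SAMPLE_LOG)
    for proto, n in sorted(counts.items()):
        print(f"{n:6d} {proto}  peers: {', '.join(sorted(peers[proto]))}")
    print(f"share below TLSv1.2: {legacy_share(counts):.0%}")
```

Run it against a real mail.log instead of SAMPLE_LOG to see which senders would be forced down to cleartext (or refused) once TLSv1/1.1 are disabled.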