| You disable cleartext SMTP as well?
The rationale here is that by accepting provably insecure protocols, one
provides an illusion of security, which is potentially more dangerous
than transparently refusing them and falling back to plaintext delivery to
preserve the functionality (which can create an incentive to upgrade
from probably obsolete and unsupported software).

Moreover, mandatory TLS on public SMTP servers is prohibited as of now
according to the RFC (you still MUST provide the option to fall back on
plaintext delivery in case of TLS handshake failure on a public SMTP
server). Deprecation of TLS older than 1.2 is recommended by RFC 8314 (and
you CAN and SHOULD disable them).
"As soon as practicable, MSPs currently supporting Secure Sockets Layer
(SSL) 2.x, SSL 3.0, or TLS 1.0 SHOULD transition their users to TLS 1.1
or later and discontinue support for those earlier versions of SSL and
TLS." - RFC 8314
--
Best Regards,
Daniel Ryšlink
System Administrator
Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.rysl...@dialtelecom.cz
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply get connected
-----------------------------------------------
On 25-Oct-18 07:48, Bastian Blank wrote:
On Wed, Oct 24, 2018 at 04:44:19PM -0600, @lbutlr wrote:
On Oct 24, 2018, at 09:19, Benny Pedersen <m...@junc.eu> wrote:
do not disable tlsv1
I couldn’t disagree more. TLSv1.2 has been out for a decade and there is no
reason to be running v1 or v1.1. At all.
You disable cleartext SMTP as well?
Bastian