On Thu, May 14, 2020 at 12:56:46PM -0400, Ian Evans wrote:
> As some test suite recommendations might be harsher than what is practical
> I thought I'd check with the people who actually work on Postfix.
The most important question is: are you talking about mandatory or opportunistic TLS? All the tests I've seen only make sense for mandatory TLS.

Mandatory TLS is used for mail submission from your own clients. For connections by your own clients you can require whatever settings you desire, even TLS 1.3 only if they are recent enough, not that I would recommend this just yet.

However, connections from and to the rest of the SMTP world mostly use opportunistic TLS, with the notable exception of DANE (or STS) authenticated connections. If the client can't use TLS, it will just fall back to plaintext connections. So requiring too-strict settings will just force the mail to be delivered via a plaintext connection, and you've lost the protection even TLS 1.0 can provide you with.

> 1) some test sites say TLS 1.0 should be disabled for NIST compliance. Is
> that recommended? What about 1.1?

TLS 1.0 and 1.1 are not broken, so you should not disable them for opportunistic TLS.

Regards,
Bastian

-- 
Beam me up, Scotty, there's no intelligent life down here!
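The mandatory-versus-opportunistic split described above, as it maps onto Postfix configuration. This is an added illustration and not part of the original message or of the Postfix documentation; the host name mail.example.com, the certificate paths, the tls_policy file and the partner.example.com entry are assumptions. The parameter names themselves are the real Postfix ones: the smtpd_tls_mandatory_* settings only take effect where the security level is "encrypt" or stronger, which is exactly why a strict protocol list can be applied to the submission service without affecting port 25.

```ini
# --- main.cf (added example; paths and host names are assumptions) ---

# Inbound from the rest of the SMTP world: opportunistic TLS.
# "may" offers STARTTLS but falls back to plaintext if the peer cannot
# do TLS, so the protocol list stays permissive (only SSLv2/SSLv3 off).
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/postfix/mail.example.com.crt
smtpd_tls_key_file  = /etc/postfix/mail.example.com.key

# The *_mandatory_* parameters are used only where the effective
# security level is "encrypt" or stronger, i.e. on the submission
# service in master.cf below. This is where a strict profile belongs.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers   = high

# Outbound to the rest of the SMTP world: opportunistic, with DANE
# used automatically where the destination publishes TLSA records.
# "dane" behaves like "may" for domains without usable TLSA records
# and needs a DNSSEC-validating resolver.
smtp_tls_security_level = dane
smtp_dns_support_level  = dnssec
smtp_host_lookup        = dns
smtp_tls_protocols      = !SSLv2, !SSLv3

# Per-destination overrides for peers known to support a strict
# profile (a partner domain, or an MTA-STS policy fed in by an
# external resolver; Postfix has no built-in MTA-STS support).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# --- master.cf (submission service for your own clients) ---
# Mandatory TLS, and SASL auth offered only after STARTTLS. Because the
# level is "encrypt", the *_mandatory_* settings above apply here, so
# TLS 1.0/1.1 clients are refused on 587 but still accepted on 25.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes

# --- /etc/postfix/tls_policy (hypothetical partner entry) ---
# Build with "postmap hash:/etc/postfix/tls_policy" after editing.
# partner.example.com   secure match=mail.partner.example.com
```

To confirm the two services really differ, run `openssl s_client -starttls smtp -tls1 -connect mail.example.com:587`, which should fail the handshake, against the same command on port 25, which should succeed; `postconf -n` and `postconf -P` show the effective main.cf and master.cf `-o` overrides. On Postfix 3.6 and later the protocol lists can also be written as a floor, e.g. `>=TLSv1.2`, instead of listing exclusions.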