On 09/02/2021 10:58, @lbutlr wrote:
On 09 Feb 2021, at 03:53, @lbutlr <krem...@kreme.com> wrote:
Looking over the last few days, I see connections from servers I do not accept
mail from, so it looks to me based on my logs that I could easily reject TLSv1
or TLSv1.1 without missing a single mail.
Meant to include this in case this helps:
bzgrep TLSv1 /var/log/mail.log.* | egrep -v '(TLSv1.3|TLSv1.2)' | egrep -o 'established from [^:]*' | sort -u
My logs are unzipped or gzipped, so I needed:
zgrep -ha TLSv1 /var/log/mail.log*|egrep -v 'TLSv1\.[23]'|egrep -o 'established from [^:]*'|cut -d" " -f3|sort|uniq -c|sort -n
This shows plenty of 'good' servers still using TLSv1 or TLSv1.1 -
including the postfix-users list servers. Of course they would probably
downgrade to plaintext if required, but that would reduce security.
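
An added example, not part of the thread: the pipelines above list clients that used TLSv1 or TLSv1.1, and this sketch also counts each client's TLSv1.2/1.3 sessions, so clients that only ever negotiate the old versions stand apart from those that already use newer ones. It assumes the Postfix smtpd "TLS connection established from host[ip]: PROTOCOL with cipher ..." log line; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads Postfix syslog lines on stdin and prints, per client:
#   host[ip] legacy_count modern_count verdict
legacy_tls_report() {
    awk '
    /TLS connection established from / {
        # Find "from"; the next two fields are "host[ip]:" and the protocol.
        for (i = 1; i < NF; i++) {
            if ($i == "from") { client = $(i + 1); proto = $(i + 2); break }
        }
        sub(/:$/, "", client)     # drop the colon that follows host[ip]
        if (proto ~ /^TLSv1\.[23]$/) modern[client]++
        else if (proto ~ /^(SSLv3|TLSv1|TLSv1\.1)$/) legacy[client]++
        else next                 # unknown protocol token: ignore the line
        seen[client] = 1
    }
    END {
        for (c in seen) {
            l = legacy[c] + 0; m = modern[c] + 0
            v = (l == 0) ? "modern-only" : (m == 0) ? "legacy-only" : "mixed"
            printf "%s %d %d %s\n", c, l, m, v
        }
    }' | sort
}

# Constructed sample input (documentation hostnames and addresses).
# The last line is an outbound smtp session ("established to") and is skipped.
sample_log() {
    cat <<'EOF'
Feb  9 10:01:02 mx postfix/smtpd[2101]: Anonymous TLS connection established from old.example.net[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb  9 10:05:40 mx postfix/smtpd[2107]: Anonymous TLS connection established from old.example.net[198.51.100.7]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb  9 10:07:13 mx postfix/smtpd[2110]: Anonymous TLS connection established from list.example.org[192.0.2.25]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb  9 11:15:09 mx postfix/smtpd[2188]: Anonymous TLS connection established from list.example.org[192.0.2.25]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  9 11:20:00 mx postfix/smtpd[2190]: Anonymous TLS connection established from new.example.com[203.0.113.9]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Feb  9 11:21:00 mx postfix/smtp[2195]: Trusted TLS connection established to mx.example.org[192.0.2.80]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
EOF
}

# Stand-alone run on the sample; on a real host: zcat -f /var/log/mail.log* | legacy_tls_report
sample_log | legacy_tls_report
```

Clients reported as legacy-only are the ones that rejecting TLSv1 and TLSv1.1 would affect; mixed clients have already negotiated TLSv1.2 or later at least once.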