The announcement from Microsoft:

https://techcommunity.microsoft.com/t5/exchange-team-blog/understanding-email-scenarios-if-tls-versions-cannot-be-agreed/ba-p/2065089

This shouldn't affect most Postfix users, but if you've accidentally
disabled TLS 1.2 and higher (either inbound or outbound), this is as
good a time as any to fix that.

A small handful of sites that publish DANE TLSA records are still running
SMTP servers that only support TLS 1.0.  Microsoft are not the only ones
deprecating TLS 1.0/1.1 and especially if you have DANE TLSA records that
make TLS mandatory, you need to make sure that you support TLS 1.2 and
ideally also TLS 1.3.

Some of the TLS 1.0-only DANE systems look like Postfix.  If any of these
are yours, please update your TLS settings or upgrade your TLS library:

[ The traces below are with the TLS level set to "may" ]

 250-mail.hosted-service.com
 Anonymous TLS connection established to 173.255.225.16[173.255.225.16]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
 Anonymous TLS connection established to 2600:3c03:e000:27::25[2600:3c03:e000:27::25]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)

 250-smtp.semperen.com
 Untrusted TLS connection established to 2600:1f16:940:9420:c0eb:3db8:9c94:df05[2600:1f16:940:9420:c0eb:3db8:9c94:df05]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
 Untrusted TLS connection established to 3.13.72.96[3.13.72.96]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

 250-mail.casopisek.cz
 Anonymous TLS connection established to 89.185.242.197[89.185.242.197]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)

 250-mail.czfruit.cz
 Anonymous TLS connection established to 195.144.98.230[195.144.98.230]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)

 250-castle.8p8c.net
 Anonymous TLS connection established to 85.118.226.140[85.118.226.140]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
 Anonymous TLS connection established to 2001:470:73a8:1::2[2001:470:73a8:1::2]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)

 250-smtp.aeon-hq.net
 Untrusted TLS connection established to 82.64.124.134[82.64.124.134]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

 250-heineken.unixpimps.net
 250-sanmiguel.unixpimps.net
 250-tuborg.unixpimps.net
 Untrusted TLS connection established to 153.92.126.12[153.92.126.12]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
 Untrusted TLS connection established to 2001:41d0:a:5f83::161[2001:41d0:a:5f83::161]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
 Untrusted TLS connection established to 2001:41d0:a:5f83::162[2001:41d0:a:5f83::162]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
 Untrusted TLS connection established to 2a00:1a28:1157:178::2493[2a00:1a28:1157:178::2493]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
 Untrusted TLS connection established to 5.196.33.161[5.196.33.161]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
 Untrusted TLS connection established to 5.196.33.162[5.196.33.162]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

-- 
        Viktor.
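
[ Added example, not part of the original message and not Postfix code: a small Python scan of a mail log for the "TLS connection established" summary lines shown in the traces above, reporting every peer that negotiated less than TLS 1.2. The function name, the syslog prefix, and the sample lines (documentation addresses) are constructed for illustration; it assumes each log entry is on one line, as Postfix writes it. ]

```python
import re
from collections import defaultdict

# Postfix TLS summary line, outbound ("to host[addr]:port") or inbound
# ("from host[addr]"), e.g.
#   Untrusted TLS connection established to h[a]:25: TLSv1 with cipher X (256/256 bits)
TLS_LINE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<dir>to|from) (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>(?:TLS|SSL)v[\d.]+) with cipher (?P<cipher>\S+)"
)

# Ordering of the protocol names as they appear in the log.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2,
                 "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def legacy_tls_peers(lines, minimum="TLSv1.2"):
    """Return {(direction, host, addr): {protocols}} for sessions below `minimum`."""
    floor = PROTOCOL_RANK[minimum]
    found = defaultdict(set)
    for line in lines:
        m = TLS_LINE.search(line)
        if m is None:
            continue  # not a TLS summary line
        rank = PROTOCOL_RANK.get(m["proto"])
        # Unknown protocol strings are reported rather than silently passed.
        if rank is None or rank < floor:
            found[(m["dir"], m["host"], m["addr"])].add(m["proto"])
    return dict(found)


# Constructed sample log (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    "Jan 12 10:00:01 mx postfix/smtp[1201]: Anonymous TLS connection established to "
    "mail.example.net[192.0.2.10]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)",
    "Jan 12 10:00:02 mx postfix/smtp[1202]: Verified TLS connection established to "
    "mx.example.org[2001:db8::25]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)",
    "Jan 12 10:00:03 mx postfix/smtpd[1303]: Anonymous TLS connection established from "
    "client.example.com[198.51.100.7]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Jan 12 10:00:04 mx postfix/smtp[1204]: Trusted TLS connection established to "
    "mx2.example.org[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
]

if __name__ == "__main__":
    for (direction, host, addr), protos in sorted(legacy_tls_peers(SAMPLE_LOG).items()):
        print(f"{direction:4} {host} [{addr}] negotiated {', '.join(sorted(protos))}")
```

[ Outbound ("to") hits are remote servers still limited to old protocols; inbound ("from") hits are clients that will fail once the receiving side stops accepting TLS 1.0/1.1. ]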
