On 2021-07-02 at 10:04:29 UTC-0400 (Fri, 2 Jul 2021 16:04:29 +0200)
Marek Kozlowski <m.kozlow...@mini.pw.edu.pl>
is rumored to have said:

But on the other hand it's hard to believe that some servers with a good reputation (according to https://talosintelligence.com) of reputable American universities still don't support TLS 1.2 or 1.3... Do you suggest... they haven't upgraded their mail servers for over a decade? So I'm a bit confused.

While few systems survive without any patching for a decade, it's quite common for a mail server's underlying OS and its TLS library not to have had a major version update since before the platform supported TLSv1.2. RHEL 6 and its derivatives are still in wide use, as are FreeBSD versions prior to v10 that still have OpenSSL 0.9.8* in the base install and old Windows versions without recent TLS support. Whether it's inattention, a devotion to stability, or lack of support capacity, many places just don't do updates that aren't largely automated. I confess to still having one stubborn old FreeBSD 8 machine in production, due to customers who have not invested in maintaining custom software. It doesn't send mail to the world using the base OpenSSL, but I can understand how people can keep old systems in use long past their proper expiration dates.

It is also important to understand that what you see as a 'mail server' offering you mail from a large organization may very well be strictly an SMTP client as far as the outside world is concerned, e.g. an old Exchange 2003 mail hub behind a firewall whose only access to the outside world is to send mail on port 25. With the risks of using TLSv1.0 for an SMTP client being negligible to non-existent, updating a commercial package with a significant cost may never happen.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
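A way to check for yourself what a given mail server will actually negotiate over STARTTLS, as an added example that is not part of this thread: it pins a Python ssl client context to one protocol version at a time and records which handshakes the server accepts. The host name `mx.example.test` and the sample EHLO reply are placeholders.

```python
import smtplib
import ssl

# Newest first. TLSv1 and TLSv1_1 are what the old stacks discussed above are stuck on.
CANDIDATES = ("TLSv1_3", "TLSv1_2", "TLSv1_1", "TLSv1")


def offers_starttls(ehlo_reply: bytes) -> bool:
    """True if a raw EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # Extension lines look like b"250-STARTTLS" or b"250 STARTTLS" (final line).
        if line[:3] == b"250" and line[4:].strip().upper() == b"STARTTLS":
            return True
    return False


def context_for(version_name: str) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version, e.g. "TLSv1_2"."""
    version = ssl.TLSVersion[version_name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version  # ValueError if the local OpenSSL lacks this version
    ctx.maximum_version = version
    # Audit probe only: we want to learn what the peer offers, not trust its certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def supported_versions(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Map each candidate version to True (negotiated), False (refused or unavailable)
    or None (the server offers no STARTTLS at all)."""
    results = {}
    for name in CANDIDATES:
        try:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                if not smtp.has_extn("starttls"):
                    return {n: None for n in CANDIDATES}
                smtp.starttls(context=context_for(name))
                results[name] = True
        except (smtplib.SMTPException, OSError, ValueError):
            # ssl.SSLError is an OSError: a refused handshake lands here too.
            results[name] = False
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mx.example.test"  # placeholder host
    for name, ok in supported_versions(host).items():
        print(f"{host}: {name:8s} {'yes' if ok else 'n/a' if ok is None else 'no'}")
```

Note that on a current OpenSSL the TLSv1 and TLSv1_1 probes may come back "no" because the local security level refuses them, not because the server does; run the check from a host whose crypto policy still permits those versions if that distinction matters.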
