On Mon, Jan 10, 2022 at 07:15:46PM -0500, Alex wrote:

> > The vulnerabilities I am aware of that justify sticking to v1.2/3 in
> > web, IMAP, and database servers are not viable against SMTP because of
> > the brief, non-repetitive, and largely unpredictable nature of the TLS
> > sessions used by SMTP.
>
> Would you explain what specifically about the above that's removed any
> ability for clients to build an encrypted connection and require
> cleartext?

A small fraction of SMTP clients support only TLS 1.0 and not TLS 1.2. I am not aware of any downgrade attack (on authenticated connections) from TLS 1.2 to TLS 1.0 that would convince an SMTP client that supports TLS 1.2 to use TLS 1.0 instead. So offering TLS 1.0 has no downside. At some point the upside becomes negligible, and one disables TLS 1.0 as a matter of hygiene. We're close to that, but there's no rush to get there.

--
Viktor.