> On May 22, 2018, at 7:47 AM, Al Iverson <aiver...@wombatmail.com> wrote:
> 
> Are folks disabling TLS1.0 support in SMTP? Our security team has
> asked, but I'm a bit concerned about potential failure cases when
> trying to deliver mail to smaller corporate sites that might be doing
> stuff like requiring TLS but supporting 1.0 only....is that really
> much of a concern?

If you're connecting to an MX that only supports TLS 1.0 and you've
configured your smarthost to not support TLS 1.0 for opportunistic
encryption then it's going to fall back to not using any sort of encryption
and sending as plaintext.

TLS 1.0 has its flaws, but it's better than entirely unencrypted.

(If the flaws in TLS 1.0 were really an issue for your use case then
you'd drop the connection and bounce the mail if the remote host
didn't support TLS 1.1. Probably not a useful approach for email.)

Cheers,
  Steve

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
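
One way to size the risk discussed in this thread before changing anything, as an added example that is not part of the original messages: scan the sending host's own logs for destinations whose best negotiated protocol is below the proposed minimum, since those are the ones an opportunistic-TLS sender would start delivering to in plaintext. It assumes Postfix-style client log lines (as written with `smtp_tls_loglevel = 1`); the hostnames, addresses and log lines are constructed samples.

```python
import re

# Postfix-style SMTP client line (assumed log format, smtp_tls_loglevel = 1).
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: \w+ TLS connection established to "
    r"(?P<host>[^\[\s]+)\[[^\]]+\]:\d+: (?P<proto>TLSv[\d.]+|SSLv\d) with cipher"
)

# Protocol strength ordering, weakest first.
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

def best_version_per_host(lines):
    """Map each destination MX host to the strongest protocol it ever negotiated."""
    best = {}
    for line in lines:
        m = TLS_LINE.search(line)
        if not m or m["proto"] not in RANK:
            continue  # not a TLS handshake line, or an unknown protocol label
        host, proto = m["host"].lower(), m["proto"]
        if host not in best or RANK[proto] > RANK[best[host]]:
            best[host] = proto
    return best

def plaintext_fallback_hosts(lines, min_proto="TLSv1.1"):
    """Hosts that never negotiated min_proto or better: with opportunistic TLS
    and min_proto enforced, mail to these would go out unencrypted."""
    floor = RANK[min_proto]
    return sorted(h for h, p in best_version_per_host(lines).items() if RANK[p] < floor)

# Constructed sample log lines (documentation address ranges, made-up hosts).
SAMPLE_LOG = """\
May 22 07:01:02 out1 postfix/smtp[2101]: Untrusted TLS connection established to mx.bigmail.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 22 07:01:09 out1 postfix/smtp[2102]: Untrusted TLS connection established to mail.smallcorp.example[198.51.100.7]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
May 22 07:02:30 out1 postfix/smtp[2103]: Trusted TLS connection established to mx.mixed.example[203.0.113.5]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
May 22 07:03:11 out1 postfix/smtp[2104]: Trusted TLS connection established to mx.mixed.example[203.0.113.6]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 22 07:04:00 out1 postfix/smtp[2105]: connect to mx.down.example[192.0.2.99]:25: Connection timed out
""".splitlines()

if __name__ == "__main__":
    for host in plaintext_fallback_hosts(SAMPLE_LOG):
        print("would lose encryption:", host)
```

A host that negotiated TLSv1 once and TLSv1.2 on another connection is not flagged, because only the strongest version seen per host counts.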
