Hello,

On 03.08.22 at 13:34, Sidsel Jensen via mailop wrote:

> We were having a discussion on the possibility to disable TLS 1.0 and 1.1 for 
> MTA to MTA communication, and based on the numbers we've seen so far, it 
> doesn't look that far fetched.
> […] but have you also disabled it for MTA to MTA communication as well or are 
> you still considering it? And what scenarios are currently holding you back?

STARTTLS implementations out there tend to assume that TLS negotiation after STARTTLS 
just works™. If it doesn't (because someone artificially limited interoperability), 
the connection times out and the mail bounces days later. Fix: 
"try_tls:mx.mailop.org    NO", if the bounces annoy me enough.

To me it's a rather illogical approach to force unencrypted transmission 
instead of at least allowing what nowadays is basically of ROT13 quality. But, 
well, your server, your rules.

> And what about PLAIN - do you still allow that as the fallback option or are 
> you also considering disabling that?

RFC 3207 seems rather clear on this?

   A publicly-referenced SMTP server MUST NOT require use of the
   STARTTLS extension in order to deliver mail locally.  This rule
   prevents the STARTTLS extension from damaging the interoperability of
   the Internet's SMTP infrastructure.  A publicly-referenced SMTP
   server is an SMTP server which runs on port 25 of an Internet host
   listed in the MX record (or A record if an MX record is not present)
   for the domain name on the right hand side of an Internet mail
   address.

Regards,
-kai
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
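An added example of the failure mode Kai describes, written for this page; it is not code from the thread, from Sendmail or from any other MTA. It models a sending MTA that does opportunistic STARTTLS with a bounded timeout and, when the handshake fails, retries in a fresh session without STARTTLS, which is what a per-host "Try_TLS:host NO" entry forces permanently; with `require_tls=True` it defers instead. The receiving side is a constructed fake MX on 127.0.0.1 that advertises STARTTLS but never completes a handshake (it stalls, drops the connection after the ClientHello, or answers 454). Hostnames, addresses and the message body are made up.

```python
"""Opportunistic STARTTLS delivery when "TLS after STARTTLS just works" is
false.  Added example; the fake MX is constructed here and has no certificate."""
import smtplib
import socket
import ssl
import threading

CLIENT_HELO = "client.example.test"  # assumed sender hostname


def start_fake_mx(mode):
    """Fake MX on 127.0.0.1 advertising STARTTLS that then "stall"s (220, no
    ServerHello), "reject"s (220, reads the ClientHello, drops the connection)
    or reports TLS "unavailable" (454).  Returns (port, delivered bodies)."""
    delivered = []
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        rd = conn.makefile("rb")
        conn.sendall(b"220 mx.example.test ESMTP\r\n")
        while True:
            line = rd.readline()
            if not line:
                return
            verb = line.split(b" ", 1)[0].strip().upper()
            if verb == b"EHLO":
                conn.sendall(b"250-mx.example.test\r\n250 STARTTLS\r\n")
            elif verb == b"STARTTLS":
                if mode == "unavailable":
                    conn.sendall(b"454 4.7.0 TLS not available\r\n")
                    continue
                conn.sendall(b"220 2.0.0 Ready to start TLS\r\n")
                conn.recv(65536)      # swallow the ClientHello
                if mode == "stall":
                    conn.recv(65536)  # never answer; block until the client gives up
                return                # "reject": drop the connection
            elif verb in (b"MAIL", b"RCPT"):
                conn.sendall(b"250 2.1.0 OK\r\n")
            elif verb == b"DATA":
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                body = b""
                while True:
                    chunk = rd.readline()
                    if not chunk or chunk == b".\r\n":
                        break
                    body += chunk
                delivered.append(body)
                conn.sendall(b"250 2.0.0 Queued\r\n")
            elif verb == b"QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                return

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                handle(conn)
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], delivered


def deliver(host, port, sender, rcpt, body, require_tls=False, timeout=1.0):
    """Deliver one message as an opportunistic-TLS MTA does; returns ("tls", detail),
    ("plaintext", detail) or ("deferred", detail).  The bounded socket timeout keeps
    a stalled handshake from hanging until the queue lifetime expires; the second
    session without STARTTLS is the per-host equivalent of "Try_TLS:host NO"."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # opportunistic TLS is unauthenticated
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with smtplib.SMTP(host, port, local_hostname=CLIENT_HELO, timeout=timeout) as s:
            s.ehlo()
            s.starttls(context=ctx)  # raises on 454 or on a failed/timed-out handshake
            s.ehlo()
            s.sendmail(sender, [rcpt], body)
            return "tls", "delivered over TLS"
    except (OSError, smtplib.SMTPException) as exc:
        tls_error = f"{type(exc).__name__}: {exc}"
    if require_tls:
        return "deferred", tls_error  # keep queued, retry later
    with smtplib.SMTP(host, port, local_hostname=CLIENT_HELO, timeout=timeout) as s:
        s.ehlo()
        s.sendmail(sender, [rcpt], body)  # STARTTLS deliberately not issued
    return "plaintext", tls_error


if __name__ == "__main__":
    for mode in ("stall", "reject", "unavailable"):
        port, got = start_fake_mx(mode)
        print(mode, deliver("127.0.0.1", port, "a@example.test", "b@example.test",
                            "Subject: test\r\n\r\nhello\r\n"), len(got))
```

The fallback path is the point of the thread: against a receiver that stalls or drops TLS 1.0/1.1 handshakes, the interoperability-preserving choice on the sending side is exactly the plaintext downgrade Kai objects to, while the receiver itself is still bound by the RFC 3207 text quoted above not to require STARTTLS at all. The only knob that avoids both outcomes is the receiver keeping a handshake that completes, whatever version policy it advertises.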