On Mon, Mar 04, 2024 at 05:30:54PM +0100, Cyril - ImprovMX via mailop wrote:

> On our send, we decided to use the ciphers suggested by Mozilla on their
> SSL Configuration Generator (https://ssl-config.mozilla.org/) (level
> "Intermediate") but I'm aware it's more for the HTTPS connections than
> ESMTP / TLS.

Exactly. SMTP is not HTTPS. Too restrictive a setting either results in interoperability problems or plain text transmission. Leaving TLS1.0 enabled is fine with SMTP. If you support TLS1.2 and the client supports TLS1.2, there is no known downgrade attack to TLS1.0.

[...]

> And we only accept TLS at v1.2 and higher.

It is 2024 but this is still, unfortunately, not advisable. In SMTP, increased security is achieved via raising the ceiling. Raising the floor is counterproductive. It is opportunistic encryption and multi-hop. Different design choices, different implications.

--
Eray

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
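As an added illustration (not from the thread, and the thread names no MTA), a Postfix main.cf fragment contrasting the raised floor Cyril describes with the raised-ceiling settings Eray recommends; the protocol lists use Postfix's exclusion syntax, and the submission-port remark assumes the usual master.cf override with smtpd_tls_security_level=encrypt.

```ini
# --- Raised floor (what the thread advises against on MX/relay traffic):
#     a peer that only speaks TLS 1.0/1.1 fails the handshake, and under
#     "may" the message is then delivered or accepted in plaintext ---
# smtpd_tls_security_level = may
# smtpd_tls_protocols      = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# smtp_tls_security_level  = may
# smtp_tls_protocols       = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# --- Raised ceiling (opportunistic, multi-hop): offer every TLS version,
#     let the handshake pick the highest both sides support, so a modern
#     peer gets TLS 1.2/1.3 and an old one still gets encryption ---
smtpd_tls_security_level = may
smtpd_tls_protocols      = !SSLv2, !SSLv3
smtp_tls_security_level  = may
smtp_tls_protocols       = !SSLv2, !SSLv3

# The mandatory lists apply only where TLS is required and there is no
# plaintext fallback (e.g. the submission service in master.cf with
# -o smtpd_tls_security_level=encrypt); a high floor is appropriate there.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols  = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
```

After applying, "postconf -n | grep tls_" shows the effective values, and the smtp/smtpd log lines report the negotiated protocol per peer so you can see which remote MTAs still land on TLS 1.0.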