On 5. 3. at 0:15, Christer Mjellem Strand via mailop wrote:

That said, we still decided to deviate from them *only* for SMTP (and not for i.e. Submission). The reason for this decision comes down to the number of poorly configured servers out there, and the fact that TLS in SMTP is still opportunistic. While requiring sane crypto at Mozilla's level will no doubt weed out a fair bit of spammers, unfortunately it is (still) likely to also weed out stuff it shouldn't. And since you won't know before the other side initiates STARTTLS whether you'll be able to agree on a common handshake, and poor crypto is still better than no crypto at all (which SMTP generally will happily allow), this ended up being the compromise.

It may not be as bad as it seems. I have allowed only TLS 1.2+ and ciphersuites limited to AEADs, with limited groups and sigalgs, for a long time, and on my MX (the MSA is much worse) I have logged, in the whole of February:

+ 9x Error in the pull function (I guess connect scans or similar)
+ 5x A TLS fatal alert has been received: User canceled
+ 2x A packet with illegal or unsupported version was received
+ 2x No supported cipher suites have been found

Yes, my MTA is not representative, but anyway it is less than 0.1 % of total connections (though not all bad peers reach the STARTTLS stage). I didn't inspect these IPs in detail that month, but I did a detailed inspection before and for a long time after I disabled TLS 1.1 and TLS 1.0, and all these attempts were from (at least) suspicious IPs.

The main problem here is that there are multiple hosts requesting only RSA ciphersuites, thus I have to maintain dual-stack certs (RSA/ECDSA)...

regards

--
Slavko
https://www.slavino.sk/

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
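The policy described above (TLS 1.2+, AEAD-only suites, limited groups, and a dual-stack RSA/ECDSA certificate because some peers offer only RSA suites), expressed in Go's crypto/tls as an added example that is not from the original mail or from any MTA. The self-signed certificates and the host name mx.example.test are constructed here; the in-memory handshake harness shows which certificate each kind of peer receives and what a TLS 1.1 or CBC-only peer gets instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
)

// selfSigned issues a throwaway certificate (constructed here) for the given key pair.
func selfSigned(priv, pub interface{}) tls.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"mx.example.test"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// StrictMXConfig encodes the policy from the mail: TLS 1.2+, AEAD-only suites, two groups, dual-stack certs.
func StrictMXConfig() *tls.Config {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &tls.Config{
		MinVersion: tls.VersionTLS12, // TLS 1.0/1.1 peers get a protocol_version alert
		CipherSuites: []uint16{ // TLS 1.2 AEAD suites only; TLS 1.3 suites are always AEAD
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		// ECDSA first; the RSA cert is served only to peers whose offer cannot use ECDSA
		Certificates:           []tls.Certificate{selfSigned(ecKey, &ecKey.PublicKey), selfSigned(rsaKey, &rsaKey.PublicKey)},
		SessionTicketsDisabled: true, // only so the synchronous in-memory pipe in Handshake cannot stall
	}
}

// Handshake runs one handshake in memory and returns the negotiated version and server key type, or the peer's error.
func Handshake(server, client *tls.Config) (uint16, string, error) {
	c, s := net.Pipe()
	defer c.Close()
	go tls.Server(s, server).Handshake() // MX side: a policy mismatch surfaces as the client's alert
	cl := tls.Client(c, client)
	if err := cl.Handshake(); err != nil {
		return 0, "", err // e.g. "remote error: tls: protocol version not supported"
	}
	st := cl.ConnectionState()
	if _, ok := st.PeerCertificates[0].PublicKey.(*ecdsa.PublicKey); ok {
		return st.Version, "ECDSA", nil
	}
	return st.Version, "RSA", nil
}
```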