FWIW, our view is that poor encryption can be worse than no encryption, as it 
can give the participants a false sense of security.  This seems like a good 
move to us.

We have configured Postfix in our Zimbra MTA servers to do only TLS 1.2/1.3, 
and fall back to unencrypted if a TLS connection can't be negotiated (per RFC 
2487).

Probably most on this list know this already, but you can use nmap to see what 
TLS levels and cipher suites are supported:

nmap --script ssl-enum-ciphers -p 25 <ip or fqdn of the target SMTP server>

Regards, 
Mark 
_________________________________________________________________ 
L. Mark Stone, Founder 
North America's Leading Zimbra VAR/BSP/Training Partner 
For Companies With Mission-Critical Email Needs

----- Original Message -----
From: "Matus UHLAR - fantomas via mailop" <mailop@mailop.org>
To: "mailop" <mailop@mailop.org>
Sent: Wednesday, March 13, 2024 7:04:22 AM
Subject: Re: [mailop] Ubuntu Noble/24.04 - TLS 1.0, 1.1 and DTLS 1.0 are 
forcefully disabled

On 12.03.24 23:09, Andrew C Aitchison via mailop wrote:
>https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#tls-10-11-and-dtls-10-are-forcefully-disabled-13
>(which is mostly a template) suggests that TLS 1.0, 1.1 and DTLS 1.0 
>are "forcefully disabled" in the upcoming Ubuntu release
>(due next month at a guess).
>Apparently this is not new for openssl, but it is for gnutls.
>
>Given that the advice for SMTP is often to allow tls 1.0 and 1.1,
>rather than have it revert to unencrypted, this is something to
>watch out for.

Any info on how exactly this is implemented?

E.g. on Debian since v10/buster, they were disabled via openssl.cnf:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

but it was possible to enable them. Iirc sendmail honored these settings, 
postfix hasn't.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
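
Added example (not part of the thread and not code from any poster or project): a small auditor for the openssl.cnf mechanism described above. It follows the openssl_conf -> ssl_conf -> system_default chain and reports the MinProtocol and SECLEVEL it finds. The sample file content is constructed, the function names are hypothetical, and the parser is a simplification that ignores .include directives and variable expansion.

```python
import re

# Constructed sample in the layout the thread describes; not read from a real host.
SAMPLE_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}; '' is the unnamed top section."""
    sections, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        m = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if m:
            cur = m.group(1)
            sections.setdefault(cur, {})
        elif "=" in line:
            k, v = line.split("=", 1)
            sections[cur][k.strip()] = v.strip()
    return sections

def system_default(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return {} if the chain is broken."""
    s = parse_cnf(text)
    name = s[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = s.get(name, {}).get(key)
    return s.get(name, {})

def audit(text):
    """Return (MinProtocol, SECLEVEL, no_tls12_floor). The last item is True when this
    file does not enforce TLS 1.2 or later, so the library's built-in default decides."""
    sect = system_default(text)
    minp = sect.get("MinProtocol")
    m = re.search(r"@SECLEVEL=(\d)", sect.get("CipherString", ""))
    level = int(m.group(1)) if m else None
    no_floor = minp not in ORDER or ORDER.index(minp) < ORDER.index("TLSv1.2")
    return minp, level, no_floor

if __name__ == "__main__":
    print(audit(SAMPLE_CNF))
```

As the thread notes, not every MTA honors these system-wide defaults, so the result describes the library configuration and not necessarily what a given SMTP daemon offers on port 25.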