Hi Seth, Alberto,

My point was that enabling this by default would likely disrupt inbound mail flow, and that if you were to enforce it by default, you would deny anyone with an older system from sending you mail inbound...

If you have an option or knob to enforce stronger TLS in the OpenSMTPD configuration file, you also need to have a clear warning to users (perhaps when OpenSMTPD starts and sees that option set) that it is likely people with older mail servers / mail clients will not be able to send you email... (or in the man page at the very least...)

It is one of those options I would love to set in a perfect world... but it is one of those options that would shoot the availability of my mail service in the foot (for a large number of users who may have no control over the TLS their upstream mail server supports). Unfortunately, to move off TLS 1.0 it will take a huge problem like that detected in SSL 3.0 before industry / vendors issue patches in a short period of time to move people off that protocol, and basically we will have to wait for that event before enforcing TLS 1.0 by default. Until then... enforcing TLS 1.0 is putting the security of a service above the availability of a service... they are both sides of the same coin... I think it doesn't make sense to prioritise one over the other.

I hope this helps.

On Sat, Jan 9, 2016 at 2:49 PM, Alberto Mijares <[email protected]> wrote:
> > I think the approach reyk took with httpd, supporting only TLSv1.2 by
> > default is the correct one. If people insist on shooting a hole in their
> > security foot to support obsolete clients and organizations with crap
> > security like Discover.com and Paypal.com, so be it, give them a knob to
> > do so, but don't let them do it unknowingly.
> >
> > [1] https://www.mail-archive.com/misc%40opensmtpd.org/msg02326.html
> >
>
> I second that motion. Just for the record.
>
> Regards,
>
> Alberto Mijares
>
> --
> You received this mail because you are subscribed to [email protected]
> To unsubscribe, send a mail to: [email protected]

--
Kindest regards,
Tom Smyth
Mobile: +353 87 6193172
