On 2020-03-07 02:30, Reio Remma wrote:
> On 07.03.2020 0:41, Ihor Antonov wrote:
> > On 2020-03-06 23:05, Reio Remma wrote:
> > > Hello!
> > > 
> > > I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
> > > failure on the old machine). I've successfully built an RPM of OpenSMTPD for
> > > CentOS 8 and it's running nicely, however I've a problem with the global
> > > crypto policies in CentOS 8.
> > > 
> > > Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
> > > got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
> > > the whole system from DEFAULT to LEGACY crypto policy?
> > Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
> > since it is considered to be not safe)
> 
> Because my thinking is it's better than the plain text the clients fall back
> to. Or is it not so?

Good question. Will other SMTP servers fall back to plaintext if
TLSv1.1+ is not available? TLS 1.2 is about 10 years old. I would not
force TLSv1.3 yet, but I also really don't want to communicate with
systems that are so outdated that they don't support TLSv1.2. But that is
a matter of personal choice probably.


