On 2020-03-07 02:30, Reio Remma wrote: > On 07.03.2020 0:41, Ihor Antonov wrote: > > On 2020-03-06 23:05, Reio Remma wrote: > > > Hello! > > > > > > I was forced to upgrade our mail server to CentOS 8 (thanks to hardware > > > failure on the old machine). I've successfully built an RPM of OpenSMTPD > > > for > > > CentOS 8 and it's running nicely, however I've a problem with the global > > > crypto policies in CentOS 8. > > > > > > Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone > > > got any experience on how to allow TLSv1 for OpenSMTPD without downgrading > > > the whole system from DEFAULT to LEGACY crypto policy? > > Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially > > sinice it is considered to be not safe) > > Because my thinking is it's better than the plain text the clients fall back > to. Or is it not so?
Good question. Will other smtp servers fall back to plaintext if TLSv1.1+ is not available? TLS 1.2 is about 10 years old.. I would not force TLSv1.3 yet, but I also really dont want to communicate with systems that are so outdated that they dont support TLSv1.2. But that is a matter of personal choice probably.