On 7. Mar 2020, at 04:27, Ihor Antonov <[email protected]> wrote:
>
> On 2020-03-07 02:30, Reio Remma wrote:
>> On 07.03.2020 0:41, Ihor Antonov wrote:
>>> On 2020-03-06 23:05, Reio Remma wrote:
>>>> Hello!
>>>>
>>>> I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
>>>> failure on the old machine). I've successfully built an RPM of OpenSMTPD for
>>>> CentOS 8 and it's running nicely, however I've a problem with the global
>>>> crypto policies in CentOS 8.
>>>>
>>>> Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
>>>> got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
>>>> the whole system from DEFAULT to LEGACY crypto policy?
>>> Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
>>> since it is considered to be not safe)
>>
>> Because my thinking is it's better than the plain text the clients fall back
>> to. Or is it not so?
>
> Good question. Will other smtp servers fall back to plaintext if
> TLSv1.1+ is not available? TLS 1.2 is about 10 years old.. I would not
> force TLSv1.3 yet, but I also really don't want to communicate with
> systems that are so outdated that they don't support TLSv1.2. But that is
> a matter of personal choice probably.
I did have an overly optimistic experiment some time ago where IIRC I restricted smtpd to TLSv1.2. Unfortunately that resulted in several mails per day from banks, government agencies, etc. being lost. Unfortunately there are a lot of outdated set and forget servers out there (like our old qmail setup that had TLSv1 as max).

Reio
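The question the thread leaves open is how to lower the TLS floor for smtpd alone, without `update-crypto-policies --set LEGACY` for the whole host. The script below is an added example, not something posted in the thread and not part of OpenSMTPD or the crypto-policies package. On RHEL/CentOS 8 the DEFAULT policy reaches OpenSSL-linked programs through `/etc/pki/tls/openssl.cnf`, whose `[crypto_policy]` section does `.include /etc/crypto-policies/back-ends/opensslcnf.config` (that file carries `MinProtocol = TLSv1.2`). A process started with its own `OPENSSL_CONF` that does not include that back-end keeps the host policy untouched for everything else. The unit name `opensmtpd.service`, the path `/etc/opensmtpd/openssl.cnf` and the drop-in file name are hypothetical; the example also assumes smtpd is linked against OpenSSL 1.1.x (which honours `OPENSSL_CONF` and the `system_default` section at library init) and does not pin a higher minimum protocol itself. By default it writes into a scratch directory; run it with `ROOT=/` to write the real files.

```shell
#!/bin/sh
# Added example (not from the thread): re-enable TLSv1 for one systemd
# service by giving it its own OpenSSL configuration, while the host
# stays on the CentOS 8 DEFAULT crypto policy.
#
# Hypothetical names used here: unit opensmtpd.service, per-service config
# /etc/opensmtpd/openssl.cnf, drop-in file openssl.conf. Assumes smtpd is
# linked against OpenSSL 1.1.x and does not set its own minimum protocol.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"                 # scratch dir unless ROOT=/ is given
UNIT="${UNIT:-opensmtpd.service}"            # hypothetical unit name
SERVICE_CNF="${SERVICE_CNF:-/etc/opensmtpd/openssl.cnf}"   # hypothetical path

# Per-service OpenSSL config. Same section layout as /etc/pki/tls/openssl.cnf
# on RHEL/CentOS 8, but it deliberately does not .include
# /etc/crypto-policies/back-ends/opensslcnf.config, so the DEFAULT policy's
# MinProtocol = TLSv1.2 is never applied to this process.
write_service_openssl_cnf() {
    path="$1"
    mkdir -p "$(dirname "$path")"
    cat > "$path" <<'EOF'
openssl_conf = default_modules

[ default_modules ]
ssl_conf = ssl_module

[ ssl_module ]
system_default = smtpd_policy

[ smtpd_policy ]
# Protocol floor lowered to TLSv1 for this service only.
MinProtocol = TLSv1
MaxProtocol = TLSv1.3
# SECLEVEL=1 also accepts peers with 1024-bit RSA/DH keys, which tend to go
# together with TLSv1-only servers; keep @SECLEVEL=2 if only the protocol
# floor needs lowering.
CipherString = @SECLEVEL=1:HIGH:!aNULL:!MD5
EOF
}

# systemd drop-in that points only this unit at the per-service config.
write_systemd_dropin() {
    root="$1"; unit="$2"; cnf="$3"
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    printf '[Service]\nEnvironment=OPENSSL_CONF=%s\n' "$cnf" > "$dir/openssl.conf"
}

# Print the MinProtocol value set in an OpenSSL config (empty if none).
min_protocol_of() {
    sed -n 's/^[[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only if the config pulls in the system-wide crypto-policy back-end,
# i.e. if it would silently re-import the DEFAULT policy's TLSv1.2 floor.
includes_system_policy() {
    grep -q '^\.include[[:space:]]*/etc/crypto-policies/' "$1"
}

write_service_openssl_cnf "$ROOT$SERVICE_CNF"
write_systemd_dropin "$ROOT" "$UNIT" "$SERVICE_CNF"

echo "service config: $ROOT$SERVICE_CNF (MinProtocol=$(min_protocol_of "$ROOT$SERVICE_CNF"))"
echo "drop-in:        $ROOT/etc/systemd/system/$UNIT.d/openssl.conf"
```

After `systemctl daemon-reload` and a restart of the unit, `update-crypto-policies --show` should still print `DEFAULT`, and from another machine `openssl s_client -connect mail.example.org:25 -starttls smtp -tls1` should now complete a TLSv1 handshake with smtpd, while the same `-tls1` probe against any other OpenSSL-backed service on the host is still refused. Two caveats: the setting is process-wide, so it lowers the floor for smtpd's outbound relay connections as well as its listeners, and if the RPM was built against LibreSSL rather than OpenSSL this mechanism does not apply at all.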
