On 7. Mar 2020, at 04:27, Ihor Antonov <ihor@antonovs.family> wrote:
> 
> ´╗┐On 2020-03-07 02:30, Reio Remma wrote:
>>> On 07.03.2020 0:41, Ihor Antonov wrote:
>>> On 2020-03-06 23:05, Reio Remma wrote:
>>>> Hello!
>>>> 
>>>> I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
>>>> failure on the old machine). I've successfully built an RPM of OpenSMTPD 
>>>> for
>>>> CentOS 8 and it's running nicely, however I've a problem with the global
>>>> crypto policies in CentOS 8.
>>>> 
>>>> Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
>>>> got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
>>>> the whole system from DEFAULT to LEGACY crypto policy?
>>> Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
>>> sinice it is considered to be not safe)
>> 
>> Because my thinking is it's better than the plain text the clients fall back
>> to. Or is it not so?
> 
> Good question. Will other smtp servers fall back to plaintext if
> TLSv1.1+ is not available? TLS 1.2 is about 10 years old.. I would not
> force TLSv1.3 yet, but I also really dont want to communicate with
> systems that are so outdated that they dont support TLSv1.2. But that is
> a matter of personal choice probably.

I did have an overly optimistic experiment some time ago where IIRC I 
restricted smtpd to TLSv1.2. Unfortunately that resulted in several mails per 
day from banks, government agencies, etc. being lost. Unfortunately there are a 
lot of outdated set and forget servers out there (like our old qmail setup that 
had TLSv1 as max).

Reio

Reply via email to