I found that when clients are using common software like Windows 7 and Windows Live Mail, Outlook 2013, or recent versions of Thunderbird, you are still likely to see TLS 1.0 connections. If your mail server only serves an organization where you control the client software, you could probably move to TLS 1.2 (and above) on your submission service with little effort. If you provide mail as an ISP and don't control client software/versions and want to be generous in what you accept, you might have to leave TLS 1.0 enabled a while longer on the submission service.

On port 25 server-to-server connections, I agree with the sentiments of others on this thread and think disabling TLS 1.0/1.1 is a bit premature at this time for most organizations.

--Blake

Bryan K. Walton wrote on 11/6/2019 8:54 AM:
Apple, Google, Microsoft, and Mozilla have all announced that they will
be deprecating TLS 1.0 and 1.1 in March 2020, in their web browsers.
Similarly, SSL Labs has announced that they will be downgrading web
server scores to a maximum of B, starting in January 2020, if that
webserver supports TLS 1.0/1.1.

Now, I know that what is good for web servers/browsers, isn't
necessarily the same for SMTP servers.  For example, I've learned from
this mailing list that public facing MTAs should not require
super-strong ciphers because that may force another MTA to use
unencrypted communication:

http://postfix.1071664.n5.nabble.com/template/NamlServlet.jtp?macro=print_post&node=88919

http://postfix.1071664.n5.nabble.com/template/NamlServlet.jtp?macro=print_post&node=80355

How does the recommendation that we not REQUIRE super-strong ciphers
relate to the issue of TLS protocols?  Should we continue to allow TLS
1.0/1.1 for the same reason that we should allow weak ciphers?

Thanks!
Bryan
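
Added example, not part of the original thread: one way to check how much TLS 1.0/1.1 traffic a server still sees, per service, before tightening protocol settings. It assumes `smtpd_tls_loglevel = 1` and that the submission service in master.cf uses `-o syslog_name=postfix/submission`; the log lines are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format smtpd logs at smtpd_tls_loglevel = 1.
# Assumption: the submission service logs as "postfix/submission/smtpd",
# so port 587 sessions can be told apart from port 25 sessions.
SAMPLE_LOG = """\
Nov  6 09:01:12 mx1 postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  6 09:02:40 mx1 postfix/smtpd[2102]: Anonymous TLS connection established from old-mta.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Nov  6 09:03:05 mx1 postfix/submission/smtpd[2110]: Anonymous TLS connection established from unknown[203.0.113.5]: TLSv1 with cipher AES128-SHA (128/128 bits)
Nov  6 09:03:09 mx1 postfix/submission/smtpd[2111]: Anonymous TLS connection established from unknown[203.0.113.9]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Nov  6 09:04:00 mx1 postfix/submission/smtpd[2110]: disconnect from unknown[203.0.113.5]
"""

# Matches the server-side "TLS connection established" line and captures
# the logging service, peer address and negotiated protocol.
TLS_LINE = re.compile(
    r"(?P<service>postfix\S*/smtpd)\[\d+\]: "
    r"\w+ TLS connection established from \S+\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher \S+"
)

# Protocol names as OpenSSL reports them for versions below TLS 1.2.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}


def tally(lines):
    """Return (protocol counts per service, legacy-protocol peer IPs per service)."""
    counts = defaultdict(Counter)
    legacy_peers = defaultdict(set)
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS handshake summary line
        counts[m["service"]][m["proto"]] += 1
        if m["proto"] in LEGACY:
            legacy_peers[m["service"]].add(m["ip"])
    return counts, legacy_peers


if __name__ == "__main__":
    counts, legacy = tally(SAMPLE_LOG.splitlines())
    for service in sorted(counts):
        total = sum(counts[service].values())
        old = sum(n for p, n in counts[service].items() if p in LEGACY)
        print(f"{service}: {old}/{total} sessions below TLS 1.2, "
              f"peers: {sorted(legacy[service])}")
```

Run over a few weeks of real logs, the per-service split shows whether the remaining legacy sessions come from submission clients or from other MTAs on port 25.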
