On Fri, Jul 02, 2021 at 03:14:58PM +0200, Marek Kozlowski wrote:
It looks like '!TLSv1' is seen as something like "!TLSv1.x" ("no TLS 1.x at all") rather than "!TLSv1.0". Yes, it is a stupid supposition, but I cannot think of any other explanation. Is it possible?
On 02.07.21 15:56, Bastian Blank wrote:
No, !TLSv1 means no TLS 1.0. The reason is more simple: there exist virtually no TLSv1.1 implementations, as 1.2 was published only two years later, but there still exist quite some TLSv1.0 implementations in legacy systems. So all still existing systems support either 1.0, 1.2 or 1.3 (usually including all the older versions as well).
I would rather say that nearly all implementations that support TLSv1.1 also support TLSv1.2. However, there's no point in allowing TLSv1.0 but not TLSv1.1.

Server-to-server connections should support TLSv1.0 as well; client connections are often required to support at least TLSv1.2.

smtpd_tls_mandatory_protocols is used on ports where TLS is mandatory, which usually means ports used by clients. smtpd_tls_protocols is used where TLS is not mandatory, which mostly means server connections. Thus it's mostly safe to put

smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1

or even

smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1

-- 
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Depression is merely anger without enthusiasm.
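The question that opened the thread (does '!TLSv1' drop only TLS 1.0, or every TLS 1.x?) and the policy advice in the reply above can both be checked with a small model of how Postfix evaluates a protocol list. The following is an added example written for this page, not Postfix's own code; it assumes the documented list semantics (an exclusion list of "!name" entries starts from all protocols and removes the named ones, an inclusion list starts empty and adds the named ones, names are compared case-insensitively, and entries are separated by commas, colons or whitespace). The helper `policy_findings` and the rule-of-thumb checks it applies are this example's own, not a Postfix feature; the newer ">=TLSv1.2" range syntax is not modelled.

```python
"""Model of Postfix-style TLS protocol lists (added example, not Postfix code)."""
import re

# Protocol names in version order. "TLSv1" names TLS 1.0 only; TLS 1.1 is "TLSv1.1".
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}   # case-insensitive lookup


def parse_protocol_list(spec):
    """Return the tuple of protocols a protocol list permits, in version order.

    Exclusion form ("!SSLv2,!SSLv3,!TLSv1") removes names from the full set;
    inclusion form ("TLSv1.2 TLSv1.3") lists the permitted names explicitly.
    An empty list is treated here as "no restriction" (assumption of this
    model). Mixing the two forms or naming an unknown protocol raises.
    """
    tokens = [t for t in re.split(r"[\s,:]+", spec.strip()) if t]
    if not tokens:
        return ALL_PROTOCOLS
    excluded = [t[1:] for t in tokens if t.startswith("!")]
    included = [t for t in tokens if not t.startswith("!")]
    if excluded and included:
        raise ValueError("inclusion and exclusion forms must not be mixed: %r" % spec)
    for name in excluded + included:
        if name.lower() not in _CANON:
            raise ValueError("unknown protocol name: %r" % name)
    if excluded:
        dropped = {_CANON[n.lower()] for n in excluded}
        return tuple(p for p in ALL_PROTOCOLS if p not in dropped)
    wanted = {_CANON[n.lower()] for n in included}
    return tuple(p for p in ALL_PROTOCOLS if p in wanted)


def policy_findings(opportunistic_spec, mandatory_spec):
    """Apply the thread's rules of thumb to a smtpd_tls_protocols /
    smtpd_tls_mandatory_protocols pair; returns a list of findings
    (empty when nothing looks wrong). Hypothetical helper for this example.
    """
    opportunistic = parse_protocol_list(opportunistic_spec)
    mandatory = parse_protocol_list(mandatory_spec)
    findings = []
    for label, allowed in (("smtpd_tls_protocols", opportunistic),
                           ("smtpd_tls_mandatory_protocols", mandatory)):
        if "SSLv2" in allowed or "SSLv3" in allowed:
            findings.append("%s still permits SSLv2/SSLv3" % label)
        # Allowing TLS 1.0 while refusing TLS 1.1 gains nothing: peers that
        # speak only 1.1 but not 1.2 are practically non-existent.
        if "TLSv1" in allowed and "TLSv1.1" not in allowed:
            findings.append("%s allows TLS 1.0 but not TLS 1.1" % label)
    # Mandatory-TLS ports (submission clients) should be at least as strict
    # as the opportunistic server-to-server setting.
    if not set(mandatory) <= set(opportunistic):
        findings.append("mandatory list is looser than the opportunistic list")
    return findings


if __name__ == "__main__":
    # Constructed sample settings taken from the discussion above.
    print(parse_protocol_list("!SSLv2,!SSLv3,!TLSv1"))          # TLSv1.1 survives
    print(parse_protocol_list("!SSLv2,!SSLv3,!TLSv1,!TLSV1.1"))  # case-insensitive
    print(policy_findings("!SSLv2,!SSLv3", "!SSLv2,!SSLv3,!TLSv1"))
```

Running it shows that "!SSLv2,!SSLv3,!TLSv1" leaves TLSv1.1, TLSv1.2 and TLSv1.3 permitted, so a peer that negotiates TLS 1.1 is not evidence that "!TLSv1" was read as "!TLSv1.x". To see what a live server actually has set, compare against `postconf smtpd_tls_protocols smtpd_tls_mandatory_protocols`.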
