On 6 Sep 2019, at 01:57, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 06.09.19 00:57, @lbutlr wrote:
>> TLSv1.0 is EOLed and should not be used nor supported.
>
> well, if your clients (some old server installations) only support tls1.0,
> it's better to allow it than forcing it to go plaintext or reject the mail at
> all.

I don’t agree. It is thinking like this that leads to people still wanting to use RC4-SHA or HTTP AUTH.

> http://postfix.1071664.n5.nabble.com/Update-to-recommended-TLS-settings-td78583.html

That is four years ago and largely covers maintaining support for the 16 year-old Exchange 2003. The difference right now is that TLSv1.0 is end-of-life and has known flaws. It should no more be used than MD5 or RC2.

However, I think here we were talking about TLS connections from sending servers; there TLSv1.0 is already basically unused. You are more likely to not get an opportunistic encryption at all than TLSv1.

On 6 Sep 2019, at 00:51, Reio Remma <r...@mrstuudio.ee> wrote:
> I recently did an experiment where I stopped accepting incoming e-mail
> without TLS. This seemingly cut off about 95-99% of spam. Unfortunately there
> still seem to be a small percentage of servers sending without TLS, so that
> was a no go.

I took that to mean the OP was not talking about submission from clients, but incoming mail from other servers.

--
The trouble with being a god is that you've got no one to pray to.