On 11/14/2018 4:08 PM, Michael A. Peters wrote:
Honestly that violates the concept of KISS.
Given that TLS 1.2 is now a decade old, do you really need to still allow clients not capable of TLS 1.0/1.1 ???
I still do but only allow cipher suites with Forward Secrecy.
I don't run a huge mail server, but from a quick look at my logs I don't even see any clients connecting that aren't TLS 1.2 anymore.
Might be easier to just give a six month notice that clients running TLS more than a decade old will no longer be supported.
+1
Strongly agree with this. If you have enough users that you have to use both hands to count them, running different protocols on different ports is a sure-fire way to annoy your users and create problems for support staff (e.g. you). Either allow the antique protocol everywhere, or give notice and cut it off.
-- Noel Jones
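The check both posters lean on (look at the logs, see whether anyone still connects below TLS 1.2, and whether every session used a forward-secret cipher) can be automated. The script below is an added example, not code from the thread or from Postfix; it parses the "TLS connection established" summary lines that Postfix smtpd and smtp write at TLS log level 1 or higher. The sample log lines, hostnames and addresses are constructed for the example and use documentation ranges.

```python
"""Added example: tally TLS protocol versions from Postfix logs before
dropping TLS 1.0/1.1, and flag sessions whose cipher lacks forward secrecy.

Parses the "TLS connection established" lines that Postfix smtpd (inbound,
"from") and smtp (outbound, "to") log with smtpd_tls_loglevel /
smtp_tls_loglevel >= 1. The sample lines below are constructed for the
example; the hostnames and addresses are documentation ranges, not real peers.
"""
import re
from collections import Counter

TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>\S+): "
    r"(?P<proto>SSLv[23]|TLSv1(?:\.\d)?) with cipher (?P<cipher>\S+)"
)

# Ordering of protocol versions, used to decide what counts as "legacy".
PROTO_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def has_forward_secrecy(proto, cipher):
    """True if the key exchange is ephemeral. Every TLS 1.3 suite is; for
    TLS 1.2 and older, OpenSSL names forward-secret suites ECDHE-* or DHE-*."""
    if proto == "TLSv1.3":
        return True
    return cipher.startswith(("ECDHE-", "DHE-"))


def parse_tls_line(line):
    """Return the fields of a Postfix TLS session line, or None for other lines."""
    m = TLS_LINE.search(line)
    return m.groupdict() if m else None


def audit(lines, minimum="TLSv1.2"):
    """Summarise TLS sessions: count per protocol version, peers that
    negotiated a version below `minimum`, and sessions without forward secrecy."""
    by_proto = Counter()
    legacy = []   # (direction, peer, proto) for sessions below `minimum`
    non_fs = []   # (direction, peer, proto, cipher) for non-ephemeral key exchange
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue  # not a TLS session summary (connect, disconnect, queue lines...)
        by_proto[rec["proto"]] += 1
        if PROTO_RANK[rec["proto"]] < PROTO_RANK[minimum]:
            legacy.append((rec["direction"], rec["peer"], rec["proto"]))
        if not has_forward_secrecy(rec["proto"], rec["cipher"]):
            non_fs.append((rec["direction"], rec["peer"], rec["proto"], rec["cipher"]))
    return {"by_protocol": dict(by_proto), "legacy": legacy, "non_fs": non_fs}


# Constructed sample log lines in Postfix's format (not from a real server).
SAMPLE_LOG = """\
Nov 14 16:08:01 mx1 postfix/smtpd[2312]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 14 16:08:05 mx1 postfix/smtpd[2313]: Untrusted TLS connection established from old-relay.example.net[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Nov 14 16:08:09 mx1 postfix/smtpd[2314]: Anonymous TLS connection established from smtp.example.com[203.0.113.5]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Nov 14 16:08:12 mx1 postfix/smtp[2320]: Trusted TLS connection established to mx.example.com[192.0.2.44]:25: TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 14 16:08:15 mx1 postfix/smtpd[2315]: Anonymous TLS connection established from legacy.example.net[198.51.100.8]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Nov 14 16:08:20 mx1 postfix/smtpd[2316]: connect from unknown[192.0.2.99]
""".splitlines()

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for proto, n in sorted(report["by_protocol"].items(), key=lambda kv: PROTO_RANK[kv[0]]):
        print(f"{proto:8} {n}")
    for direction, peer, proto in report["legacy"]:
        print(f"below TLSv1.2: {direction} {peer} ({proto})")
    for direction, peer, proto, cipher in report["non_fs"]:
        print(f"no forward secrecy: {direction} {peer} ({proto} {cipher})")
```

Run it over the real mail log (for example `audit(open("/var/log/mail.log"))`) for the whole notice period; the "from" entries in the legacy list are the clients that the cut-off would break. Once that list stays empty, the cut-off itself is a main.cf change to the real Postfix parameters `smtpd_tls_protocols` (opportunistic TLS) and `smtpd_tls_mandatory_protocols` (mandatory TLS), which accept exclusions such as `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1`.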