different TLS protocols on different ports

Noel noeldude at gmail.com
Thu Nov 15 00:49:13 EET 2018


On 11/14/2018 4:08 PM, Michael A. Peters wrote:
> Honestly that violates the concept of KISS.
>
> Given that TLS 1.2 is now a decade old, do you really need to
> still allow clients not capable of TLS 1.0/1.1 ???
>
> I still do but only allow cipher suites with Forward Secrecy.
>
> I don't run huge mail server, but from quick look at my logs I
> don't even see any clients connecting that aren't TLS 1.2 anymore.
>
> Might be easier to just give a six month notice that clients
> running TLS more than a decade old will no longer be supported.

+1

Strongly agree with this.  If you have enough users that you have to
use both hands to count them, running different protocols on
different ports is a sure-fire way to annoy your users and create
problems for support staff (e.g. you).  Either allow the antique
protocol everywhere, or give notice and cut it off.

  -- Noel Jones
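
Added example (editor's note, not part of the thread and not something
either poster supplied): the "one policy everywhere" approach the two
replies recommend, expressed as a Dovecot 2.3 ssl section.  The minimum
protocol and the forward-secrecy-only cipher list apply to every
listener (imaps, pop3s, STARTTLS on 143/110, submission), so there is
no per-port split to explain to users.  The file path for the DH
parameters is assumed; adjust it to your installation.

```conf
# /etc/dovecot/conf.d/10-ssl.conf  (Dovecot 2.3 syntax, example only)

ssl = required

ssl_cert = </etc/dovecot/private/mail.example.org.pem   # assumed paths
ssl_key  = </etc/dovecot/private/mail.example.org.key

# One global floor for every listener.  Clients older than TLS 1.2 are
# refused on all ports alike, which is the "give notice and cut it off"
# option from the thread.  (Dovecot 2.2 spelled this as
# ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1 instead.)
ssl_min_protocol = TLSv1.2

# Forward secrecy only: ECDHE and DHE key exchange, no static RSA.
# OpenSSL cipher-list syntax; the server's order wins.
ssl_cipher_list = ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4
ssl_prefer_server_ciphers = yes

# DHE suites need DH parameters in 2.3 (assumed path; generate with
# openssl dhparam -out /etc/dovecot/dh.pem 4096).
ssl_dh = </etc/dovecot/dh.pem
```

Before flipping the floor, the "quick look at my logs" step from the
quoted message is the check worth doing: grep the imap-login / pop3-login
lines for the period of notice you gave and confirm nothing below
TLS 1.2 is still connecting.  If the log format does not record the
negotiated version, add it to login_log_format_elements for the notice
period rather than guessing.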
