different TLS protocols on different ports

Noel noeldude at gmail.com
Thu Nov 15 00:49:13 EET 2018

On 11/14/2018 4:08 PM, Michael A. Peters wrote:
> Honestly that violates the concept of KISS.
> Given that TLS 1.2 is now a decade old, do you really need to
> still allow clients not capable of TLS 1.0/1.1 ???
> I still do but only allow cipher suites with Forward Secrecy.
> I don't run a huge mail server, but from a quick look at my logs I
> don't even see any clients connecting that aren't TLS 1.2 anymore.
> Might be easier to just give a six month notice that clients
> running TLS more than a decade old will no longer be supported.


Strongly agree with this.  If you have enough users that you have to
use both hands to count them, running different protocols on
different ports is a sure-fire way to annoy your users and create
problems for support staff (eg. you).  Either allow the antique
protocol everywhere, or give notice and cut it off.

  -- Noel Jones

More information about the dovecot mailing list