Re: [exim] POODLE...

Author: Viktor Dukhovni
To: exim-users
Subject: Re: [exim] POODLE...
On Fri, Oct 17, 2014 at 02:44:16AM -0400, Chris Siebenmann wrote:

> (This is not to say that you should leave SSLv3 on. I'd turn it off
> for various reasons, including that it's ancient.)
My advice is to leave it on. I understand that turning it off
feels good, and may even appease some auditors, but the net effect
of turning it off for SMTP is very slightly negative. A tiny, but
perhaps sensitive, fraction of systems (some older anti-spam/anti-virus
appliances) will now only be able to send you email in the clear.

If you want to gain some security, consider disabling RC4 on port
587, where TLS should be mandatory, and if any of the submission
clients are "bots" or other MTAs that use PLAIN auth, RC4 might
leak their credentials after some millions of messages.

All this said, most sites that choose to disable SSLv3 will likely
not notice any difference either way. The fraction of SMTP traffic
that is SSLv3 is tiny for most domains.

-- 
    Viktor.
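An added Exim configuration fragment (not from the poster or the Exim project) showing one way to express the split policy above: port 25 keeps the permissive default cipher list so legacy appliances can still negotiate opportunistic TLS, while port 587 gets a list without RC4 and AUTH is only advertised once TLS is up. The cipher strings are an assumed policy for illustration, not the poster's.

```exim
# Main section. Advertise STARTTLS to everyone on both listening ports.
tls_advertise_hosts = *
daemon_smtp_ports = 25 : 587

# Per-port cipher policy, OpenSSL cipher-string syntax.
# Port 25 is opportunistic TLS: keep the stock list so old
# anti-spam/anti-virus appliances do not fall back to cleartext.
# Port 587 is the submission port: drop RC4 (and anonymous/MD5 suites),
# since PLAIN credentials cross this port on every message.
tls_require_ciphers = ${if ={$received_port}{587} \
                          {HIGH:!RC4:!aNULL:!MD5} \
                          {DEFAULT}}

# Only advertise AUTH when the session is already encrypted, so
# submission clients cannot send PLAIN/LOGIN credentials in the clear.
auth_advertise_hosts = ${if def:tls_in_cipher {*}{}}

# Caveat: "!SSLv3" inside a cipher string removes cipher *suites* defined
# by SSLv3, not the protocol version. Protocol versions are controlled by
# openssl_options; the line below is what disabling the protocol would
# look like and is intentionally left commented, per the advice above.
# openssl_options = +no_sslv3
```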