On Sun, 19 May 2019, The Doctor via Exim-users wrote:
> How can I force e-mail from the Internet at large to be only accepted
> if and only if done by SSL/TLS methods?
Jeremy suggested the ACL condition "encrypted".
Can I ask a supplementary question?
TLS v1.0 and v1.1 are on the way out for https*;
how did you decide which versions to allow for mail?
If you use the same certificate for SMTP and POP, IMAP and/or HTTPS webmail
then using an old protocol leaves you open to cross-protocol downgrade
attacks (like DROWN but TLS instead of SSL).
On the other hand, I see more effort put into updating encryption for web
than for mail.
* e.g. https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/
Thanks,
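
One way to inform the version question raised above is to measure what inbound senders already negotiate. This is an added example, not part of the original message or of Exim: it tallies the `X=` (TLS protocol and cipher) field on arrival lines of an Exim main log and lists hosts that a minimum-version policy would reject. The log layout, the acceptance of both the `TLSv1.2` and `TLS1.2` spellings, the function names and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in the shape of Exim main-log lines; hosts and ids are made up.
SAMPLE_LOG = """\
2019-05-19 10:00:01 1hSAAA-0000aa-01 <= alice@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2101
2019-05-19 10:00:07 1hSAAB-0000ab-02 <= bob@example.net H=old.example.net [192.0.2.20] P=esmtps X=TLSv1:AES128-SHA:128 CV=no S=1877
2019-05-19 10:00:09 1hSAAB-0000ab-02 => carol@example.com R=dnslookup T=remote_smtp H=mx.example.com [198.51.100.5] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128
2019-05-19 10:01:15 1hSAAC-0000ac-03 <= news@example.com H=bulk.example.com [192.0.2.30] P=esmtp S=9120
2019-05-19 10:02:40 1hSAAD-0000ad-04 <= dave@example.org H=mx2.example.org [192.0.2.11] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=3300
2019-05-19 10:03:02 1hSAAE-0000ae-05 <= eve@example.net H=legacy.example.net [192.0.2.21] P=esmtps X=TLSv1.1:AES256-SHA:256 CV=no S=1500
"""

ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= \S+ .*?\bH=(\S+)")    # remote arrivals only
TLS_FIELD = re.compile(r" X=(TLS|SSL)v?(\d+)(?:\.(\d+))?:")  # TLSv1.2 or TLS1.2


def inbound_sessions(log_text):
    """Yield (host, label, version) per remote arrival; version is None for cleartext."""
    for line in log_text.splitlines():
        arrival = ARRIVAL.match(line)
        if arrival is None:
            continue  # deliveries (=>), local submissions, other log lines
        tls = TLS_FIELD.search(line)
        if tls is None:
            yield arrival.group(1), "cleartext", None
            continue
        proto, major, minor = tls.group(1), int(tls.group(2)), int(tls.group(3) or 0)
        # Any SSL version sorts below every TLS version.
        version = (major, minor) if proto == "TLS" else (0, 0)
        yield arrival.group(1), f"{proto}{major}.{minor}", version


def tally_inbound_tls(log_text):
    """Count remote arrivals per negotiated protocol label."""
    return Counter(label for _, label, _ in inbound_sessions(log_text))


def senders_below(log_text, minimum=(1, 2)):
    """List (host, label) for arrivals that were cleartext or below the minimum version."""
    return sorted((host, label) for host, label, version in inbound_sessions(log_text)
                  if version is None or version < minimum)


if __name__ == "__main__":
    print(tally_inbound_tls(SAMPLE_LOG))
    print(senders_below(SAMPLE_LOG))
```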