Re: [exim] GnuTLS vs OpenSSL

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] GnuTLS vs OpenSSL
On Sat, Sep 18, 2021 at 09:45:28PM +0100, Andrew C Aitchison via Exim-users wrote:

> > Besides this: About 85% of the incoming traffic is still unencrypted
> > (for my statistics, mainly because some high volume mailing list
> > servers do not use TLS), about 10% uses TLS1.3, 5% still uses TLS1.2
> > (I log TLS ciphers via +tls_cipher in Exim).
>
> It looks as though you do not allow TLSv1.1 - I suspect that a
> substantial fraction of that 85% would use it if you allowed it.
> For email it is probably better to allow TLSv1.1 than reject it
> and end up receiving the message in plain.


Make that TLS 1.0; almost nobody uses TLS 1.1, and the sites that don't
support at least TLS 1.2 almost invariably only support TLS 1.0.

There's little to nothing particularly wrong with TLS 1.0 for SMTP, and
certainly nothing that's fixed in TLS 1.1, so if the floor isn't TLS 1.2
it should be 1.0 (I still recommend leaving it enabled for now).

-- 
    Viktor.
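
Added example, not part of the original message or of Exim itself: one way to measure the protocol mix discussed in this thread from an Exim main log written with +tls_cipher, and to count the inbound sessions that a given TLS floor would exclude. The log lines are constructed, and the default main-log layout and the X=<protocol>:<cipher>:<bits> spelling (including the older "TLSv1" form) are assumptions about the local configuration.

```python
import re
from collections import Counter

# Constructed sample in the shape of Exim main-log entries (hosts, ids invented).
SAMPLE_LOG = """\
2021-09-18 21:40:01 1mRgA1-0000aa-01 <= a@example.org H=mx1.example.org [192.0.2.1] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=2101
2021-09-18 21:40:03 1mRgA2-0000aa-02 <= list@example.com H=lists.example.com [192.0.2.2] P=esmtp S=5310
2021-09-18 21:40:05 1mRgA3-0000aa-03 <= b@example.net H=out.example.net [192.0.2.3] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1874
2021-09-18 21:40:07 1mRgA4-0000aa-04 <= c@example.org H=old.example.org [192.0.2.4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=990
2021-09-18 21:40:09 1mRgA4-0000aa-04 => user@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.9] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 OK"
2021-09-18 21:40:11 1mRgA5-0000aa-05 <= list@example.com H=lists.example.com [192.0.2.2] P=esmtp S=4120
2021-09-18 21:40:12 1mRgA4-0000aa-04 Completed
"""

ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= ")   # date, time, message id, "<="
X_FIELD = re.compile(r" X=([^:\s]+)")       # protocol part of the X= field

def normalize(proto):
    """Map 'TLSv1', 'TLS1', 'TLSv1.2' ... to 'TLS1.0', 'TLS1.2' ..."""
    m = re.fullmatch(r"TLSv?(\d)(?:\.(\d))?", proto)
    return f"TLS{m[1]}.{m[2] or 0}" if m else proto

def tally(lines):
    """Count inbound messages per protocol; no X= field means plaintext."""
    counts = Counter()
    for line in lines:
        if not ARRIVAL.match(line):
            continue  # skip deliveries (=>), "Completed" and other entries
        m = X_FIELD.search(line)
        counts[normalize(m.group(1)) if m else "plaintext"] += 1
    return counts

def shares(counts):
    """Percentage of inbound messages per protocol."""
    total = sum(counts.values())
    return {k: round(100 * v / total, 1) for k, v in counts.items()} if total else {}

def below_floor(counts, floor="TLS1.2"):
    """Inbound TLS messages whose protocol is older than `floor`.
    Normalized names ('TLS1.0' .. 'TLS1.3') sort correctly as strings."""
    return sum(n for p, n in counts.items() if p.startswith("TLS") and p < floor)

if __name__ == "__main__":
    c = tally(SAMPLE_LOG.splitlines())
    print(shares(c), "excluded by a TLS1.2 floor:", below_floor(c))
```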