Originally posted by dito on the forum:
I think it is too soon to disable TLS 1.1 on mail on shared hosting servers. However we are using
ssl_email_configuration=intermediate because we want to have TLS 1.1 disabled on Apache/websites.
I think it would be much better if you could add a separate options.conf setting for mail, for example:
That way, we could have TLS 1.1 disabled for websites with ssl_configuration=intermediate and enabled for mail with ssl_mail_configuration=old - until we think enough time has passed to safely disable TLS 1.1 on mail also.
I did read above that we can use custom configs for exim and dovecot, but I would be much happier with an options.conf setting for mail.
More details on forum:
I added the following to dovecot.conf to track users.
login_log_format_elements = "user= method=%m rip=%r lip=%l mpid=%e %c %k"
I then can run the following to get a list of users not using TLSv1.2. It's messy but it works.
grep TLS /var/log/maillog|grep -v TLSv1.2|grep Login|cut -d ' ' -f 9 | sed 's/user=,//'| sort | uniq -c | sort -nr
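An added example, not from the thread: a small Python script that does the same tally as the grep pipeline above, parsed from log lines written in the shape of that login_log_format_elements setting, and that also flags logins that happened without TLS at all. The sample log lines, host name and user names below are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the dovecot login format from the
# post (user=<%u>, method=%m, rip=%r, lip=%l, mpid=%e, %c %k). Not real data.
SAMPLE_MAILLOG = """\
Jan 10 12:00:01 mx dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, mpid=1201, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 10 12:00:07 mx dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, mpid=1202, TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 10 12:00:09 mx dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, mpid=1203, TLS, TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 10 12:00:12 mx dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=203.0.113.20, lip=198.51.100.2, mpid=1204, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 10 12:00:15 mx dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.30, lip=198.51.100.2, TLS handshaking: SSL_accept() failed
Jan 10 12:00:20 mx dovecot: imap-login: Login: user=<dave@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=1205, secured
"""

# Only successful logins carry "-login: Login: user=<...>"; failed handshakes do not.
LOGIN_RE = re.compile(r"-login: Login: user=<(?P<user>[^>]*)>")
# %k renders as e.g. "TLSv1.2 with cipher ..."; TLS 1.0 shows up as plain "TLSv1".
PROTO_RE = re.compile(r"\b(?P<proto>TLSv1(?:\.\d)?|SSLv\d)\b with cipher")


def classify_logins(log_text: str) -> Counter:
    """Count successful logins per (user, protocol); 'plaintext' when no TLS string."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # disconnects, handshake failures, other noise
        p = PROTO_RE.search(line)
        proto = p["proto"] if p else "plaintext"
        counts[(m["user"], proto)] += 1
    return counts


def legacy_logins(log_text: str, modern=frozenset({"TLSv1.2", "TLSv1.3"})) -> Counter:
    """Same as the grep pipeline: logins whose protocol is not in `modern`."""
    return Counter({k: v for k, v in classify_logins(log_text).items() if k[1] not in modern})


if __name__ == "__main__":
    # Sorted like `sort | uniq -c | sort -nr`: most affected users first.
    for (user, proto), n in legacy_logins(SAMPLE_MAILLOG).most_common():
        print(f"{n:6d} {user} {proto}")
```

To run it against a real server, read /var/log/maillog in place of SAMPLE_MAILLOG; users listed here are the ones that would break when the old profile is retired.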
At first at the forum I put a like on this because I could understand the ease of use for others.
As for us we don't have issues with it yet, except a couple of older php scripts which try to send via smtp 1.0 or 1.1.
After reading the reply of smtalk, I agree with him that options.conf should not become a collection of EOL things.
However, in the future it might be better to wait until the real EOL date of things before really removing them.
I think it'd only add confusion, as switching to 'modern' for example, would require changing 2 settings instead of 1, and long-term that other setting wouldn't be used at all.
Personally I wouldn't like options.conf to become a collection of EOL/unused settings :) (we already have some, like suhosin, which is EOL, and some others)
Please note that if the OS does not support TLS 1.1 at all, it might not support it for browsing and FTP either, so it'd make sense to enable TLS 1.1 for them globally. For example, IE
@smtalk, hmm. Now that I am reading your reply, it occurs to me that we also have servers with CentOS 8, and I did not think of it before, but they might already not support TLS 1.1 in exim and dovecot? If so, it would not matter much for us, and I would withdraw my vote for this feature.
The reason I posted it is that I don't want to have several custom configs. I would really like a separate option for email to keep older mail clients working; just dumping TLS 1.1 causes major issues.
But doesn't FTP/HTTP cause the same? For example, I have Windows 7 with an old FileZilla, and I cannot connect to FTP using TLSv1.1. Then we might need ssl_ftp_configuration=old/intermediate/modern :)
Quote: "But doesn't FTP/HTTP cause the same? For example, I have Windows7 with old Filezilla, and I cannot connect to FTP using TLSv1.1."
The big difference is that you can easily update your old FileZilla on Windows 7, but you can't upgrade Outlook on Windows 7 (newest version on Windows 7 does not support TLS 1.1).
We are going to upgrade exim.conf and dovecot on our shared hosting servers today. We are going to use the default intermediate setting. Let's just hope not too many customers are affected.
We got a lot of clients affected. That's why we switched back to old. I am not one for having too many custom configs, but we might be forced to, because on the webserver side I want to keep it somewhat intermediate.