Re: openssl/libssl1 in Debian now blocks offlineimap?





On August 24, 2017 8:05:20 AM EDT, Bernhard Schmidt <berni@xxxxxxxxxx> wrote:
>Kurt Roeckx <kurt@xxxxxxxxx> wrote:
>
>> Disabling the protocols is the only way I know how to identify
>> all the problems. And I would like to encourage everybody to
>> contact the other side if things break and get them to upgrade.
>
>There is now #873065 on Postfix which suggests MTAs don't fall back to
>plain SMTP if the SSL handshake fails due to disabling of TLSv1.0 and
>TLSv1.1. I think this problem will be unsolvable before at least Google
>and Microsoft do the same on their inbound servers, forcing everyone to
>change configs.

The log in that bug shows something connecting to a Postfix smtpd, so someone else's inbound isn't relevant to that bug.

I need to find more information on it, but that is most likely a case of the sender not falling back to plain SMTP and so likely not a Postfix issue.

This does highlight problems with the current situation with openssl.  I can't think of a case where no encryption is a better result than use of TLS.

Scott K