
Re: openssl/libssl1 in Debian now blocks offlineimap?




Scott Kitterman <debian@xxxxxxxxxxxxx> wrote:
>
>
> On August 24, 2017 8:05:20 AM EDT, Bernhard Schmidt <berni@xxxxxxxxxx> wrote:
>>Kurt Roeckx <kurt@xxxxxxxxx> wrote:
>>
>>> Disabling the protocols is the only way I know how to identify
>>> all the problems. And I would like to encourage everybody to
>>> contact the other side if things break and get them to upgrade.
>>
>>There is now #873065 on Postfix which suggests MTAs don't fall back to
>>plain SMTP if the SSL handshake fails due to disabling of TLSv1.0 and
>>TLSv1.1. I think this problem will be unsolvable before at least Google
>>and Microsoft do the same on their inbound servers, forcing everyone to
>>change configs.
> The log in that bug shows something connecting to a Postfix smtpd, so
> someone else's inbound isn't relevant to that bug.

Yes and no. The point was, even if all Debian-based MTAs disabled
TLSv1.0/TLSv1.1 leading to delivery issues, a very large portion of
senders won't fix their servers. They simply won't give a damn. Unless
Google and Microsoft do the same, in which case they suddenly cannot
reach >50% of their targets anymore and are forced to fix their side.

The suggested procedure for Buster (disable TLSv1.0/TLSv1.1, then
contact everyone who breaks due to this) is not viable for email. This
will prevent public servers from testing Buster for the whole time.

> I need to find more information on it, but that is most likely a case
> of the sender not falling back to plain SMTP and so likely not a
> Postfix issue.

Indeed.

Bernhard