Re: openssl/libssl1 in Debian now blocks offlineimap?
- Date: Thu, 24 Aug 2017 14:07:31 -0700
- From: Clint Byrum <spamaps@xxxxxxxxxx>
- Subject: Re: openssl/libssl1 in Debian now blocks offlineimap?
Excerpts from Adam Borowski's message of 2017-08-24 22:10:40 +0200:
> On Thu, Aug 24, 2017 at 01:45:02PM +0000, Bernhard Schmidt wrote:
> > The point was, even if all Debian based MTAs disabled
> > TLSv1.0/TLSv1.1 leading to delivery issues a very large portion of
> > senders won't fix their servers. They simply won't give a damn. Unless
> > Google and Microsoft do the same, in which case they suddenly cannot
> > reach >50% of their targets anymore and are forced to fix their side.
> > The suggested procedure for Buster (disable TLSv1.0/TLSv1.1, then
> > contact everyone who breaks due to this) is not viable for email. This
> > will prevent public servers from testing Buster for the whole time.
> Fortunately, our default MTA uses gnutls, but it's not nice to screw postfix
> In the real world, refusing mails from even one customer or business
> partner, no matter how pants-on-the-head-retarded their mail setup is, is
> simply not an option.
> Their answer will be "your server is broken as my mail works elsewhere, it's
> your fault", no matter how much you preach TLS safety.
There may be an opportunity for a project to spin up which logs known
servers found to be using sub-standard TLS versions. Nothing like finding
out there's a hacker website which lists you as a prime target to motivate
budget allocations for fixes.
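
One way a mail operator could measure which sending servers would be cut off before disabling TLSv1.0/TLSv1.1, as discussed in the thread (an added example, not part of the original message). It assumes Postfix with `smtpd_tls_loglevel = 1` and its usual "TLS connection established from" log line; the log lines, host names and addresses below are constructed.

```python
import re
from collections import Counter, defaultdict

# Protocol names as OpenSSL reports them; "TLSv1" means TLS 1.0.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# Inbound TLS handshake line written by postfix/smtpd (assumed log format).
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: \w+ TLS connection established from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<proto>\S+) with cipher"
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
Aug 24 10:01:02 mx1 postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 24 10:03:40 mx1 postfix/smtpd[2107]: Anonymous TLS connection established from legacy.example.net[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Aug 24 10:05:11 mx1 postfix/smtpd[2110]: Anonymous TLS connection established from unknown[203.0.113.25]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 24 10:09:59 mx1 postfix/smtpd[2113]: Anonymous TLS connection established from legacy.example.net[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Aug 24 10:12:00 mx1 postfix/smtpd[2120]: connect from mail.example.org[192.0.2.10]
"""


def legacy_tls_report(lines):
    """Return (peers, legacy_sessions, total_tls_sessions).

    peers is a list of (host, ip, {protocol: count}) for every sender that
    negotiated a legacy protocol at least once, busiest sender first.
    """
    per_peer = defaultdict(Counter)
    total = legacy = 0
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue  # not an inbound TLS handshake line
        total += 1
        if m["proto"] in LEGACY:
            legacy += 1
            per_peer[(m["host"], m["ip"])][m["proto"]] += 1
    ranked = sorted(per_peer.items(),
                    key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(h, ip, dict(c)) for (h, ip), c in ranked], legacy, total


if __name__ == "__main__":
    peers, legacy, total = legacy_tls_report(SAMPLE_LOG.splitlines())
    print(f"{legacy} of {total} inbound TLS sessions used a legacy protocol")
    for host, ip, protos in peers:
        print(f"  {host} [{ip}]: {protos}")
```

Senders that fall back to plaintext or never attempt STARTTLS do not produce this log line, so they are not counted here.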