Excerpts from Adam Borowski's message of 2017-08-24 22:10:40 +0200:
> On Thu, Aug 24, 2017 at 01:45:02PM +0000, Bernhard Schmidt wrote:
> > The point was, even if all Debian based MTAs disabled
> > TLSv1.0/TLSv1.1 leading to delivery issues a very large portion of
> > senders won't fix their servers. They simply won't give a damn. Unless
> > Google and Microsoft do the same, in which case they suddenly cannot
> > reach >50% of their targets anymore and are forced to fix their side.
> >
> > The suggested procedure for Buster (disable TLSv1.0/TLSv1.1, then
> > contact everyone who breaks due to this) is not viable for email. This
> > will prevent public servers from testing Buster for the whole time.
>
> Fortunately, our default MTA uses gnutls, but it's not nice to screw postfix
> users.
>
> In the real world, refusing mails from even one customer or business
> partner, no matter how pants-on-the-head-retarded their mail setup is, is
> simply not an option.
>
> Their answer will be "your server is broken as my mail works elsewhere, it's
> your fault", no matter how much you preach TLS safety.
There may be an opportunity for a project to spin up which logs known servers found to be using sub-standard TLS versions. Nothing like finding out there's a hacker website which lists you as a prime target to motivate budget allocations for fixes.