Re: openssl/libssl1 in Debian now blocks offlineimap?
On August 24, 2017 8:05:20 AM EDT, Bernhard Schmidt <firstname.lastname@example.org> wrote:
>Kurt Roeckx <email@example.com> wrote:
>> Disabling the protocols is the only way I know how to identify
>> all the problems. And I would like to encourage everybody to
>> contact the other side if things break and get them to upgrade.
>There is now #873065 on Postfix which suggests MTAs don't fall back to
>plain SMTP if the SSL handshake fails due to disabling of TLSv1.0 and
>TLSv1.1. I think this problem will be unsolvable before at least Google
>and Microsoft do the same on their inbound servers, forcing everyone to
The log in that bug shows something connecting to a Postfix smtpd, so someone else's inbound isn't relevant to that bug.
I need to find more information on it, but that is most likely a case of the sender not falling back to plain SMTP and so likely not a Postfix issue.
This does highlight problems with the current situation with openssl. I can't think of a case where no encryption is a better result than use of TLS.