> On Feb 5, 2016, at 4:40 PM, Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx> wrote:
>
> I would be surprised by any legitimate SSL3 mail because the STARTTLS
> spec came long after TLS 1.0 was settled.

Surprise!

    http://www.engardelinux.org/modules/index/list_archives.cgi?list=postfix-users&page=0279.html&month=2013-09

But that was in 2013, and my response was:

    As I mentioned, at this time, deprecating SSLv3 is most likely
    counter-productive. I am hoping that in a couple of years it will
    be a practical default for the SMTP client only, where you can
    define exceptions for problem destinations via smtp_tls_policy_maps.

    A polite note to their postmaster linking to this thread may
    encourage them to start making plans to upgrade to inbound systems
    that can support TLSv1 and up (strictly speaking the STARTTLS EHLO
    response in SMTP promises support of TLS, an IETF standard, not SSLv3).

The timeline for SSLv3 deprecation turned out a bit better than I expected
(for various reasons that were hard to predict in 2013), so at this point
"no SSLv2/SSLv3" is a good choice for both SMTP clients and servers.

-- 
    Viktor.
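
Added example, not part of the original message: a Postfix configuration sketch of "no SSLv2/SSLv3" for both the SMTP client and server, with a per-destination exception through smtp_tls_policy_maps. The table path, the destination name legacy.example and the choice of exception are assumptions made for illustration.

```conf
# /etc/postfix/main.cf

# SMTP client (outbound): opportunistic TLS, SSLv2 and SSLv3 excluded.
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
# Applies to destinations at the "encrypt" level and higher.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# Per-destination overrides (path is an assumption).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# SMTP server (inbound): same exclusions.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

# Log a one-line summary per TLS session, so the protocol version
# negotiated with each peer is visible before and after the change.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

# /etc/postfix/tls_policy
#
# Keyed by next-hop destination. legacy.example is a constructed
# placeholder for a problem destination that cannot yet do TLSv1.
# In the policy table, protocol lists are colon-separated because
# attribute values may not contain whitespace or commas.
#
# This entry overrides smtp_tls_protocols for that destination only,
# excluding SSLv2 but not SSLv3. It has an effect only if the OpenSSL
# library Postfix is linked against still supports SSLv3.
legacy.example    may protocols=!SSLv2

# Rebuild the lookup table after editing:
#   postmap /etc/postfix/tls_policy
```

With the log level at 1, the delivery logs show which remaining peers still negotiate old protocol versions, which is the list of postmasters to contact before removing an exception.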