Viktor Dukhovni wrote: > On Tue, Feb 02, 2016 at 09:00:02PM -0500, Derek Atkins wrote: > > > Have you disabled non-TLS SMTP transport, too? > > That would clearly be premature. > > > If not, isn't there a chance that disabling SSLv3 will cause *SOME* > > email to fallback to non-encrypted? > > A very small chance, but given the rapidly diminishing and already > negligible fraction of systems that are only capable of SSLv3, this > is an acceptable cost of reducing the attack surface and opportunities > for downgrade and other attacks against the vast majority of > remaining systems. I'm sorry, but this information is strange. There exists *NO* downgrade vulnerability in TLS. There is a well-known-stupid unprotected "downgrade dance" implemented in a few web browsers, but that is something entirely different, and not a property of TLS or SSLv3. Btw. even SSLv3 still provides *ALL* the security properties officially documented for TLSv1.2 in rfc5246 Appendix F. What SSLv3 does not provide, however, is additional protection against obvious abuses of the TLS protocol beyond its original security goals, such as by ^SSL VPNs and Web Browsers. For authentication-less SMTP and programmatic clients, the original scope of TLS is sufficient, and therefore SSLv3 a perfectly sensible option. Disabling SSLv3 can not possibly provide any security benefit here, but may cause interop problems and less security for a few old peers. -Martin