Mailserver TLS version statistics? #1355
Comments
|
Interesting idea we also had, it would be better to have general statistics (like caniuse has for browsers), since only bench marking against the tested sites might be skewed. Statistics could be gathered by checking all MX records of the Tranco list. We proposed the Best Current Practice (BCP) 195 to the NCSC-NL TLS guideline revision, the BCP 195 includes:
Microsoft Online Exchange and Outook.com currently only support TLS v1.2. Based on RFC 8996 and the current deployment of TLS v1.2+ it feels save to drop TLS v1.0 and v1.1 on STARTTLS, but of course it's best to first check the percentage of TLS v1.0 and v1.1 traffic on the specific MX first. |
|
This would do a lot to inform the decision to disable TLSv1.0 and TLSv1.1. I and many others still would rather not disable them, as it can mean not receiving emails for job offers, rent updates, school transcripts, etc. Knowing adoption levels are above a very high threshold might convince more people. |
It would be very useful to see some aggregated statistics for TLS versions supported by tested mailservers. Statistics from the past 7-14-30 days or more. This would be beneficial especially for mailserver admins on which versions to support, and when to stop 1.0/1.1 support (in particular). Adding cipher suites to that would make it even better.
The text was updated successfully, but these errors were encountered: