ddavness
commented
2 years ago I am a bit reluctant in dropping <TLSv1.2 (at least by default) just yet. Unlike web browsers that get new versions relatively quickly and where old versions not supporting new protocols are dropped almost as soon as they are considered obsolete, some mail servers might still be running legacy software that doesn't support TLSv1.2. MIAB (and by consequence this fork, too) even supports mail to be sent or received in the clear if the other side doesn't support encryption.
According to Google, a chunk of the mail is still delivered in plaintext: https://transparencyreport.google.com/safer-email?hl=en
This said, there are some parameters that can for sure be improved without compromising compatibility too much. I'll be looking into that in the following days :)
psychofaktory
As test tools show, this area should be adjusted somewhat: https://www.hardenize.com/report/duqued.net/1644785601#email_tls https://tls.imirhil.fr/smtp/duqued.net https://www.immuniweb.com/ssl/central.duqued.net/KK1XjNVd/
TLSv1.0 and TLSv1.1 should be disabled, the used Cipher-Suites and ECDH curves and their order should be reviewed, so that the server meets the current security standards. I have found a recommendation for this here: https://ciphersuite.info/cs/?tls=tls12&security=recommended&software=openssl&sort=desc&singlepage=true
I found a description for the required adjustments here: https://the-digital-native.de/?p=26
The tests also indicate that the nginx configuration of the web server could still be improved: https://securityheaders.com/?q=central.duqued.net&hide=on&followRedirects=on