internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Mailserver TLS version statistics? #1355

Open thorsheim opened 6 months ago

thorsheim commented 6 months ago

It would be very useful to see some aggregated statistics for TLS versions supported by tested mailservers. Statistics from the past 7-14-30 days or more. This would be beneficial especially for mailserver admins on which versions to support, and when to stop 1.0/1.1 support (in particular). Adding cipher suites to that would make it even better.

bwbroersma commented 6 months ago

Interesting idea, which we also had: it would be better to have general statistics (like caniuse has for browsers), since only benchmarking against the tested sites might be skewed. Statistics could be gathered by checking all MX records of the Tranco list.

We proposed the Best Current Practice (BCP) 195 to the NCSC-NL TLS guideline revision; BCP 195 includes:

Microsoft Online Exchange and Outlook.com currently only support TLS v1.2. Based on RFC 8996 and the current deployment of TLS v1.2+ it feels safe to drop TLS v1.0 and v1.1 on STARTTLS, but of course it's best to first check the percentage of TLS v1.0 and v1.1 traffic on the specific MX.
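The check suggested above (measure the share of TLS 1.0/1.1 sessions on your own MX over a window before disabling them) can be done from the MTA's own logs. The following is an added example, not code from Internet.nl or from this thread; it assumes Postfix-style TLS summary log lines (the regex is this example's assumption about that format) and uses a constructed sample log, reporting per-version and per-cipher counts plus the peers that would be affected by dropping legacy versions.

```python
import re
from collections import Counter
from datetime import datetime

# Postfix writes one summary line per TLS session, inbound ("smtpd ... from")
# and outbound ("smtp ... to"). This pattern is an assumption about that format;
# adapt it if your MTA logs differently.
TLS_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/(?P<proc>smtpd?)\[\d+\]: "
    r"(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+): (?P<version>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)
LEGACY_VERSIONS = {"TLSv1", "TLSv1.1"}  # how Postfix names TLS 1.0 and TLS 1.1

# Constructed sample log for demonstration (not real traffic).
SAMPLE_LOG = """\
Mar  1 08:00:01 mx1 postfix/smtpd[1001]: Anonymous TLS connection established from a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 09:15:42 mx1 postfix/smtpd[1002]: Untrusted TLS connection established from legacy.example.org[192.0.2.20]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar  5 10:30:00 mx1 postfix/smtp[1003]: Trusted TLS connection established to mx.example.com[198.51.100.7]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  9 11:45:10 mx1 postfix/smtpd[1004]: Anonymous TLS connection established from b.example.net[192.0.2.30]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 10 12:00:00 mx1 postfix/smtpd[1005]: Untrusted TLS connection established from legacy.example.org[192.0.2.20]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Mar 10 12:05:00 mx1 postfix/smtpd[1006]: Anonymous TLS connection established from c.example.net[192.0.2.40]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
""".splitlines()

def parse_tls_sessions(lines, year, proc="smtpd"):
    """Yield (timestamp, peer, version, cipher) for each TLS session of `proc`.
    Syslog timestamps carry no year, so the caller supplies it."""
    for line in lines:
        m = TLS_LINE.match(line)
        if not m or m["proc"] != proc:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        yield ts, m["peer"], m["version"], m["cipher"]

def tls_version_report(lines, year, since, proc="smtpd"):
    """Count sessions per TLS version and cipher from `since` onwards, and list
    the peers still negotiating TLS 1.0/1.1 (the ones a shutdown would cut off)."""
    versions, ciphers, legacy_peers = Counter(), Counter(), Counter()
    for ts, peer, version, cipher in parse_tls_sessions(lines, year, proc):
        if ts < since:
            continue  # outside the reporting window (e.g. the last 30 days)
        versions[version] += 1
        ciphers[cipher] += 1
        if version in LEGACY_VERSIONS:
            legacy_peers[peer] += 1
    total = sum(versions.values())
    legacy_share = sum(versions[v] for v in LEGACY_VERSIONS) / total if total else 0.0
    return {"total": total, "versions": dict(versions), "ciphers": dict(ciphers),
            "legacy_share": legacy_share, "legacy_peers": dict(legacy_peers)}
```

Run it against the real log with `since` set to the start of the window you care about; a non-empty `legacy_peers` tells you which sending hosts would stop being able to deliver over TLS (and would fall back to plaintext or fail, depending on their policy) if 1.0/1.1 were switched off.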

Seirdy commented 5 months ago

This would do a lot to inform the decision to disable TLSv1.0 and TLSv1.1. I and many others still would rather not disable them, as it can mean not receiving emails for job offers, rent updates, school transcripts, etc. Knowing adoption levels are above a very high threshold might convince more people.