I just want to share some facts with you - and hopefully you will also add some of your experience.
SSL_ENABLE_INSECURE_SSLV2_HELLO=1
Some customers experienced communication issues with older SMTP clients, and also with applications that were using ancient OpenSSL versions, after upgrading their Domino to FP2IF1. This notes.ini parameter was introduced in FP3 IF1 to re-enable the V2 HELLO for compatibility reasons.
If you want some more details on this, you should visit Daniel Nashed's blog.
RouterFallbackNonTLS=1
Imagine you only enabled the DH ciphers on your Domino server, enabled STARTTLS and sent a mail to a server that also uses TLS but only supports non-DH TLS 1.2 ciphers.
What would happen? Right... the communication will fail and the sender will get an NDR. The console should show some "SSL I/O" error messages:
HTTP Server: SSL handshake failure, IP address [x.x.x.x], Keyring[keyfile.kyr],[SSL Error: Network IO error], code [4165]
With this .ini parameter enabled, the Domino server won't send an NDR to the sender but will instead fall back to non-TLS communication.
On the one hand this will improve user experience, but on the other hand it will also enable MITM attacks, and you can't be sure that every communication between you and your partners is encrypted, which is why I advise you not to enable this parameter if you want your communication to be secured.
DISABLE_SSLV3=1 & SSL_DISABLE_TLS_10=1
Since SSLV3 and TLS10 were cracked years ago, I would definitely advise you to deactivate these protocol versions if you communicate with servers outside of your local network.
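
To check a server against the settings discussed in this post, here is a small notes.ini audit script. It is an added example, not code from the original post or from the Domino product. It assumes plain "Name=Value" lines with names compared case-insensitively; the function names and the sample file are constructed for illustration.

```python
# Added example: audit a notes.ini for the four TLS parameters in this post.
# Assumption: "Name=Value" lines, parameter names compared case-insensitively.

# Parameters that weaken transport security when set to 1 (per the post).
RISKY_IF_ONE = {
    "SSL_ENABLE_INSECURE_SSLV2_HELLO": "V2 hello re-enabled for legacy clients",
    "ROUTERFALLBACKNONTLS": "router falls back to non-TLS when TLS fails",
}
# Parameters that switch an old protocol version off when set to 1.
SHOULD_BE_ONE = {"DISABLE_SSLV3": "SSLv3", "SSL_DISABLE_TLS_10": "TLS 1.0"}

def parse_notes_ini(text):
    """Return {UPPERCASE_NAME: [values in file order]}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # skip blanks, the [Notes] header and malformed lines
        name, value = line.split("=", 1)
        settings.setdefault(name.strip().upper(), []).append(value.strip())
    return settings

def audit(text):
    """Return a sorted list of (parameter, finding) tuples."""
    settings = parse_notes_ini(text)
    findings = []
    for name, why in RISKY_IF_ONE.items():
        if "1" in settings.get(name, []):
            findings.append((name, "enabled: " + why))
    for name, proto in SHOULD_BE_ONE.items():
        if "1" not in settings.get(name, []):
            findings.append((name, proto + " not explicitly disabled in this file"))
    for name in list(RISKY_IF_ONE) + list(SHOULD_BE_ONE):
        if len(set(settings.get(name, []))) > 1:
            findings.append((name, "conflicting duplicate entries"))
    return sorted(findings)

# Constructed sample file, not taken from a real server.
SAMPLE = """[Notes]
KeyFilename=keyfile.kyr
RouterFallbackNonTLS=1
disable_sslv3=1
SSL_ENABLE_INSECURE_SSLV2_HELLO=0
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A parameter reported as "not explicitly disabled" only means the file does not set it to 1; the effective default depends on the Domino release and should be checked on the server itself.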