
SMTP, TLS V1.0, PCI compliance and the future

Some days ago another PCI compliance scan happened and as always I had to manually disable TLS V1.0 in exim.conf. Before anyone moans about warranty: This is the only way to disable TLS V1.0 for SMTP and it is recommended by Sophos support. Last September I had a lengthy support case, they found a way to disable TLS V1.0 on the RED ports, but the SMTP/TLS problem still remains. And after every update I have to remember to revisit exim.conf, because that entry is overwritten every time an update is applied. Actually there is no way to disable TLS generally and persistently via the web GUI. If TLS V1.0 is not disabled, the security scan will fail.

PCI compliance means that TLS V1.0 has to be completely disabled. Until 30.06.17 they allow a transition period. If I cannot disable TLS V1.0 at the moment, they want me to send them a "Risk Mitigation and Migration Plan". That's a short one: edit exim.conf, restart the SMTP service and I am done. But this is for sure not a very professional way, that's patchwork.

Disabling TLS V1.0 means checking smtp.log every day for SSL23_GET_CLIENT_HELLO entries; every entry containing that is a failed SMTP connect because the sending mail server is not able to use TLS V1.2. It is unbelievable how many mail servers are not able to use a modern and recommended encryption, even the mail servers of world-wide acting companies like AOL, Paypal, Amazon, Facebook and others cannot.

This inability results in hundreds of exceptions in the "Skip TLS Negotiation Hosts/Nets" field, otherwise we won't receive mail from these unable mail servers. On the other side we have to offer TLS encryption for mail transfer for a lot of customers for the sake of security, so I cannot disable TLS at all with a * in the "Skip TLS Negotiation Hosts/Nets" field. So the cat is biting her tail.

 

Well... I am frustrated. This problem eats up a lot of time and actually I cannot see any light at the end of the tunnel. Sophos support didn't answer my question about how they think the future handling of TLS V1.0 should look.

How do you guys handle that, any thoughts?
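The daily smtp.log check described in the post can be scripted so the hosts that fail the handshake are tallied instead of read line by line. The following is an added example, not part of the original post and not Sophos or Exim code; the log lines are constructed in an Exim-like layout ("TLS error on connection from HOST [IP]"), which is an assumption about the smtp.log format, so the sed pattern may need adjusting to the real lines on the appliance.

```shell
#!/bin/sh
# Constructed sample lines in an Exim-like format (assumption: the real Sophos
# UTM smtp.log layout may differ; hex error codes deliberately omitted).
SAMPLE_LOG='2017-01-15 10:23:45 TLS error on connection from mx1.example.net [192.0.2.10] (SSL_accept): error:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol
2017-01-15 10:24:01 1cSxYz-0001Ab-Cd <= sender@example.org H=mx2.example.org [198.51.100.7] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=2048
2017-01-15 11:02:13 TLS error on connection from mx1.example.net [192.0.2.10] (SSL_accept): error:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol
2017-01-15 11:30:52 TLS error on connection from old-mail.example.com [203.0.113.5] (SSL_accept): error:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol'

# Read log lines on stdin and print "count host ip" for every peer whose
# handshake failed with SSL23_GET_CLIENT_HELLO, most frequent first.
# Successful TLS 1.2 deliveries (X=TLSv1.2) are not matched and are left out.
tls_failures() {
    grep 'SSL23_GET_CLIENT_HELLO' |
    sed -n 's/.*connection from \([^ ]*\) \[\([^]]*\)\].*/\1 \2/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2, $3 }'
}

# Only the IPs, one per line: a candidate list for the
# "Skip TLS Negotiation Hosts/Nets" field, to be reviewed by hand
# before anything is added, since each entry downgrades that peer to plaintext.
tls_failure_ips() {
    tls_failures | awk '{ print $3 }'
}

# Stand-alone run over the constructed sample; on the appliance pipe the
# real file instead: tls_failures < /var/log/smtp.log (path is an assumption).
printf '%s\n' "$SAMPLE_LOG" | tls_failures
```

Running it over the sample prints `2 mx1.example.net 192.0.2.10` and `1 old-mail.example.com 203.0.113.5`; the count tells you whether a failing peer is a one-off or a partner that retries every hour and really needs the exception.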



  • I just tell my clients to explain that the compliance tool was talking to the SMTP Proxy, not a web server, and that they will see that that's the case if they read the report closely.  The service notes that and everyone is on their way.

    Compliance scans are totally automated and there's no one that reads the results in depth before you're presented the report.  The only human intervention before you get the report is a quick scan of the summary by someone that then writes you a note that says it looks like you have some work to do.

    As you say, TLS1.0 must be completely eliminated by 2017 June 30.  Until then, I can't imagine why its acceptance by the SMTP Proxy is of any concern to the Payment Card Industry.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA