For those using Exchange on-premises (including SBS 2011), here are some best practice recommendations from the Exchange Team.
http://blogs.technet.com/b/exchange/archive/2015/07/27/exchange-tls-amp-ssl-best-practices.aspx
In a nutshell,
- Deploy supported operating systems, clients, browsers, and Exchange versions
- Test everything first by disabling SSL 3.0 in Internet Explorer on a client before touching the server
- Disable support for SSL 3.0 on the client
- Disable support for SSL 3.0 on the server
- Prioritize TLS 1.2 ciphers, and AES/3DES above others
- Strongly consider disabling RC4 ciphers
- Do NOT use MD5/MD2 certificate hashing anywhere in the chain
- Use RSA-2048 when creating new certificate keys
- When renewing or creating new requests, request SHA-256 or better for the certificate signature
- Know what your version of Exchange supports
- Use tools to test and verify
- Do NOT get confused by explicit TLS vs. implicit TLS
- (For now) Wait to disable TLS 1.0 on the Exchange server
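The server-side steps in that list (disable SSL 3.0, turn off RC4, put TLS 1.2 AES suites first, then verify) all come down to Schannel registry settings plus a handshake test. The script below is an added example written for this post, not code from the Exchange Team article. Run it elevated on the Exchange/IIS host, export the SCHANNEL key first, and reboot afterwards because Schannel reads these keys at start-up. The function names, the cipher-suite list, and the host name mail.example.com are assumptions; the suite names shown are the Windows Server 2008 R2 spellings (SBS 2011's OS) and differ on newer versions, so check them against the Schannel cipher-suite documentation for your build.

```powershell
# Added example: Schannel hardening for an on-premises Exchange host and a
# handshake check. Not from the Exchange Team post; names below are assumed.

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'SSL 3.0'
    foreach ($side in 'Server', 'Client') {
        $path = Join-Path $Schannel "Protocols\$Protocol\$side"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Enabled=0 refuses the protocol outright; DisabledByDefault=1 stops it
        # being offered by code that does not name its protocols explicitly.
        New-ItemProperty -Path $path -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Disable-SchannelCipher {
    param([Parameter(Mandatory)][string[]]$Cipher)   # e.g. 'RC4 128/128'
    # The PowerShell registry provider treats '/' as a path separator, so a key
    # named 'RC4 128/128' cannot be created with New-Item; use the .NET API.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
    foreach ($name in $Cipher) {
        $key = $ciphers.CreateSubKey($name)
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
    $ciphers.Close()
}

function Set-CipherSuiteOrder {
    param([Parameter(Mandatory)][string[]]$Suites)
    # Same location the "SSL Cipher Suite Order" Group Policy writes to.
    # The value is one comma-separated REG_SZ, limited to 1023 characters.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $list = $Suites -join ','
    if ($list.Length -gt 1023) { throw 'Cipher suite list exceeds the 1023-character limit' }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name Functions -Value $list -PropertyType String -Force | Out-Null
}

function Test-TlsHandshake {
    param([Parameter(Mandatory)][string]$ComputerName,
          [int]$Port = 443,
          [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol)
    # Returns $true if the server completes a handshake using exactly $Protocol.
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept any certificate: this tests protocol support, not trust.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Usage (assumed values):
Disable-SchannelProtocol -Protocol 'SSL 3.0'
Disable-SchannelCipher -Cipher 'RC4 128/128', 'RC4 56/128', 'RC4 40/128'
Set-CipherSuiteOrder -Suites @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',   # TLS 1.2 AES suites first
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',                  # TLS 1.0-compatible AES
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA')                 # 3DES last, per the post
# After the reboot, from a second machine that still has SSL 3.0 enabled client-side:
Test-TlsHandshake -ComputerName mail.example.com -Protocol Ssl3   # expect $false
Test-TlsHandshake -ComputerName mail.example.com -Protocol Tls    # expect $true while TLS 1.0 stays on
```

Two caveats a practitioner will hit: Test-TlsHandshake goes through the local Schannel, so run the SSL 3.0 probe from a machine where you have not yet disabled SSL 3.0 client-side, otherwise it fails locally and proves nothing about the server; and on Windows Server 2008 R2 TLS 1.1 and 1.2 are disabled by default, so the TLS 1.2 suites at the top of the list only take effect after you set the mirror-image Enabled=1 / DisabledByDefault=0 values under Protocols\TLS 1.2\Server and \Client. Keep TLS 1.0 enabled for now, as the last point in the list says.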