From: Victor Duchovni (Victor.Duchovni morganstanley.com)
Date: Fri Aug 21 2009 - 16:27:48 CDT
On Fri, Aug 21, 2009 at 10:54:49PM +0200, gmx wrote:
> Hi Victor,
>
> In http://marc.info/?l=postfix-users&m=116171112425304&w=2 you described
> problems with ciphers when connecting from MS-Exchange to postfix. Has there
> been any improvement in the last almost-3 years?
AFAIK, the problem is resolved in Vista at the latest SP levels. XP,
and perhaps Server 2003 are AFAIK still broken for ciphers other than RC4.
> In a similar vein, we are having problems to mandatorily send TLS encrypted
> mails from an MS-Exchange to a postfix.
>
> We always get a
>
> <<530 5.0.0 Permanent message delivery failure - 530 5.7.0 Must issue a
> STARTTLS command first (in reply to end of DATA command))>>
This is logged by the Postfix SMTP client, when sending mail out, not
the SMTP server. Perhaps you are inadvertently enforcing TLS post
content filter, ...
> Postfix 2.4.6 settings are
> smtpd_tls_cipherlist = MEDIUM:HIGH:!MD5:!aNULL
This parameter is not used in 2.3 or later, and this setting is not wise
in any case.
> smtpd_tls_mandatory_ciphers=medium
> smtpd_tls_exclude_ciphers=aNULL
This is fine.
> smtpd_enforce_tls = yes
Ignored.
> smtpd_tls_security_level=encrypt
This makes the former unnecessary.
> When we turn off the last 2, it all works fine, and the received header
> still claims that the message had
>
> > (using TLSv1 with cipher RC4-MD5 (128/128 bits))
> > (No client certificate requested)
> > (Authenticated sender: umbricht.ch sig.privasphere.com)
>
> but AFAIK without the last 2, we cannot prevent sending-side omissions of
> TLS from the receiving side and we would really like to ensure that as
> receivers.
Sure looks like you are having trouble forwarding mail received from
Exchange, not receiving from Exchange.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo postfix.org?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
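A configuration sketch of the situation Viktor points at, added here as an illustration and not taken from the thread: TLS is enforced on the public smtpd listener in main.cf, and the content-filter re-injection listener in master.cf overrides that setting so mail handed back by the filter over plain SMTP on loopback is not rejected at DATA with the 530 shown above. The filter transport name and ports 10024/10025 are assumptions.

```text
# main.cf (illustration only): enforce TLS on the public listener.
# smtpd_tls_cipherlist and smtpd_enforce_tls are obsolete in 2.3+,
# so they are left unset.
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL
# assumed content-filter transport; the filter re-injects on 10025
content_filter = scan:[127.0.0.1]:10024

# master.cf (illustration only): the re-injection listener.
# It inherits main.cf, so without the security_level override a plain
# SMTP submission from the filter fails with
# "530 5.7.0 Must issue a STARTTLS command first" at end of DATA.
127.0.0.1:10025 inet n - n - - smtpd
  -o smtpd_tls_security_level=none
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
```

After the change, check with "postconf -n" and "postconf -M" that the public listener still reports encrypt while only the loopback listener carries the override.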