From: Victor Duchovni (Victor.Duchovnimorganstanley.com)
Date: Fri Aug 21 2009 - 16:27:48 CDT
On Fri, Aug 21, 2009 at 10:54:49PM +0200, gmx wrote:
> Hi Victor,
> In http://marc.info/?l=postfix-users&m=116171112425304&w=2 you described
> problems with ciphers when connecting from MS-Exchange to postfix. Has there
> been any improvement in the last almost-3 years?
AFAIK, the problem is resolved in Vista at the latest SP levels. XP,
and perhaps Server 2003 are AFAIK still broken for ciphers other than RC4.
> In a similar vein, we are having problems to mandatorily send TLS encrypted
> mails from an MS-Exchange to a postfix.
> We always get a
> <<530 5.0.0 Permanent message delivery failure - 530 5.7.0 Must issue a
> STARTTLS command first (in reply to end of DATA command))>>
This is logged by the Postfix SMTP client, when sending mail out, not
the SMTP server. Perhaps you are inadvertently enforcing TLS post
content filter, ...
> Postfix 2.4.6 settings are
> smtpd_tls_cipherlist = MEDIUM:HIGH:!MD5:!aNULL
This parameter is not used in 2.3 or later, and this setting is not wise
in any case.
This is fine.
> smtpd_enforce_tls = yes
This makes the former unnecessary.
> When we turn off the last 2, it all works fine, and the received header
> still claims that the message had
> > (using TLSv1 with cipher RC4-MD5 (128/128 bits))
> > (No client certificate requested)
> > (Authenticated sender: umbricht.chsig.privasphere.com)
> but AFAIK without the last 2, we cannot prevent sending-side omissions of
> TLS from the receiving side and we would really like to ensure that as
Sure looks like you are having trouble forwarding mail received from
Exchange, not receiving from Exchange.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
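The diagnostic point in the reply above is that "530 5.7.0 Must issue a STARTTLS command first" reported "in reply to end of DATA command" comes from Postfix's own SMTP *client* (logged as postfix/smtp) talking to a next hop, not from the smtpd that received the message from Exchange. The following script is an added example, not code from the thread or from the Postfix project: it reads Postfix syslog lines, picks out this rejection, and reports whether it was logged by the client or the server process and which relay returned it. The log lines are constructed for the example (the hostnames, IPs, port 10025 and queue id are made up); the only assumption about format is the standard Postfix syslog layout `program[pid]: queueid: ... relay=host[addr]:port ... status=...`.

```python
import re

# Constructed sample log (not from the original mailing-list thread). The last
# line models mail re-injected to a content filter on 127.0.0.1:10025 that
# itself demands STARTTLS: Postfix's client (postfix/smtp) logs the 530.
SAMPLE_LOG = """\
Aug 21 22:50:01 mx postfix/smtpd[1234]: connect from exchange.example.test[192.0.2.10]
Aug 21 22:50:02 mx postfix/smtpd[1234]: Anonymous TLS connection established from exchange.example.test[192.0.2.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Aug 21 22:50:03 mx postfix/smtpd[1234]: 7A1B2C3D4E: client=exchange.example.test[192.0.2.10]
Aug 21 22:50:04 mx postfix/smtp[1301]: 7A1B2C3D4E: to=<user@example.test>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.5, status=bounced (host 127.0.0.1[127.0.0.1] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command))
"""

# syslog prefix: timestamp, host, "postfix/<program>[pid]: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>postfix/\w+)\[\d+\]: (?P<msg>.*)$"
)
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]+): ")
RELAY_RE = re.compile(r"relay=(?P<relay>\S+?),")
STARTTLS_530 = "Must issue a STARTTLS command first"


def _is_loopback(relay):
    """True when the relay string names a local listener (127.x or ::1)."""
    return relay is not None and (relay.startswith("127.") or relay.startswith("::1"))


def diagnose_starttls_rejections(log_text):
    """Return one finding per 530/STARTTLS line: who logged it and where it came from."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or STARTTLS_530 not in m["msg"]:
            continue
        prog = m["prog"]
        qid = QUEUE_RE.match(m["msg"])
        relay = RELAY_RE.search(m["msg"])
        relay_str = relay["relay"] if relay else None

        if prog == "postfix/smtp":
            direction = "outbound"
            if _is_loopback(relay_str):
                hint = ("local next hop rejected the message: check the TLS policy "
                        "of the content filter / re-injection listener, not the "
                        "inbound smtpd")
            else:
                hint = ("remote destination requires TLS: check "
                        "smtp_tls_security_level for that destination")
        elif prog == "postfix/smtpd":
            direction = "inbound"
            hint = "our own smtpd rejected a client that did not issue STARTTLS"
        else:
            direction = "other"
            hint = "unexpected program logged the rejection"

        findings.append({
            "queue_id": qid["qid"] if qid else None,
            "program": prog,
            "direction": direction,
            "relay": relay_str,
            "hint": hint,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose_starttls_rejections(SAMPLE_LOG):
        print(f"{f['queue_id']} {f['program']} ({f['direction']}) relay={f['relay']}: {f['hint']}")
```

Run against real `/var/log/mail.log` output, a finding with `direction == "outbound"` and a loopback relay is the "enforcing TLS post content filter" situation the reply describes; an `inbound` finding would instead mean smtpd itself turned a plaintext client away.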