On Tue, 24 Apr 2012 11:34:11 -0400 (EDT) Wietse Venema articulated:

> Jerry:
>> FreeBSD-8.2 STABLE
>> Postfix (2.10-20120422)
>> OpenSSL 1.0.1a 19 Apr 2012
>>
>> I just updated to the latest devel version of Postfix and
>> openssl-1.0.1a.
>>
>> Following the instructions (I think correctly) on this list, I
>> created the following file:
>>
>> cat tls_policy
>> hotmail.com may protocols=!SSLv2:!TLSv1.1:!TLS1.2
>>
>> I check it as so:
>>
>> postmap -q hotmail.com ./tls_policy
>> may protocols=!SSLv2:!TLSv1.1:!TLS1.2
>
> TLS1.2 is an invalid protocol name. Postfix will not send STARTTLS,
> disconnect, and make a plaintext connection if permitted.
>
>   Apr 24 11:11:27 spike postfix/smtp[19134]: warning:
>   65.55.96.11[65.55.96.11]:25: Invalid TLS protocol list
>   "!SSLv2:!TLSv1.1:!TLS1.2": aborting TLS session
>
> So your logs don't match the configuration.
I got those settings from your email to the list:

<quote>
However, it may be better to disable the new protocols for broken
sites only, with smtp_tls_policy_maps entries.

/etc/postfix/main.cf:
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

/etc/postfix/tls_policy:
    example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
</quote>

I did screw it up, I left out the "v" in the "TLSv1.2" protocol name.
However, even changing that did not make any difference.

> I have verified that Postfix + OpenSSL 1.0.1a fails to communicate
> with 65.55.96.11 with "default" settings, but succeeds when I disable
> TLSv1.2 (with smtp_tls_policy_maps or with smtp_tls_protocols).
>
> If you can't make it work with the policy table, simply specify in
> main.cf:
>
>   smtp_tls_protocols = !SSLv2,!TLSv1.2
>   smtp_tls_mandatory_protocols = !SSLv2,!TLSv1.2

This works fine for me. I fail to understand why the policy map fails
however.

> I don't see STARTTLS support on the MX hosts for hotmail.com, so I
> wonder why you ended up talking to 65.55.96.11.

No idea.

Thanks for your help.

-- 
Jerry ✌
postfix-u...@seibercom.net

_____________________________________________________________________
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
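The failure mode in this thread, a misspelled protocol name that makes Postfix abort the TLS session and fall back to plaintext wherever the policy permits it, can be caught before the map is deployed. The following linter is an added example, not code from the thread or from the Postfix project. It assumes the protocol names Postfix accepts in a `protocols=` list are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (plus TLSv1.3 in Postfix 3.4 and later), compares them case-sensitively against that documented spelling, and splits list values on both ":" (the policy-table form) and "," (the main.cf form), the two forms that appear above. The sample policy file is constructed and reproduces the thread's typo.

```python
"""Lint Postfix smtp_tls_policy_maps entries for misspelled protocol names.

Added example, not Postfix code: Postfix itself only reports the bad list
at delivery time ("Invalid TLS protocol list ...: aborting TLS session"),
after it has already given up on STARTTLS for that destination.
"""
import re

# Protocol names Postfix accepts in "protocols=" lists (assumption based on
# Postfix documentation; TLSv1.3 was added in Postfix 3.4).
VALID_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Constructed sample tls_policy file: the first entry reproduces the typo
# from the thread ("TLS1.2" instead of "TLSv1.2"), the second is correct,
# the third carries no protocols attribute at all.
SAMPLE_POLICY = """\
# comment lines and blank lines are ignored, as in postmap input
hotmail.com   may protocols=!SSLv2:!TLSv1.1:!TLS1.2
example.com   may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
example.net   encrypt
"""


def parse_policy(text):
    """Yield (destination, level, attributes) for each non-comment line.

    Policy-table values are whitespace-separated: the first word is the
    security level, any further words are name=value attributes.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # destination without a level: nothing to check here
        dest, level, attrs = fields[0], fields[1], {}
        for attr in fields[2:]:
            name, sep, value = attr.partition("=")
            if sep:
                attrs[name] = value
        yield dest, level, attrs


def check_protocols(value):
    """Return the tokens of a 'protocols=' value that are not known names.

    Tokens are separated by ':' (policy table) or ',' (main.cf) and may
    carry a leading '!' to exclude a protocol; the remainder must be one
    of VALID_PROTOCOLS. Empty tokens (trailing separators) are ignored.
    """
    bad = []
    for token in re.split(r"[:,]", value):
        if not token:
            continue
        name = token[1:] if token.startswith("!") else token
        if name not in VALID_PROTOCOLS:
            bad.append(token)
    return bad


def lint_policy(text):
    """Return a dict mapping destination -> list of invalid protocol tokens."""
    findings = {}
    for dest, _level, attrs in parse_policy(text):
        if "protocols" in attrs:
            bad = check_protocols(attrs["protocols"])
            if bad:
                findings[dest] = bad
    return findings


if __name__ == "__main__":
    for dest, bad in lint_policy(SAMPLE_POLICY).items():
        print(f"{dest}: invalid protocol token(s) {bad}; Postfix would abort "
              "the TLS session for this destination")
```

Running it against the constructed file flags only the `hotmail.com` entry, reporting `!TLS1.2` as the unknown token; a run over a real `/etc/postfix/tls_policy` before `postmap` is the point at which this check pays off.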