On Sat, Jan 04, 2014 at 08:16:42PM -0500, Wietse Venema wrote:

> Miles Fidelman:
> > A (hopefully) quick question: How does one disable TLS for a single 
> > destination?  (Yahoo has been exhibiting some funny problems with 
> > in-bound mail, and at least one person found that disabling TLS for 
> > yahoo servers was a work-around for them.)
> 
> Untested examples follow...
> 
> Approach 1: suppress STARTTLS by IP address
> ===========================================
> 
> Approach 2: suppress STARTTLS by domain name
> ============================================

Approach 3: Per destination TLS policy table
============================================
main.cf:
    indexed = ${default_database_type}:${config_directory}/
    smtp_tls_security_level = may
    smtp_tls_policy_maps = ${indexed}tls-policy

tls-policy:
    yahoo.com   none

# cd /etc/postfix; postmap tls-policy
============================================

All that said, it is perhaps more productive to detail the actual
problem, rather than implement a blunt work-around.

Even from a PBL-listed cable modem IP, I get working TLS from Yahoo:

posttls-finger: Connected to mta6.am0.yahoodns.net[98.138.112.34]:25
posttls-finger: < 220 mta1230.mail.ne1.yahoo.com ESMTP ready
posttls-finger: > EHLO amnesiac.example
posttls-finger: < 250-mta1230.mail.ne1.yahoo.com
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 41943040
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 STARTTLS
posttls-finger: > STARTTLS
posttls-finger: < 220 Start TLS
posttls-finger: mta6.am0.yahoodns.net[98.138.112.34]:25: Matched subjectAltName: *.yahoodns.net
posttls-finger: mta6.am0.yahoodns.net[98.138.112.34]:25: subjectAltName: yahoodns.net
posttls-finger: mta6.am0.yahoodns.net[98.138.112.34]:25 CommonName *.yahoodns.net
posttls-finger: certificate verification failed for mta6.am0.yahoodns.net[98.138.112.34]:25: untrusted issuer /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
posttls-finger: mta6.am0.yahoodns.net[98.138.112.34]:25: subject_CN=*.yahoodns.net, issuer_CN=DigiCert High Assurance CA-3, fingerprint=B7:12:F7:B2:7B:0F:3F:02:D3:D1:B7:F5:04:E7:3C:AE:56:82:F3:98, pkey_fingerprint=F0:66:F9:11:D9:39:43:65:4C:1C:00:86:93:F5:F2:7F:79:E6:BB:90
posttls-finger: Untrusted TLS connection established to mta6.am0.yahoodns.net[98.138.112.34]:25: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
posttls-finger: > EHLO amnesiac.example
posttls-finger: < 250-mta1230.mail.ne1.yahoo.com
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 41943040
posttls-finger: < 250 8BITMIME
posttls-finger: > QUIT
posttls-finger: < 221 Bye

Though, perhaps atypically, they negotiate TLSv1 DHE-RSA-CAMELLIA256-SHA
(256/256 bits), which is not usually hardware-accelerated via AES-NI.

-- 
        Viktor.
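Before reaching for the per-destination "none" policy above, it helps to turn a posttls-finger transcript like the one in this message into a short verdict (was STARTTLS offered, did a session come up, and at which trust level) and to keep an eye on which destinations have already been downgraded in the tls-policy map. The script below is an added example, not part of this thread or of Postfix; the transcript and policy map it parses are constructed samples with placeholder hosts, addresses and fingerprints, and the line formats it matches are the ones shown in the message above.

```python
"""Summarise a posttls-finger transcript and list tls-policy 'none' entries.

Added example; the sample transcript and policy map below are constructed
(placeholder hostnames, addresses and fingerprints), not captured data.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed posttls-finger output in the same shape as the message above.
SAMPLE_OUTPUT = """\
posttls-finger: Connected to mx.example.test[192.0.2.25]:25
posttls-finger: < 220 mx.example.test ESMTP ready
posttls-finger: > EHLO client.example
posttls-finger: < 250-mx.example.test
posttls-finger: < 250-PIPELINING
posttls-finger: < 250 STARTTLS
posttls-finger: > STARTTLS
posttls-finger: < 220 Start TLS
posttls-finger: mx.example.test[192.0.2.25]:25: Matched subjectAltName: *.example.test
posttls-finger: certificate verification failed for mx.example.test[192.0.2.25]:25: untrusted issuer /C=XX/O=Example CA/CN=Example Root CA
posttls-finger: mx.example.test[192.0.2.25]:25: subject_CN=*.example.test, issuer_CN=Example Issuing CA, fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33, pkey_fingerprint=FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
posttls-finger: Untrusted TLS connection established to mx.example.test[192.0.2.25]:25: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
posttls-finger: > EHLO client.example
posttls-finger: < 250 8BITMIME
posttls-finger: > QUIT
posttls-finger: < 221 Bye
"""

# Constructed tls-policy map; 'none' switches STARTTLS off for that destination.
SAMPLE_POLICY = """\
# per-destination TLS policy (constructed sample)
yahoo.com       none
example.test    secure match=.example.test
.example.org    may
"""

_RE_CONNECTED = re.compile(r"^posttls-finger: Connected to (\S+)$")
_RE_STARTTLS = re.compile(r"^posttls-finger: < 250[- ]STARTTLS$")
_RE_ESTABLISHED = re.compile(
    r"^posttls-finger: (Verified|Trusted|Untrusted|Anonymous) TLS connection "
    r"established to (\S+): (\S+) with cipher (\S+) \((\d+)/(\d+) bits\)")
_RE_VERIFY_FAIL = re.compile(
    r"^posttls-finger: certificate verification failed for \S+: (.*)$")
_RE_MATCHED = re.compile(r"Matched (subjectAltName|CommonName): (\S+)$")
_RE_CERT_FP = re.compile(r"(?<!pkey_)fingerprint=([0-9A-F:]+)")
_RE_PKEY_FP = re.compile(r"pkey_fingerprint=([0-9A-F:]+)")


@dataclass
class TlsProbe:
    server: Optional[str] = None
    offered_starttls: bool = False
    trust_level: Optional[str] = None      # Verified / Trusted / Untrusted / Anonymous
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    verify_error: Optional[str] = None
    cert_fingerprint: Optional[str] = None
    pkey_fingerprint: Optional[str] = None
    matched_names: List[Tuple[str, str]] = field(default_factory=list)


def parse_posttls_finger(text: str) -> TlsProbe:
    """Extract the connection outcome from a posttls-finger transcript."""
    probe = TlsProbe()
    for line in text.splitlines():
        line = line.rstrip()
        if m := _RE_CONNECTED.match(line):
            probe.server = m.group(1)
        elif _RE_STARTTLS.match(line):
            probe.offered_starttls = True
        elif m := _RE_ESTABLISHED.match(line):
            probe.trust_level, _, probe.protocol, probe.cipher = m.group(1, 2, 3, 4)
        elif m := _RE_VERIFY_FAIL.match(line):
            probe.verify_error = m.group(1)
        elif m := _RE_MATCHED.search(line):
            probe.matched_names.append((m.group(1), m.group(2)))
        elif m := _RE_CERT_FP.search(line):
            probe.cert_fingerprint = m.group(1)
            if p := _RE_PKEY_FP.search(line):
                probe.pkey_fingerprint = p.group(1)
    return probe


def assess(probe: TlsProbe) -> str:
    """One-line verdict: is a 'none' policy even addressing a TLS problem?"""
    if probe.server is None:
        return "no connection"
    if not probe.offered_starttls:
        return "STARTTLS not offered"
    if probe.trust_level is None:
        return "STARTTLS offered but no TLS session established"
    if probe.trust_level in ("Verified", "Trusted"):
        return f"{probe.trust_level} TLS: {probe.protocol} {probe.cipher}"
    return (f"{probe.trust_level} TLS ({probe.protocol} {probe.cipher}); "
            f"satisfies level 'may', would fail 'secure'/'verify': {probe.verify_error}")


def tls_disabled_destinations(policy_text: str) -> List[str]:
    """Destinations whose tls-policy entry is 'none', i.e. TLS switched off."""
    disabled = []
    for raw in policy_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1] == "none":
            disabled.append(fields[0])
    return disabled


if __name__ == "__main__":
    probe = parse_posttls_finger(SAMPLE_OUTPUT)
    print(probe.server, "->", assess(probe))
    print("TLS disabled for:", tls_disabled_destinations(SAMPLE_POLICY))
```

Run it against real output with `posttls-finger -c yahoo.com | python3 this_script.py`-style plumbing by replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; the "Untrusted" verdict is the normal result for `smtp_tls_security_level = may` without a configured CA bundle, and is not by itself a reason to disable TLS for a destination.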