On Mon, Aug 11, 2014 at 04:01:56PM -0400, Alex wrote:

> I have a fedora20 system with postfix-2.10.3 and have TLS set up and
> working correctly, at least to the best of my ability. We have a user that
> would like to send email to a system that apparently doesn't support TLS,
> but does support SSL. I'd imagine they are referring to SSLv3.

No. The user is referring to submission via port 465 "smtps", which, unlike
port 587 STARTTLS, is SMTP wrapped in SSL immediately after the TCP 3-way
handshake rather than negotiated after EHLO. Postfix by default interoperates
with SMTP servers that support only SSLv3.

> I'm not specifically excluding any ciphers in my configuration - wouldn't
> SSL automatically be supported if it is available on the remote system?

Yes, though if you make SSL/TLS mandatory (via smtp_tls_policy_maps and the
"encrypt" or "secure" levels) then some weaker ciphers are excluded by default.

> In other words, I believe I've set up my system to first try TLS, then SSL,
> then plaintext.

No, you have a system that tries STARTTLS, then plaintext. During the SSL/TLS
handshake the Postfix SMTP client will advertise support for a range of SSL
protocol versions from SSLv3 up to TLSv1.2 if your SSL library supports that.

> smtp_tls_CAfile = /var/www/mail.example.com-443/ssl/gd_bundle.crt

I would leave this empty; you're not checking certificates, so loading a
CAfile is a waste of CPU cycles.

> smtp_tls_exclude_ciphers = 3DES

Only needed for some Microsoft Exchange 2003 servers, but OK to enable
globally unless you're talking to some servers that only support 3DES.

> smtp_tls_note_starttls_offer = yes

Not needed.

> smtp_use_tls = yes

Set "smtp_tls_security_level = may" instead.

> smtpd_tls_loglevel = 2

Too verbose; use "1" instead of "2".

Finally, you've posted no logs, leaving everyone on this list blind to the
actual problem. If you want help, post logs that detail the problem you're
having.

-- 
	Viktor.
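The configuration below is an added worked example, not part of Viktor's reply or of any Postfix documentation. It collects the main.cf corrections from the reply and adds the piece the original poster actually needs: a route for the one destination that only speaks SMTPS on port 465. Because port 465 is SSL/TLS first and SMTP second, the Postfix SMTP client must be told to skip STARTTLS and wrap the connection immediately, which is what smtp_tls_wrappermode does. The per-destination "wrappermode" attribute of smtp_tls_policy_maps only arrived in Postfix 3.0, so on a 2.10 system the wrapper-mode client is a separate master.cf service selected through transport_maps. The domain example.net, the host mail.example.net and the service name smtps-out are placeholders, not anything from the original thread.

```conf
# ---- /etc/postfix/main.cf (corrections from the reply above) ----
# Opportunistic STARTTLS for everyone; replaces the obsolete "smtp_use_tls = yes".
smtp_tls_security_level = may
# Empty: at the "may" level certificates are not verified, so a CA bundle is dead weight.
smtp_tls_CAfile =
# Workaround for some Exchange 2003 servers; fine globally unless a peer has only 3DES.
smtp_tls_exclude_ciphers = 3DES
# Level 1 logs the negotiated protocol and cipher per session; 2 dumps far more than needed.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
# smtp_tls_note_starttls_offer is not needed and has been dropped.
# Hand selected destinations to a different delivery transport.
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing) ----
# example.net / mail.example.net are assumed placeholders for the SMTPS-only peer.
# Syntax: recipient domain, then "service:[nexthop]:port".
example.net    smtps-out:[mail.example.net]:465

# ---- /etc/postfix/master.cf ----
# A second copy of the smtp client that speaks SMTPS: TLS handshake right after
# the TCP handshake, then SMTP inside it. "encrypt" makes TLS mandatory on this
# route (no fallback to plaintext); it still does not verify the peer certificate.
smtps-out  unix  -       -       n       -       -       smtp
  -o smtp_tls_wrappermode=yes
  -o smtp_tls_security_level=encrypt
```

After "postmap /etc/postfix/transport" and "postfix reload", mail for example.net goes out through smtps-out on port 465 while every other destination keeps the opportunistic STARTTLS behaviour of the default smtp transport. If the SMTPS route must also authenticate the peer, the "encrypt" level is not enough: switch that service to "secure" or "verify" and point smtp_tls_CAfile at a real CA bundle again, since certificate checking is exactly what the "may" and "encrypt" levels omit. With smtp_tls_loglevel = 1 the maillog then shows one line per connection naming the protocol and cipher that were negotiated, which is the evidence the reply asks for.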