On Mon, Aug 11, 2014 at 04:01:56PM -0400, Alex wrote:

> I have a fedora20 system with postfix-2.10.3 and have TLS set up and
> working correctly, at least to the best of my ability. We have a user that
> would like to send email to a system that apparently doesn't support TLS,
> but does support SSL. I'd imagine they are referring to SSLv3.

No.  The user is referring to submission via port 465 "smtps",
which unlike port 587 STARTTLS, is SMTP wrapped in SSL immediately
after the TCP 3-way handshake, rather than negotiated after EHLO.

Postfix by default interoperates with SMTP servers that support
only SSLv3.

> I'm not specifically excluding any ciphers in my configuration - wouldn't
> SSL automatically be supported if it available on the remote system?

Yes, though if you make SSL/TLS mandatory (via smtp_tls_policy_maps
and the "encrypt" or "secure" levels) then some weaker ciphers are
excluded by default.

> In
> other words, I believe I've set up my system to first try TLS, then SSL,
> then plaintext.

No, you have a system that tries STARTTLS, then plaintext.  During
the SSL/TLS handshake the Postfix SMTP client will advertise support
for a range of SSL protocol versions from SSLv3 up to TLSv1.2 if
your SSL library supports that.

> smtp_tls_CAfile = /var/www/mail.example.com-443/ssl/gd_bundle.crt

I would leave this empty; you're not checking certificates, so
loading a CAfile is a waste of CPU cycles.

> smtp_tls_exclude_ciphers = 3DES

Only needed for some Microsoft Exchange 2003 servers, but OK to
enable globally unless you're talking to some servers that only
support 3DES.

> smtp_tls_note_starttls_offer = yes

Not needed.

> smtp_use_tls = yes

Set "smtp_tls_security_level = may" instead.

> smtpd_tls_loglevel = 2

Too verbose, use "1" instead of "2".

Finally, you've posted no logs, leaving everyone on this list blind
to the actual problem.  If you want help, post logs that detail the
problem you're having.

-- 
        Viktor.
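An added configuration sketch, not part of Viktor's reply or of the Postfix project's own documentation, showing how the settings recommended in the thread (opportunistic STARTTLS via "may", log level 1, an empty CAfile, 3DES excluded globally) combine with a dedicated delivery transport in Postfix wrapper mode for the one destination that only speaks SMTPS on port 465. The domain `smtps-only.example`, the host `mail.smtps-only.example` and the transport name `smtpswrap` are placeholders; Postfix main.cf does not allow trailing comments on a value line, so every comment below sits on its own line.

```text
# main.cf (assumes Postfix 2.10 as on the poster's system)
# Opportunistic STARTTLS; replaces the obsolete "smtp_use_tls = yes".
smtp_tls_security_level = may
# Level 2 is too verbose for routine operation.
smtp_tls_loglevel = 1
# Empty: no certificate verification happens at the "may" level.
smtp_tls_CAfile =
# Safe globally unless some peer supports nothing but 3DES.
smtp_tls_exclude_ciphers = 3DES
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport (placeholder destination; run "postmap" after editing)
# Route only this domain through the wrapper-mode transport on port 465.
smtps-only.example    smtpswrap:[mail.smtps-only.example]:465

# master.cf: a delivery transport that starts TLS immediately after the TCP
# handshake (what "SMTPS" on port 465 means) instead of negotiating STARTTLS
# after EHLO; "encrypt" makes TLS mandatory on this transport only.
smtpswrap  unix  -       -       n       -       -       smtp
  -o smtp_tls_wrappermode=yes
  -o smtp_tls_security_level=encrypt
```

Keeping the wrapper-mode transport separate means the global client keeps the default STARTTLS-then-plaintext behaviour the reply describes, while the single SMTPS-only peer gets a connection that is encrypted from the first byte and refused if TLS cannot be established.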
