> Any thoughts on next steps without having to contact the target
> domains? I have read about disabling TLSEXT_TYPE_PADDING when
> compiling OpenSSL - would this be my next step, or was this somehow
> fixed in the releases we are using? Any other way I could simulate
> this problem, as we have had to regress the versions until this
> is resolved?

http://postfix.1071664.n5.nabble.com/OpenSSL-1-0-1g-and-Ironport-SMTP-appliances-interop-issue-td66873.html

    "The only way to work-around this with Postfix linked to OpenSSL
    1.0.1g and continue to encrypt traffic to the destinations in
    question is to force the use of SSLv3 only. This requires a
    compatible Postfix version:

        * >= 2.6.15 if 2.6.x
        * >= 2.7.9 if 2.7.x
        * >= 2.8.10 if 2.8.x
        * >= 2.9.2 if 2.9.x
        * 2.10.0 and up

    tls_policy:
        example.com may protocols=SSLv3
        example.org encrypt protocols=SSLv3
        example.org fingerprint protocols=SSLv3 match=...
        example.org secure protocols=SSLv3
    "

Wietse
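
An added example, not part of the original message and not Postfix code: a small audit helper that checks a Postfix version against the minimums quoted above and lists every tls_policy entry pinned to `protocols=SSLv3`, so the workaround entries can be tracked and removed once the remote side is fixed. The function names and the sample table are assumptions made up for this illustration.

```python
import re

# Minimum patch level per 2.x branch, as listed in the quoted message.
MIN_PATCH = {(2, 6): 15, (2, 7): 9, (2, 8): 10, (2, 9): 2}

def supports_protocols_attr(mail_version):
    """True if the version (e.g. from `postconf -h mail_version`) meets the quoted minimums."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", mail_version)
    if not m:
        raise ValueError("unrecognised version: %r" % mail_version)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if (major, minor) >= (2, 10):
        return True                      # "2.10.0 and up"
    floor = MIN_PATCH.get((major, minor))
    return floor is not None and patch >= floor

def logical_lines(text):
    """Join Postfix table continuation lines; skip blank and comment lines."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()  # leading whitespace continues the entry
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current

def sslv3_pins(text):
    """Return (destination, level) for entries whose protocols value is exactly SSLv3."""
    pins = []
    for line in logical_lines(text):
        fields = line.split()
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        if attrs.get("protocols") == "SSLv3":
            pins.append((fields[0], fields[1]))
    return pins

# Constructed sample policy table (not from the original message).
SAMPLE = """\
# temporary workaround entries
example.com   may protocols=SSLv3
example.org   encrypt
    protocols=SSLv3
example.net   secure
"""

if __name__ == "__main__":
    print(supports_protocols_attr("2.8.9"), sslv3_pins(SAMPLE))
```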