On Fri, Aug 21, 2009 at 10:54:49PM +0200, gmx wrote:

> Hi Victor,
> 
> In http://marc.info/?l=postfix-users&m=116171112425304&w=2 you described
> problems with ciphers when connecting from MS-Exchange to postfix. Has there
> been any improvement in the last almost-3 years?

AFAIK, the problem is resolved in Vista at the latest SP levels.  XP,
and perhaps Server 2003 are AFAIK still broken for ciphers other than RC4.

> In a similar vein, we are having problems to mandatorily send TLS encrypted
> mails from an MS-Exchange to a postfix.
> 
> We always get a 
> 
> <<530 5.0.0 Permanent message delivery failure - 530 5.7.0 Must issue a
> STARTTLS command first (in reply to end of DATA command))>>

This is logged by the Postfix SMTP client, when sending mail out, not
the SMTP server. Perhaps you are inadvertently enforcing TLS post
content filter, ...

> Postfix 2.4.6 settings are
> smtpd_tls_cipherlist = MEDIUM:HIGH:!MD5:!aNULL

This parameter is not used in 2.3 or later, and this setting is not wise
in any case.

> smtpd_tls_mandatory_ciphers=medium
> smtpd_tls_exclude_ciphers=aNULL

This is fine.

> smtpd_enforce_tls = yes

Ignored.

> smtpd_tls_security_level=encrypt

This makes the former unnecessary.

> When we turn off the last 2, it all works fine, and the received header
> still claims that the message had 
> 
> >          (using TLSv1 with cipher RC4-MD5 (128/128 bits))
> >          (No client certificate requested)
> >          (Authenticated sender: umbricht...@sig.privasphere.com)
> 
> but AFAIK without the last 2, we cannot prevent sending-side omissions of
> TLS from the receiving side and we would really like to ensure that as
> receivers.

Sure looks like you are having trouble forwarding mail received from
Exchange, not receiving from Exchange.

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
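Added example, not part of the mail above and not Postfix's own code: a short POSIX sh audit of a main.cf fragment for the points the reply makes, namely that the pre-2.3 parameters (smtpd_tls_cipherlist, smtpd_enforce_tls and their smtp_* and *_use_tls siblings) are obsolete, that smtpd_tls_security_level overrides them when set, and that a 530 "Must issue a STARTTLS command first" seen at end of DATA is a reply the Postfix SMTP client received. The main.cf text inside the script is constructed from the settings quoted in the thread; the content_filter line and the master.cf override the warning suggests are assumptions about how such a 530 could arise after a content filter.

```shell
#!/bin/sh
# Added example (not from the original mail or from Postfix): audit a
# main.cf fragment for obsolete TLS parameters and for a likely
# post-filter TLS enforcement loop. SAMPLE_MAIN_CF is constructed from the
# settings quoted in the thread; the content_filter line is an assumption.

SAMPLE_MAIN_CF='smtpd_tls_cipherlist = MEDIUM:HIGH:!MD5:!aNULL
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL
smtpd_enforce_tls = yes
smtpd_tls_security_level = encrypt
content_filter = scan:127.0.0.1:10025'

# Parameters Postfix 2.3 and later treat as obsolete: ignored outright, or
# overridden whenever the corresponding *_tls_security_level is set.
LEGACY_PARAMS='smtpd_use_tls smtpd_enforce_tls smtpd_tls_cipherlist smtp_use_tls smtp_enforce_tls smtp_tls_cipherlist'

# get_param TEXT NAME: print NAME's value from a main.cf text (last one wins,
# as in Postfix), or nothing if it is unset.
get_param() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# find_legacy_params TEXT: print each obsolete parameter set in TEXT, one per line.
find_legacy_params() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' |
    while IFS= read -r name; do
        case " $LEGACY_PARAMS " in
            *" $name "*) printf '%s\n' "$name" ;;
        esac
    done
}

# effective_smtpd_level TEXT: the SMTP server TLS level Postfix 2.3+ actually
# uses. smtpd_tls_security_level wins; only when it is unset do the obsolete
# smtpd_enforce_tls / smtpd_use_tls flags still mean anything.
effective_smtpd_level() {
    level=$(get_param "$1" smtpd_tls_security_level)
    if [ -n "$level" ]; then
        printf '%s\n' "$level"
    elif [ "$(get_param "$1" smtpd_enforce_tls)" = yes ]; then
        printf 'encrypt\n'
    elif [ "$(get_param "$1" smtpd_use_tls)" = yes ]; then
        printf 'may\n'
    else
        printf 'none\n'
    fi
}

# strip_legacy_params TEXT: the same config with the obsolete lines dropped.
strip_legacy_params() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p')
        case " $LEGACY_PARAMS " in
            *" $name "*) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# filter_loop_warning TEXT: with server-side TLS mandatory and a
# content_filter configured, mail re-injected after the filter hits an smtpd
# that demands STARTTLS; the Postfix SMTP client then logs the 530 from the
# thread. Assumed remedy: the re-injection listener in master.cf overrides
# the level with "-o smtpd_tls_security_level=none", or the filter path uses TLS.
filter_loop_warning() {
    if [ "$(effective_smtpd_level "$1")" = encrypt ] && [ -n "$(get_param "$1" content_filter)" ]; then
        printf 'warn: smtpd TLS is mandatory and content_filter is set; the re-injection smtpd in master.cf needs -o smtpd_tls_security_level=none unless the filter path uses TLS\n'
    else
        printf 'ok\n'
    fi
}

printf 'Obsolete parameters present:\n'
find_legacy_params "$SAMPLE_MAIN_CF"
printf 'Effective smtpd TLS level: %s\n\n' "$(effective_smtpd_level "$SAMPLE_MAIN_CF")"
printf 'Cleaned main.cf:\n'
strip_legacy_params "$SAMPLE_MAIN_CF"
printf '\n%s\n' "$(filter_loop_warning "$SAMPLE_MAIN_CF")"
```

On a real box the same functions can be pointed at the live configuration with `find_legacy_params "$(postconf -n)"`, since `postconf -n` prints one `name = value` line per explicitly set parameter.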
