I have been using Exchange 2007 with a postfix mail gateway for almost 3 years now; both outbound and inbound are encrypted and I have had minimal issues (due to my own stupidity) with communications. I posted a few years ago when I was running Exchange 2003, which did not do encryption properly, and you had to make mods to postfix to make it work right. The following works for me (note I use the same root CA for both postfix and Exchange 2007):
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_auth_only = no
smtp_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server_selfsign.crt
smtpd_tls_CAfile = /etc/postfix/ssl/server_selfsign.crt
smtp_tls_CAfile = /etc/postfix/exchange.pem
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_mandatory_ciphers = high
smtpd_tls_loglevel = 14
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Victor Duchovni
Sent: Friday, August 21, 2009 2:28 PM
To: postfix-users@postfix.org
Subject: Re: MS-Exchange fails when receiving postfix has smtpd_enforce_tls=true

On Fri, Aug 21, 2009 at 10:54:49PM +0200, gmx wrote:

> Hi Victor,
>
> In http://marc.info/?l=postfix-users&m=116171112425304&w=2 you described
> problems with ciphers when connecting from MS-Exchange to postfix. Has there
> been any improvement in the last almost-3 years?

AFAIK, the problem is resolved in Vista at the latest SP levels. XP, and
perhaps Server 2003, are AFAIK still broken for ciphers other than RC4.

> In a similar vein, we are having problems mandatorily sending TLS-encrypted
> mails from an MS-Exchange to a postfix.
>
> We always get a
>
> <<530 5.0.0 Permanent message delivery failure - 530 5.7.0 Must issue a
> STARTTLS command first (in reply to end of DATA command))>>

This is logged by the Postfix SMTP client, when sending mail out, not the
SMTP server. Perhaps you are inadvertently enforcing TLS post content
filter, ...

> Postfix 2.4.6 settings are
> smtpd_tls_cipherlist = MEDIUM:HIGH:!MD5:!aNULL

This parameter is not used in 2.3 or later, and this setting is not wise
in any case.
> smtpd_tls_mandatory_ciphers=medium
> smtpd_tls_exclude_ciphers=aNULL

This is fine.

> smtpd_enforce_tls = yes

Ignored.

> smtpd_tls_security_level=encrypt

This makes the former unnecessary.

> When we turn off the last 2, it all works fine, and the received header
> still claims that the message had
>
> > (using TLSv1 with cipher RC4-MD5 (128/128 bits))
> > (No client certificate requested)
> > (Authenticated sender: umbricht...@sig.privasphere.com)
>
> but AFAIK without the last 2, we cannot prevent sending-side omissions of
> TLS from the receiving side, and we would really like to ensure that as
> receivers.

Sure looks like you are having trouble forwarding mail received from
Exchange, not receiving from Exchange.

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
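The diagnostic Viktor applies above (the "530 5.7.0 Must issue a STARTTLS command first" text is a Postfix smtpd reply, so when it turns up in a postfix/smtp client log line the client was delivering to some smtpd that enforced TLS, quite possibly the loopback re-injection port behind a content filter that inherited the global smtpd_tls_security_level=encrypt) can be scripted. The following Python is an added example, not code from this thread or from Postfix: it classifies constructed Postfix log lines by which side logged the 530 and which relay was involved, and scans a constructed main.cf/master.cf pair for loopback smtpd services that lack a per-service -o smtpd_tls_security_level override. The hostnames, IPs, queue IDs and the 10025 re-injection port are assumptions made up for the example.

```python
import re
from typing import Dict, List

# This 530 text is the wording of a Postfix smtpd. When a postfix/smtp (client)
# line carries it, the client was talking to an smtpd that enforced TLS.
STARTTLS_530 = "Must issue a STARTTLS command first"
LOG_RE = re.compile(r"postfix/(?P<proc>smtpd?)\[\d+\]: (?P<msg>.*)$")
RELAY_RE = re.compile(r"relay=(?P<host>[^\[\s,]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]+): ")

# Constructed sample log for this example (hosts, IPs and queue IDs are made up).
SAMPLE_LOG = """\
Aug 21 22:40:01 mx postfix/smtpd[1201]: Anonymous TLS connection established from exch01.example.test[192.0.2.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Aug 21 22:40:02 mx postfix/smtpd[1201]: 3F2B1C0123: client=exch01.example.test[192.0.2.10]
Aug 21 22:40:02 mx postfix/smtp[1305]: 3F2B1C0123: to=<bob@example.test>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.4, delays=0.1/0/0.1/0.2, dsn=5.0.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command))
Aug 21 22:41:10 mx postfix/smtp[1306]: 9A77C0456: to=<carol@partner.test>, relay=mail.partner.test[198.51.100.7]:25, delay=1.2, delays=0.2/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234ABCD)
Aug 21 22:42:00 mx postfix/smtpd[1210]: NOQUEUE: reject: MAIL from unknown[203.0.113.5]: 530 5.7.0 Must issue a STARTTLS command first; from=<x@example.net> proto=ESMTP helo=<x>
"""

# Constructed config: global encrypt, and a post-filter re-injection smtpd on
# 127.0.0.1:10025 that inherits it (weak), then the same service with the
# per-service override (fixed).
MAIN_CF = """\
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL
content_filter = smtp:[127.0.0.1]:10024
"""
MASTER_CF_WEAK = """\
smtp      inet  n       -       n       -       -       smtpd
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
"""
MASTER_CF_FIXED = MASTER_CF_WEAK + "  -o smtpd_tls_security_level=none\n"


def starttls_rejections(log_text: str) -> List[Dict[str, str]]:
    """Attribute each 530-STARTTLS line to the side that logged it and the peer involved."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or STARTTLS_530 not in m["msg"]:
            continue
        msg = m["msg"]
        q = QUEUE_RE.match(msg)
        relay = RELAY_RE.search(msg)
        f = {
            "logged_by": m["proc"],
            "qid": q["qid"] if q else "-",
            "relay_host": relay["host"] if relay else "",
            "relay_ip": relay["ip"] if relay else "",
            "relay_port": relay["port"] if relay else "",
        }
        if m["proc"] == "smtpd":
            f["diagnosis"] = "inbound: this server's smtpd enforced TLS on a client that never sent STARTTLS"
        elif f["relay_ip"].startswith("127.") or f["relay_host"] == "localhost":
            f["diagnosis"] = ("outbound to loopback re-injection port: the smtpd listening there "
                              "inherited the global smtpd_tls_security_level=encrypt")
        else:
            f["diagnosis"] = ("outbound: the next hop demanded TLS; check smtp_tls_security_level "
                              "and smtp_tls_policy_maps for that destination")
        findings.append(f)
    return findings


def loopback_smtpd_without_tls_override(main_cf: str, master_cf: str) -> List[str]:
    """Return loopback smtpd services that inherit a global smtpd_tls_security_level=encrypt."""
    params = {}
    for line in main_cf.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            params[k.strip()] = v.strip()
    if params.get("smtpd_tls_security_level") != "encrypt":
        return []
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            # indented "-o name=value" lines override main.cf for the current service
            if current is not None and line.strip().startswith("-o "):
                k, _, v = line.strip()[3:].partition("=")
                services[current][k.strip()] = v.strip()
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[7] == "smtpd":
            current = fields[0]
            services[current] = {}
        else:
            current = None
    return [name for name, ov in services.items()
            if (name.startswith("127.0.0.1:") or name.startswith("localhost:"))
            and "smtpd_tls_security_level" not in ov]


if __name__ == "__main__":
    for f in starttls_rejections(SAMPLE_LOG):
        print(f["logged_by"], f["qid"], f["relay_host"], f["relay_port"], "->", f["diagnosis"])
    print("weak:", loopback_smtpd_without_tls_override(MAIN_CF, MASTER_CF_WEAK))
    print("fixed:", loopback_smtpd_without_tls_override(MAIN_CF, MASTER_CF_FIXED))
```

Point the log function at your real mail log and the config function at /etc/postfix/main.cf and master.cf; a 530 logged by postfix/smtp against a 127.0.0.1 relay is the "enforcing TLS post content filter" case, and the fix is the per-service override on that re-injection service, not loosening the global setting that protects the Exchange-facing port.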