On Thu, Apr 12, 2012 at 09:04:01AM -0500, Noel Jones wrote:

> My main.cf has a note-to-self about this same cipher being broken on
> some old Windows versions in the distant past. Maybe an old bug has
> resurfaced.
>
> Possible workaround:
> smtpd_tls_exclude_ciphers = DES-CBC3-SHA
> smtp_tls_exclude_ciphers = DES-CBC3-SHA

Some older Unix systems that don't support AES may only offer 3DES, which is required by RFCs. So as a global setting, this is risky.

Generally, Windows systems that don't do AES only support RC4-MD5 (~Windows XP and 2003), while newer Windows systems support AES (Vista, Windows 7 and Server 2008). So it is up to the Windows system to not offer anything other than RC4 if that's all it can do. I would perhaps disable TLS to the destination if it is still broken, but otherwise it is their problem to fix.

-- 
Viktor.
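
The per-destination alternative mentioned in the reply, shown next to the global workaround from the quoted message. This is an added example and not part of the original thread; the table path `/etc/postfix/tls_policy` and the destination `legacy.example.com` are placeholders, and the settings cover only the outbound Postfix SMTP client.

```cfg
# ---- /etc/postfix/main.cf ----

# Global workaround from the quoted message. It removes 3DES for every
# peer, including older systems that can negotiate nothing else, so
# those sessions lose TLS or fail outright:
#
#   smtpd_tls_exclude_ciphers = DES-CBC3-SHA
#   smtp_tls_exclude_ciphers  = DES-CBC3-SHA

# Scoped alternative: leave the global cipher settings alone and attach
# a policy only to the destination that misbehaves.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- /etc/postfix/tls_policy ----
# The lookup key is the next-hop destination (the recipient domain or
# the transport next hop), not the MX hostname.
# "legacy.example.com" is a placeholder for the broken destination.

# Disable TLS to this one destination only:
legacy.example.com    none

# Narrower option on Postfix 2.6 and later: keep opportunistic TLS but
# drop the one cipher for this destination only (use instead of the
# "none" line above, not together with it):
#
#   legacy.example.com    may exclude=DES-CBC3-SHA

# After editing the table, rebuild it and reload Postfix:
#   postmap /etc/postfix/tls_policy
#   postfix reload
```

Mail to the listed destination goes out in cleartext while the `none` entry is in place, so the entry should be removed once the remote side is fixed.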