On Thu, Apr 12, 2012 at 09:04:01AM -0500, Noel Jones wrote:
> My main.cf has a note-to-self about this same cipher being broken on
> some old Windows versions in the distant past. Maybe an old bug has
> resurfaced.
>
> Possible workaround:
> smtpd_tls_exclude_ciphers = DES-CBC3-SHA
> smtp_tls_exclude_ciphers = DES-CBC3-SHA
Some older Unix systems that don't support AES may only offer 3DES,
which is required by RFCs.
So as a global setting, this is risky. Generally, Windows systems
that don't do AES, only support RC4-MD5 (~Windows XP and 2003)
while newer windows system support AES (Vista, Windows 7 and Server
2008).
So it is the Windows system's to no offer anything other than RC4
if that's all it can do. I would perhaps disable TLS to the destination
if it is still broken, but otherwise it is their problem to fix.
--
Viktor.
