Jerry:
> FreeBSD-8.2 STABLE
> Postfix (2.10-20120422)
> OpenSSL 1.0.1a 19 Apr 2012
>
> I just updated to the latest devel version of Postfix and openssl-1.0.1a.
>
> Following the instructions (I think correctly) on this list, I created the
> following file:
>
> cat tls_policy
> hotmail.com may protocols=!SSLv2:!TLSv1.1:!TLS1.2
>
> I check it as so:
>
> postmap -q hotmail.com ./tls_policy
> may protocols=!SSLv2:!TLSv1.1:!TLS1.2

TLS1.2 is an invalid protocol name. Postfix will not send STARTTLS,
disconnect, and make a plaintext connection if permitted.

    Apr 24 11:11:27 spike postfix/smtp[19134]: warning: 65.55.96.11[65.55.96.11]:25: Invalid TLS protocol list "!SSLv2:!TLSv1.1:!TLS1.2": aborting TLS session

So your logs don't match the configuration.

I have verified that Postfix + OpenSSL 1.0.1a fails to communicate
with 65.55.96.11 with "default" settings, but succeeds when I disable
TLSv1.2 (with smtp_tls_policy_maps or with smtp_tls_protocols).

If you can't make it work with the policy table, simply specify
in main.cf:

    smtp_tls_protocols = !SSLv2,!TLSv1.2
    smtp_tls_mandatory_protocols = !SSLv2,!TLSv1.2

I don't see STARTTLS support on the MX hosts for hotmail.com, so I
wonder why you ended up talking to 65.55.96.11.

Wietse
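
Added example, not part of the original message and not Postfix code: a small linter that catches a misspelled protocol name such as `TLS1.2` in a tls_policy table before it causes the aborted TLS session and plaintext fallback described above. It assumes the `!name` exclusion syntax shown in the message and the protocol names SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 in their documented spelling; `example.com` and the function names are constructed for illustration.

```python
import re

# Assumption: protocol names accepted by Postfix of this generation
# (before TLSv1.3 existed), compared in their documented spelling.
VALID_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def invalid_protocols(proto_list):
    """Return the names in a protocols list that are not valid names."""
    bad = []
    for token in re.split(r"[:,\s]+", proto_list.strip()):
        name = token.lstrip("!")  # "!name" excludes a protocol
        if name and name not in VALID_PROTOCOLS:
            bad.append(name)
    return bad


def lint_policy(text):
    """Check each tls_policy line; return (lineno, destination, bad_names)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        dest, attrs = fields[0], fields[1:]
        for attr in attrs:
            key, sep, value = attr.partition("=")
            if sep and key == "protocols":
                bad = invalid_protocols(value)
                if bad:
                    findings.append((lineno, dest, bad))
    return findings


# Constructed sample: the entry from the message plus a corrected one.
SAMPLE_POLICY = """\
# tls_policy (constructed sample)
hotmail.com     may protocols=!SSLv2:!TLSv1.1:!TLS1.2
example.com     may protocols=!SSLv2:!TLSv1.2
"""

if __name__ == "__main__":
    for lineno, dest, bad in lint_policy(SAMPLE_POLICY):
        print(f"line {lineno}: {dest}: invalid protocol name(s): {', '.join(bad)}")
```
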