On Wed, Sep 11, 2013 at 10:03:52PM +0200, DTNX Postmaster wrote:

> >> The odd thing is that both banks drop to RC4-MD5 when sending to
> >> us. I've seen this on another product that we support ourselves as
> >> well; the Postfix client negotiates a higher protocol level and
> >> better cipher for outgoing mail than the server does for incoming
> >> mail. There is probably a good reason for this, but it feels to me
> >> like they should support the same protocol and cipher level regardless
> >> of direction?
> >
> > I am not surprised.
>
> In our own case though this is with current software, a direct
> connection without firewall tomfoolery and whatnot. I shall see if
> their support department can explain it to me and satisfy my curiosity
> as to what causes the difference.

One thing to keep in mind is that in many cases servers honour client
cipher preferences. When your SMTP client connects to their server
the cipher-suite chosen is the highest on your preference list that
they support. When their client connects to your server the
cipher-suite chosen is the highest on their preference list that
you support. The two cipher-suites need not be the same even with
the same software on their side sending and receiving.

    http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist

-- 
Viktor.
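
The selection rule described in the reply above, as an added example that is not part of the original message or of Postfix's code: a small model of how the negotiated suite differs by direction, and how it changes when the receiving server applies its own order (the behaviour `tls_preempt_cipherlist = yes` requests). The preference lists and the function names `negotiate` and `both_directions` are constructed for illustration.

```python
# Constructed OpenSSL-style preference lists, most preferred first.
# They are illustrative assumptions, not the banks' or anyone's real settings.
OURS = ["DHE-RSA-AES256-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5"]
THEIRS = ["RC4-MD5", "RC4-SHA", "AES128-SHA", "DHE-RSA-AES256-SHA"]


def negotiate(client_prefs, server_prefs, server_preempts=False):
    """Pick the cipher-suite for one handshake, or None if nothing is shared.

    server_preempts=False: the server walks the client's list in order
    (client preference honoured). True models a server that applies its
    own order, as Postfix's tls_preempt_cipherlist = yes requests.
    """
    if server_preempts:
        leader, other = server_prefs, client_prefs
    else:
        leader, other = client_prefs, server_prefs
    shared = set(other)
    return next((suite for suite in leader if suite in shared), None)


def both_directions(ours, theirs, we_preempt=False):
    """Return the suites chosen for mail we send and mail we receive."""
    return {
        # We are the client; their server honours our order.
        "outbound": negotiate(ours, theirs),
        # They are the client; our server may or may not preempt.
        "inbound": negotiate(theirs, ours, we_preempt),
    }


if __name__ == "__main__":
    for preempt in (False, True):
        print(f"our server preempts: {preempt}")
        for direction, suite in both_directions(OURS, THEIRS, preempt).items():
            print(f"  {direction}: {suite}")
```

With these lists, inbound mail lands on RC4-MD5 while outbound uses DHE-RSA-AES256-SHA, even though both sides support exactly the same suites; only the inbound result changes when the receiving server preempts.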