On Tue 15.10.13 15:18:06 Viktor Dukhovni wrote:
> The server in question is a Microsoft Exchange server with buggy 3DES
> ciphersuites (IIRC found in Windows XP, and perhaps Windows Server 2003).
> 
> Add "exclude=3DES" to the entry table for this server, and you'll likely
> be fine.  You probably don't need to tweak the protocols.

Adding "exclude=3DES" or "exclude=DES-CBC3-SHA" to the smtp_tls_policy_maps 
file didn't quite do it, maybe because I have "smtp_tls_mandatory_ciphers=high" 
set globally. So I used this line, which works for this server:

> [smtp-auth.foo.de]:587 encrypt ciphers=medium

The next problem was the error: "5.7.3 Authentication unsuccessful", which 
appears to be unique for Exchange servers. Google suggested a broken GSSAPI 
implementation on the server side that should be excluded. That leaves only 
LOGIN in this case, which my config doesn't seem to allow for ciphers=medium.

Globally allowing LOGIN with smtp_sasl_mechanism_filter worked, but I didn't 
want that. So I defined a new transport in master.cf:

> exchangerelay unix - - n - - smtp -o smtp_sasl_mechanism_filter=!gssapi,login

and configured postfix to use a sender_dependent_default_transport_maps that 
contains this line:

> michael.bue...@foo.de exchangerelay:

Now, everything works. Phew.

I might still combine the sender_dependent_default_transport_maps with my 
sender_dependent_relayhost_maps so I don't have to maintain both files. Come to 
think of it: Couldn't I combine the single line in smtp_tls_policy_maps into 
the transport definition and save one more file?

> Fortunately, your over-obfuscation of the target server left me with only
> 224 choices of the target IP address.

Thanks for the effort you put in. I wasn't trying to be smart, I just sought to 
avoid angering the admin overlords at foo by publicly discussing their mail 
server.

> I'd like to suggest that you find a less broken email provider.

Nah, I like my employer. And I know for a fact that they keep their particle 
accelerators in much better shape than their mail servers.

Cheers,
Michael
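
As an added example (not from Michael's post, and not from Viktor's reply or the Postfix project), here is one way to collapse the three pieces above into a single master.cf transport plus one sender map, which is what the question about saving a file is asking. The host smtp-auth.foo.de and the elided sender address are copied from the post as written; the sasl_passwd entry is an assumption about how the existing SASL credentials are keyed, since the post does not show it.

```conf
# master.cf (added example, not the post's own master.cf).
# A dedicated smtp(8) transport for the Exchange relay. The -o overrides
# apply only to mail routed through this transport, so the lower cipher
# grade and the LOGIN-only SASL filter never change the global settings
# (smtp_tls_mandatory_ciphers=high stays in force for every other delivery).
# Continuation lines must start with whitespace.
exchangerelay unix  -       -       n       -       -       smtp
  -o smtp_tls_security_level=encrypt
  -o smtp_tls_mandatory_ciphers=medium
  -o smtp_tls_policy_maps=
  -o smtp_sasl_mechanism_filter=!gssapi,login

# main.cf: route by sender. The map value carries transport:nexthop, so a
# separate sender_dependent_relayhost_maps entry is not needed for this sender.
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport

# /etc/postfix/sender_transport (run "postmap /etc/postfix/sender_transport"
# after editing). The [] suppress the MX lookup; :587 is the submission port.
# Sender address reproduced as elided in the post.
michael.bue...@foo.de    exchangerelay:[smtp-auth.foo.de]:587

# /etc/postfix/sasl_passwd (assumed layout, not shown in the post).
# The lookup key must match the nexthop exactly, brackets and port included.
[smtp-auth.foo.de]:587    michael.bue...@foo.de:secret
```

Two points worth checking after a reload: `-o smtp_tls_policy_maps=` (empty value) switches off the per-destination policy lookup for this transport only, so the TLS level for the relay comes from the transport's own `smtp_tls_security_level=encrypt` and the old `[smtp-auth.foo.de]:587 encrypt ciphers=medium` line can be dropped; and because LOGIN sends the credentials with no more than base64 encoding, the level must stay at `encrypt` or stronger, never `may`, on this transport.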
