On Wed, Oct 16, 2013 at 10:29:21AM +0200, Michael B?ker wrote:

> > Add "exclude=3DES" to the entry table for this server, and you'll likely
> > be fine. You probably don't need to tweak the protocols.
>
> Adding "exclude=3DES" or "exclude=DES-CBC3-SHA" to the smtp_tls_policy_maps
> file didn't quite do it, maybe because I have
> "smtp_tls_mandatory_ciphers=high"
> set globally. So I used this line, which works for this server:

Yes, of course, the *only* "high" grade cipher supported by Windows 2003
(sans hot-fixes, ...) is 3DES, but it is unusable (buggy). The strongest
working cipher-suite is RC4-SHA, which is "medium".

> > [smtp-auth.foo.de]:587 encrypt ciphers=medium

You should still exclude 3DES. I found that even with RC4-SHA offered by
the client, depending on the exact mix of client protocol versions,
sometimes the server picks 3DES and breaks. So for this server
(de-obfuscated) I'd specify:

    [smtp-auth.foo.de]:587 encrypt ciphers=medium exclude=3DES

or, with suitable content in "smtp_tls_CAfile" and/or "smtp_tls_CApath":

    [smtp-auth.foo.de]:587 secure ciphers=medium exclude=3DES

since one really ought to verify the SSL certificate of a submission
service.

> > exchangerelay unix - - n - - smtp
> >     -o smtp_sasl_mechanism_filter=!gssapi,login

To support Exchange MSAs on Windows 2003 generically (less critical state
in per-relay policy entries):

    exchangerelay unix - - n - - smtp
        -o smtp_sasl_mechanism_filter=login
        -o smtp_tls_security_level=secure
        -o smtp_tls_mandatory_ciphers=medium
        -o smtp_tls_mandatory_exclude_ciphers=3DES

There's no need to explicitly exclude "gssapi" when you've only included
"login". The "!gssapi" syntax is only useful with:

    !gssapi, static:all

> > I'd like to suggest that you find a less broken email provider.
>
> Nah, I like my employer. And I know for a fact that they keep their particle
> accelerators in much better shape than their mail servers.

I see, not a consumer-grade provider, rather a corporation with captive
users of a museum-grade legacy infrastructure. :-)

In that case, since it is Oktober, perhaps over a Bier or two suggest
that they consider upgrading their MSAs to something less ancient when
they get a chance. Postfix is easy to integrate with Active-Directory
LDAP for user validation, and you can enable PLAIN or LOGIN via saslauthd
with PAM as a backend, and a Kerberos entry in the PAM entry for SMTP.
Together with a keytab on the server with "host/<fqdn>@REALM" keys issued
from AD it just works.

-- 
	Viktor.
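As an added illustration of the two policy points made in this reply (verify the submission server's certificate with "secure" rather than "encrypt", and exclude 3DES even when "ciphers=medium" is set), the following Python script is example code written for this page; it is not from the thread and not part of Postfix. It parses smtp_tls_policy_maps entries in the format shown above, converts a master.cf transport with "-o" overrides into the same shape, and reports the two weaknesses. The sample entries are constructed; the host name is the thread's own placeholder, and the simplified attribute handling (only "ciphers=" and "exclude=" are read, and exclusions are split on commas or colons) is an assumption of this example, not a statement of Postfix's exact parsing rules.

```python
"""
Example linter (not Postfix code) for smtp_tls_policy_maps entries and
master.cf "-o" TLS overrides. It checks the two points from the thread:

  1. a level other than a certificate-verifying one ("secure", "verify",
     "fingerprint", "dane-only") leaves the submission server unverified;
  2. "ciphers=medium" without 3DES excluded still lets a buggy peer
     negotiate the broken 3DES suite.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Security levels at which Postfix verifies the remote certificate.
VERIFYING_LEVELS = {"verify", "secure", "fingerprint", "dane-only"}
# Both spellings used in the thread to exclude triple-DES.
THREE_DES_NAMES = {"3DES", "DES-CBC3-SHA"}


@dataclass
class TlsPolicy:
    destination: str                     # "[host]:port" or transport name
    level: str                           # e.g. "encrypt", "secure"
    ciphers: Optional[str] = None        # per-destination cipher grade
    exclude: List[str] = field(default_factory=list)  # excluded ciphers


def _split_exclusions(value: str) -> List[str]:
    # Assumption of this example: accept comma- or colon-separated lists.
    return [v for v in value.replace(",", ":").split(":") if v]


def parse_policy_line(line: str) -> Optional[TlsPolicy]:
    """Parse one policy-map entry: '[host]:port level attr=value ...'.
    Returns None for blank lines and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"need destination and level: {line!r}")
    policy = TlsPolicy(destination=fields[0], level=fields[1].lower())
    for attr in fields[2:]:
        key, sep, value = attr.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute {attr!r} in {line!r}")
        if key == "ciphers":
            policy.ciphers = value.lower()
        elif key == "exclude":
            policy.exclude.extend(_split_exclusions(value))
        # other attributes (protocols=, match=, ...) are ignored here
    return policy


def parse_master_overrides(master_entry: str) -> TlsPolicy:
    """Map a master.cf transport definition with '-o name=value' overrides
    (possibly spread over continuation lines) onto the same TlsPolicy."""
    tokens = master_entry.split()
    policy = TlsPolicy(destination=tokens[0], level="may")  # smtp default
    for i, tok in enumerate(tokens):
        if tok != "-o" or i + 1 >= len(tokens):
            continue
        key, _, value = tokens[i + 1].partition("=")
        if key == "smtp_tls_security_level":
            policy.level = value.lower()
        elif key == "smtp_tls_mandatory_ciphers":
            policy.ciphers = value.lower()
        elif key == "smtp_tls_mandatory_exclude_ciphers":
            policy.exclude.extend(_split_exclusions(value))
    return policy


def lint(policy: TlsPolicy) -> List[str]:
    """Return one finding per weakness; an empty list means both checks pass."""
    findings = []
    if policy.level not in VERIFYING_LEVELS:
        findings.append(f"{policy.destination}: level '{policy.level}' does not "
                        "verify the server certificate; use 'secure' with "
                        "smtp_tls_CAfile/smtp_tls_CApath")
    excluded = {x.upper() for x in policy.exclude}
    if policy.ciphers == "medium" and not (excluded & THREE_DES_NAMES):
        findings.append(f"{policy.destination}: ciphers=medium without "
                        "exclude=3DES; a Windows 2003 peer may still pick 3DES")
    return findings


def lint_policy_map(text: str) -> dict:
    """Lint every entry of a policy-map file; keyed by destination."""
    results = {}
    for line in text.splitlines():
        policy = parse_policy_line(line)
        if policy is not None:
            results[policy.destination] = lint(policy)
    return results


# Constructed sample input: the three variants discussed in the thread.
SAMPLE_POLICY_MAP = """\
# submission relay, first attempt
[smtp-auth.foo.de]:587 encrypt ciphers=medium
# with 3DES excluded but still unauthenticated
[smtp-auth.foo.de]:588 encrypt ciphers=medium exclude=3DES
# recommended form
[smtp-auth.foo.de]:589 secure ciphers=medium exclude=DES-CBC3-SHA
"""

SAMPLE_MASTER_ENTRY = """\
exchangerelay unix - - n - - smtp
    -o smtp_sasl_mechanism_filter=login
    -o smtp_tls_security_level=secure
    -o smtp_tls_mandatory_ciphers=medium
    -o smtp_tls_mandatory_exclude_ciphers=3DES
"""

if __name__ == "__main__":
    for dest, findings in lint_policy_map(SAMPLE_POLICY_MAP).items():
        print(dest, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
    print(lint(parse_master_overrides(SAMPLE_MASTER_ENTRY)) or "master.cf entry OK")
```

Run it as a script to see the findings for each sample entry; in practice you would feed it the real policy-map text and the relevant master.cf stanza after any change to per-relay TLS settings.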