Hi,

> $ posttls-finger -c -lmay -Lsummary -o tls_medium_cipherlist=DES-CBC3-SHA
> "[66.252.104.194]"
> posttls-finger: Connected to 66.252.104.194[66.252.104.194]:25
> posttls-finger: Untrusted TLS connection established to
> 66.252.104.194[66.252.104.194]:25: unknown with cipher DES-CBC3-SHA (168/168
> bits)
> posttls-finger: warning: TLS library problem: 1748:error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version
> number:/home/builds/ab/HEAD/src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:339:
> posttls-finger: warning: lost connection while sending QUIT command
I've just downloaded this and compiled it on my system, but it says invalid options:

# posttls-finger -c -lmay -Lsummary -o tls_medium_cipherlist=DES-CBC3-SHA "[66.252.104.194]"
posttls-finger: invalid option -- 'l'

The -L is also not available:

# posttls-finger
usage: posttls-finger [-acStTv] [-h host_lookup] [-o name=value] destination

> Postfix falls back to plain-text when STARTTLS or the SSL handshake
> fails, but here, the failure is triggered by garbage after the
> encrypted EHLO response, which breaks the SSL records containing
> MAIL FROM:. We don't fallback to plaintext after the mail transaction
> begins.

Just to be sure I understand, you're saying that because 3DES had begun then failed, the connection is just closed, correct?

> Perhaps the simplest work-around is to disable 3DES. Generally,
> servers other than Microsoft Exchange 2003 support AES. And with
> Microsoft Exchange 2003, disabling 3DES means that either we get
> RC4 (and succeed) or get no common ciphers and fail early (during
> the handshake), and thus fallback to plaintext.

I've now done this, and it worked. I looked at my debug trace of the messages delivered successfully, and it didn't indicate what cipher was used. Is there a specific debug option available to determine this for the next time?

> So we could set a default value of "smtp_tls_exclude_ciphers = 3DES".

Is it possible to disable it just for this peer? Or is it okay to disable 3DES permanently system-wide?

Thank you for all that you do.

Alex
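The two settings discussed in the thread, system-wide 3DES exclusion and per-destination exclusion through a TLS policy table, written out as an added configuration example that is not part of the posting. The policy-table entry, its lookup key and the availability of the exclude= attribute in the reader's Postfix release are assumptions.

```conf
# /etc/postfix/main.cf  (added example, not from the posting)

# Log the negotiated cipher for every delivery. At level 1 the SMTP
# client logs one line per TLS session, of the form
#   "Untrusted TLS connection established to host[addr]:25:
#    TLSv1 with cipher AES128-SHA (128/128 bits)"
# so a later trace shows which cipher a given peer actually used.
smtp_tls_loglevel = 1
smtp_tls_security_level = may

# Option A: exclude 3DES for every destination. Against a peer that
# offers only 3DES and RC4 (the Exchange 2003 case in the thread) the
# client either negotiates RC4 or the handshake fails before MAIL FROM,
# so opportunistic TLS falls back to plaintext instead of losing the
# connection mid-transaction.
smtp_tls_exclude_ciphers = 3DES

# Option B: exclude 3DES only for the one problem peer. The "exclude="
# policy attribute (assumed available in this release) adds to
# smtp_tls_exclude_ciphers for that destination alone.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
# Lookup key is the next-hop destination as used by the transport; the
# bracketed literal address below is the one from the posttls-finger test
# and is an assumed example.
[66.252.104.194]    may exclude=3DES
```

Use only one of the two options for a given destination; with Option B, destinations not listed in the table keep the global smtp_tls_exclude_ciphers setting.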