Hi,

> You have to compile *with* TLS support enabled.
>
>   make -f Makefile.init CCARGS='-DUSE_TLS' AUXLIBS='-lssl -lcrypto'

Okay, got it to work now. Apparently it wasn't included with my Fedora
postfix install.

>> I looked at my debug trace of the messages delivered successfully, and
>> it didn't indicate what cipher was used. Is there a specific debug
>> option available to determine this for the next time?
>
> With 3DES disabled, no cipher is negotiated, the TLS handshake
> fails, and Postfix delivers the message in the clear.

Just to be sure, you mean TLS is now disabled only to these defective
servers because of the faulty 3DES implementation, correct?

>> Is it possible to disable it just for this peer? Or is it okay to
>> disable 3DES permanently system-wide?
>
> Yes, you can play whack-a-mole disabling it one server at a time,
> but I would suggest disabling it globally.

So it will now most likely use RC4 as the next cipher, correct?

Thanks,
Alex
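
On the question above of seeing which cipher each peer negotiated, the following is an added example and not part of the original message: it tallies protocol and cipher per peer from Postfix SMTP client log lines. It assumes `smtp_tls_loglevel = 1` is set in main.cf; the log lines, host names and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format the Postfix SMTP client logs
# when smtp_tls_loglevel = 1 (assumed to be set in main.cf).
SAMPLE_LOG = """\
Jan 10 09:14:02 mail postfix/smtp[4121]: Untrusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Jan 10 09:14:03 mail postfix/smtp[4121]: 3F2A01C0D5: to=<user@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=1.2, status=sent (250 OK)
Jan 10 09:20:41 mail postfix/smtp[4150]: Trusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
Jan 10 09:31:17 mail postfix/smtp[4188]: Untrusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
"""

# Matches the "TLS connection established" line and captures peer, protocol, cipher.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>\w+) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<used>\d+)/(?P<avail>\d+) bits\)"
)

def ciphers_by_peer(log_text):
    """Return {peer host: Counter of (protocol, cipher)} for outbound TLS sessions."""
    peers = defaultdict(Counter)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:  # delivery-status and other lines are skipped
            peers[m["host"]][(m["proto"], m["cipher"])] += 1
    return dict(peers)

def peers_using(log_text, cipher_substring):
    """List peers that negotiated a cipher whose name contains cipher_substring."""
    return sorted(
        host for host, counts in ciphers_by_peer(log_text).items()
        if any(cipher_substring in cipher for _, cipher in counts)
    )

if __name__ == "__main__":
    for host, counts in ciphers_by_peer(SAMPLE_LOG).items():
        for (proto, cipher), n in counts.items():
            print(f"{host}: {proto} {cipher} x{n}")
    # DES-CBC3 is the OpenSSL name prefix for 3DES cipher suites.
    print("3DES peers:", peers_using(SAMPLE_LOG, "DES-CBC3"))
```

Running it against the real mail log before excluding 3DES shows which peers currently depend on it, and running it again afterwards shows what they negotiate instead.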