On Tue, Nov 26, 2013 at 09:37:13PM -0500, Alex wrote:

> > You have to compile *with* TLS support enabled.
> >
> >     make -f Makefile.init CCARGS='-DUSE_TLS' AUXLIBS='-lssl -lcrypto'
> 
> Okay, got it to work now. Apparently it wasn't included with my Fedora
> postfix install.

Not surprising, posttls-finger(1) is only available with Postfix
2.11 snapshots.  And so far, Wietse is not planning to add this
utility to the list of command utilities that are installed by
default.  So to use it, you have to build it from source like you
did.

> > With 3DES disabled, no cipher is negotiated, the TLS handshake
> > fails, and Postfix delivers the message in the clear.
> 
> Just to be sure, you mean TLS is now disabled only to these defective
> servers because of the faulty 3DES implementation, correct?

Yes, just to the defective servers.

> > Yes, you can play whack-a-mole disabling it one server at a time,
> > but I would suggest disabling it globally.
> 
> So it will now most likely use RC4 as the next cipher, correct?

No, TLS will fail to the defective servers, but this will be during
the handshake, so Postfix will fall back to plaintext.  If you must
encrypt traffic to these servers, you need per-destination policy.
Search the archives for details posted in the last month or so.

-- 
        Viktor.
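Added illustration (not part of the thread and not the author's own configuration) of the two settings discussed above: 3DES excluded globally for opportunistic TLS, plus a per-destination policy that refuses to fall back to plaintext for the servers that matter. Two files are shown in one block; the domain names are placeholders.

```ini
# Added example, not from the thread.  Two Postfix files in one block.
# Postfix treats "#" as a comment only at the start of a line, so keep
# comments on their own lines when copying this.

# --- /etc/postfix/main.cf ---
# Opportunistic TLS for everyone: encrypt when offered, otherwise plaintext.
smtp_tls_security_level = may
# Disable 3DES globally ("3DES" is the OpenSSL cipher-string alias).
# Servers that only offer 3DES will now fail the handshake.
smtp_tls_exclude_ciphers = 3DES
# Per-destination overrides for the cases where plaintext is unacceptable.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Log the negotiated protocol and cipher (or the failure) per delivery.
smtp_tls_loglevel = 1

# --- /etc/postfix/tls_policy ---
# Run "postmap /etc/postfix/tls_policy" after editing.
# Key is the next-hop domain.  With "encrypt", a failed handshake defers
# the message instead of delivering it in the clear; with the global
# "may" above, the same failure silently sends plaintext.
# (Placeholder domains.)
defective.example    encrypt
partner.example      encrypt
```

The effect can be checked from the sending host with the utility built earlier, e.g. `posttls-finger -c -l encrypt defective.example` (options as documented in posttls-finger(1)): with 3DES excluded, a server that only works with 3DES shows a handshake failure, and because the policy level is `encrypt` the corresponding real delivery is deferred and logged rather than sent unencrypted.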
