On Tue, Feb 11, 2014 at 08:06:17PM +0100, li...@rhsoft.net wrote:

> and that is why i hours ago posted the *client* configuration
> of the machine happily sends authenticated mail over TLS to
> exchange
>
> smtp_use_tls = yes

Obsolete.

> smtp_tls_loglevel = 1
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Leaving it blank is better. The browser CA bundle has no relevance to SMTP.

> smtp_tls_security_level = may

Correct.

> smtp_tls_note_starttls_offer = yes

Pointless, since the security level is "may".

> smtp_tls_session_cache_timeout = 3600s
> smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

Better to use ${data_directory} instead of explicit /var/lib/postfix.

> smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA,
> ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-MD5, DES, DES+MD5

If one wants to exclude 3DES and DES, it is far easier to set:

    smtp_tls_exclude_ciphers = 3DES DES

which covers all the above much more concisely. I imagine this is intended to avoid CBC problems with Microsoft Exchange 2003.

-- 
Viktor.
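As an added example (not part of the thread, and not Postfix code), a small Python lint that parses a main.cf fragment and reports the client-side TLS points raised in the reply above; the sample configuration is constructed from the quoted settings, and the collapse of the cipher exclusion list to the OpenSSL aliases 3DES and DES is the rewrite the reply suggests.

```python
# Constructed sample: the quoted settings in main.cf syntax (an indented line continues the previous value).
SAMPLE_MAIN_CF = """\
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA,
    ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-MD5, DES, DES+MD5
"""

def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and key is not None:
            params[key] += " " + raw.strip()          # continuation of the previous parameter
        elif raw.strip() and not raw.startswith("#"):  # skip blank lines and comments
            key, _, value = (s.strip() for s in raw.partition("="))
            params[key] = value
    return params

def simplify_des_excludes(value):
    """Collapse explicit (3)DES cipher names into the OpenSSL aliases 3DES and DES."""
    out = []
    for name in value.replace(",", " ").split():
        if "CBC3" in name or "3DES" in name:
            name = "3DES"
        elif "DES" in name:
            name = "DES"                                # anything else is kept as written
        if name not in out:
            out.append(name)
    return " ".join(out)

def lint_smtp_tls(p):
    """Return (parameter, advice) pairs matching the objections made in the reply."""
    level = p.get("smtp_tls_security_level", "")
    db = p.get("smtp_tls_session_cache_database", "")
    excl = p.get("smtp_tls_exclude_ciphers", "")
    checks = [
        ("smtp_use_tls" in p, "smtp_use_tls", "obsolete; smtp_tls_security_level replaces it"),
        (bool(p.get("smtp_tls_CAfile")), "smtp_tls_CAfile", "leave blank; a browser CA bundle has no relevance to SMTP"),
        (p.get("smtp_tls_note_starttls_offer") == "yes" and level == "may", "smtp_tls_note_starttls_offer", "pointless when the security level is 'may'"),
        (db and "${data_directory}" not in db, "smtp_tls_session_cache_database", "use btree:${data_directory}/smtp_scache"),
        (excl and simplify_des_excludes(excl) != excl, "smtp_tls_exclude_ciphers", "simplify to: " + simplify_des_excludes(excl)),
    ]
    return [(param, advice) for hit, param, advice in checks if hit]
```

Running lint_smtp_tls(parse_main_cf(SAMPLE_MAIN_CF)) reports all five quoted settings the reply objects to, with the exclusion list reduced to "3DES DES".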