Hi,

I have a Fedora 20 system with postfix-2.10.3 and have TLS set up and working correctly, at least to the best of my ability. We have a user that would like to send email to a system that apparently doesn't support TLS, but does support SSL. I'd imagine they are referring to SSLv3.

I'm not specifically excluding any ciphers in my configuration - wouldn't SSL automatically be supported if it is available on the remote system? In other words, I believe I've set up my system to first try TLS, then SSL, then plaintext. I've read the TLS_README again, and I don't see any section specifically for configuring SSL instead of, or in addition to, TLS.

I'd appreciate any ideas on my configuration that could help here.

alias_database = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.ecartis
alias_maps = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.ecartis
allow_mail_to_files = alias,forward
always_bcc = mail-archive
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_extra_recipient_limit = 1
default_recipient_refill_delay = 10
default_recipient_refill_limit = 50
disable_mime_input_processing = no
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
mydestination = $myhostname, localhost.$mydomain, mail.example.com
mynetworks = 127.0.0.0/8, 64.11.22.0/27
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
readme_directory = /usr/share/doc/postfix/README_FILES
relay_domains = $mydestination, mail.example.com
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /var/www/mail.example.com-443/ssl/gd_bundle.crt
smtp_tls_exclude_ciphers = 3DES
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_limit = 50
smtpd_recipient_overshoot_limit = 10
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_invalid_helo_hostname,
    reject_rhsbl_reverse_client key.dbl.dq.spamhaus.net,
    reject_rhsbl_sender key.dbl.dq.spamhaus.net,
    reject_rhsbl_helo key.dbl.dq.spamhaus.net
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_recipient_access pcre:/etc/postfix/local_recip_map,
    reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /var/www/mail.example.com-443/ssl/mail.example.com-cert-2014.crt
smtpd_tls_key_file = /var/www/mail.example.com-443/ssl/key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
submission_overrides = no_unknown_recipient_checks, no_address_mappings, no_header_body_checks
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Thanks,
Alex
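
Added example (not part of the post above and not Postfix's own code): a small Python helper that reads `postconf -n` output like the listing in the post and reports which outbound (smtp_*) TLS level is in effect and which protocol or cipher parameters are set explicitly. The function names are hypothetical, SAMPLE is constructed from the TLS-related lines of the post, and the mapping of the legacy smtp_use_tls / smtp_enforce_tls parameters to security levels is an assumption taken from the Postfix documentation.

```python
# Added example: summarise the outbound (smtp_*) TLS policy in `postconf -n` output.
# SAMPLE is constructed from the TLS-related lines of the post above.
SAMPLE = """\
smtp_tls_CAfile = /var/www/mail.example.com-443/ssl/gd_bundle.crt
smtp_tls_exclude_ciphers = 3DES
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
"""

def parse_postconf(text):
    """Parse 'name = value' lines; indented lines (postconf -f) continue a value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last is not None:
            params[last] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def is_yes(params, name, default="no"):
    return params.get(name, default).strip().lower() == "yes"

def client_tls_level(params):
    """Return (level, source). smtp_tls_security_level, when set, overrides the
    legacy smtp_use_tls / smtp_enforce_tls / smtp_tls_enforce_peername settings."""
    level = params.get("smtp_tls_security_level", "")
    if level:
        return level, "smtp_tls_security_level"
    if is_yes(params, "smtp_enforce_tls"):
        strict = is_yes(params, "smtp_tls_enforce_peername", default="yes")
        return ("verify" if strict else "encrypt"), "smtp_enforce_tls (legacy)"
    if is_yes(params, "smtp_use_tls"):
        return "may", "smtp_use_tls (legacy)"
    return "none", "nothing set"

def client_tls_summary(params):
    level, source = client_tls_level(params)
    # smtp_tls_* protocol/cipher parameters present in the output (smtpd_* excluded)
    explicit = sorted(k for k in params if k.startswith("smtp_tls_")
                      and k.endswith(("protocols", "ciphers")))
    return {"level": level, "source": source, "opportunistic": level == "may",
            "explicit_protocol_cipher_settings": explicit}
```

Parameters missing from `postconf -n` output are at their compiled-in defaults, which `postconf -d smtp_tls_protocols` (for example) will show on the system in question.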