On 8/11/2014 3:01 PM, Alex wrote:
> Hi,
> I have a fedora20 system with postfix-2.10.3 and have TLS set up and
> working correctly, at least to the best of my ability. We have a
> user that would like to send email to a system that apparently
> doesn't support TLS, but does support SSL. I'd imagine they are
> referring to SSLv3.

Postfix supports SSL and TLS via the STARTTLS parameter. You shouldn't have to do anything special to talk to a system that supports SSLv3 via STARTTLS.

>
> I'm not specifically excluding any ciphers in my configuration -
> wouldn't SSL automatically be supported if it is available on the
> remote system? In other words, I believe I've set up my system to
> first try TLS, then SSL, then plaintext.

Yes, that's the default. It should "just work" unless the user is really referring to wrappermode smtps.

Some systems don't accept STARTTLS but can use the long-deprecated "wrappermode" smtps, typically on port 465. Usually this is reserved for authenticated user submission, but I suppose some systems might accept general MX traffic over smtps. For historical reasons, sometimes this wrappermode is referred to as SSL even though the encryption might actually be TLS. That may be what your user is referring to.

If you need to set up a wrappermode smtps channel to the antique server, instructions can be found here:
http://www.postfix.org/TLS_README.html#client_smtps
but I'm not sure it's worth the trouble...

-- Noel Jones
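
A way to check which of the two modes discussed above a remote server actually offers, before building a dedicated transport for it. This is an added example, not part of the original message or of Postfix; `probe_smtp_tls`, `stub_server`, the `probe.invalid` HELO name and the loopback stub replies are constructed for illustration.

```python
import smtplib
import socket
import ssl
import threading

def probe_smtp_tls(host, port, timeout=5):
    """Classify how host:port accepts TLS, as seen by an SMTP client."""
    try:
        # STARTTLS: the server greets in cleartext and lists the STARTTLS
        # extension in its EHLO reply; TLS is negotiated afterwards.
        smtp = smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=timeout)
        try:
            smtp.ehlo()
            return "starttls" if smtp.has_extn("starttls") else "plaintext-only"
        finally:
            smtp.close()
    except (smtplib.SMTPException, OSError):
        pass  # no cleartext SMTP greeting; may be a wrappermode port
    try:
        # Wrappermode (smtps): the TLS handshake precedes all SMTP traffic.
        ctx = ssl.create_default_context()  # server certificate is verified
        smtplib.SMTP_SSL(host, port, local_hostname="probe.invalid",
                         timeout=timeout, context=ctx).close()
        return "wrappermode"
    except ssl.SSLCertVerificationError:
        return "wrappermode-untrusted-cert"  # TLS at connect, cert rejected
    except (smtplib.SMTPException, OSError):
        return "no-smtp"

def stub_server(ehlo_reply):
    """Constructed loopback SMTP stub for the demo; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with srv, conn, conn.makefile("rwb") as f:
            f.write(b"220 stub.example ESMTP\r\n")
            f.flush()
            f.readline()          # the client's EHLO line
            f.write(ehlo_reply)
            f.flush()
            f.readline()          # returns once the client closes
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for ext in (b"250-STARTTLS\r\n", b""):
        reply = b"250-stub.example\r\n" + ext + b"250 SIZE 10240000\r\n"
        print(probe_smtp_tls("127.0.0.1", stub_server(reply)))
```

A port that expects the TLS handshake first sends no cleartext greeting, so against such a port the first step waits out `timeout` before the wrappermode attempt is made.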