Hi,

> > I have a fedora20 system with postfix-2.10.3 and have TLS set up and
> > working correctly, at least to the best of my ability. We have a user that
> > would like to send email to a system that apparently doesn't support TLS,
> > but does support SSL. I'd imagine they are referring to SSLv3.
>
> No.  The user is referring to submission via port 465 "smtps",
> which unlike port 587 STARTTLS, is SMTP wrapped in SSL immediately
> after the TCP 3-way handshake, rather than negotiated after EHLO.
>
> Postfix by default interoperates with SMTP servers that support
> only SSLv3.
>
> > I'm not specifically excluding any ciphers in my configuration - wouldn't
> > SSL automatically be supported if it is available on the remote system?
>
> Yes, though if you make SSL/TLS mandatory (via smtp_tls_policy_maps
> and the "encrypt" or "secure" levels) then some weaker ciphers are
> excluded by default.

Okay, just to be sure I understand this correctly, I need to still
configure my server to be both an smtps server as well as a client to an
smtps server so it can transport the message from the user's client to my
server, then to the remote system, correct?

> > In
> > other words, I believe I've set up my system to first try TLS, then SSL,
> > then plaintext.
>
> No, you have a system that tries STARTTLS, then plaintext.  During
> the SSL/TLS handshake the Postfix SMTP client will advertise support
> for a range of SSL protocol versions from SSLv3 up-to TLSv1.2 if
> your SSL library supports that.

Is trying STARTTLS then plaintext the proper way to do it, or am I missing
something?

> > smtp_tls_CAfile = /var/www/mail.example.com-443/ssl/gd_bundle.crt
>
> I would leave this empty, you're not checking certificates, so
> loading a CAfile is a waste of CPU cycles.
>
> > smtp_tls_exclude_ciphers = 3DES
>
> Only needed for some Microsoft Exchange 2003 servers, but OK to
> enable globally unless you're talking to some servers that only
> support 3DES.
>
> > smtp_tls_note_starttls_offer = yes
>
> Not needed.
>
> > smtp_use_tls = yes
>
> Set "smtp_tls_security_level = may" instead.

I have that as well. Should I just comment out smtp_use_tls?

> > smtpd_tls_loglevel = 2
>
> Too verbose, use "1" instead of "2".
>
> Finally, you've posted no logs, leaving everyone on this list blind
> to the actual problem.  If you want help post logs that detail the
> problem you're having.

I'm not sure I'm explaining myself properly. The issue is that we have a
client, which I assume would be Outlook, that would like to connect to my
postfix server to send an encrypted email to a remote system that only
supports SSL.

This is why I described above that I thought I would need to set up smtps
on my system, then somehow configure my system to try SSL after the default
TLS, which isn't supported on the remote system.

Thanks so much, as always.
Alex

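The settings quoted above and the advice given on them can be turned into a small self-check. The following is an added example, not code from the Postfix project or from either poster: a lint that parses main.cf-style `key = value` text and reports the points raised in this thread (obsolete `smtp_use_tls`, a CAfile loaded at a level that never verifies certificates, `smtp_tls_note_starttls_offer`, the 3DES exclusion, and an over-verbose TLS loglevel). It generalizes slightly by checking both `smtp_tls_loglevel` and `smtpd_tls_loglevel`, and by flagging a `may`-only client with no `smtp_tls_policy_maps` as opportunistic (STARTTLS, then plaintext). The sample input is constructed from the settings quoted in the thread; the set of verifying security levels is taken from Postfix documentation and is an assumption of this example, not something the thread states.

```python
"""Lint Postfix SMTP-client TLS settings against the advice in this thread.

Added example, not code from the Postfix project or from either poster.
"""
import re

# Constructed sample: the client-side settings quoted in the thread.
SAMPLE_MAIN_CF = """\
# constructed sample main.cf fragment
smtp_tls_CAfile = /var/www/mail.example.com-443/ssl/gd_bundle.crt
smtp_tls_exclude_ciphers = 3DES
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtp_tls_security_level = may
smtpd_tls_loglevel = 2
"""

# Assumption (from Postfix docs): only these smtp_tls_security_level values
# make the SMTP client check the peer certificate at all.
VERIFYING_LEVELS = {"verify", "secure", "dane", "dane-only", "fingerprint"}


def parse_main_cf(text):
    """Parse 'key = value' lines the way postconf reads main.cf:
    later keys override earlier ones, '#' lines are comments, and a line
    starting with whitespace continues the previous value."""
    settings = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key is not None:
            settings[last_key] = (settings[last_key] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            last_key = m.group(1)
            settings[last_key] = m.group(2).strip()
    return settings


def lint_tls_settings(settings):
    """Return (parameter, finding) pairs in a fixed order."""
    findings = []
    level = settings.get("smtp_tls_security_level", "")
    policy = settings.get("smtp_tls_policy_maps", "")

    def is_yes(key):
        return settings.get(key, "no").strip().lower() == "yes"

    if is_yes("smtp_use_tls"):
        findings.append(("smtp_use_tls",
                         "obsolete; set smtp_tls_security_level = may instead"))
    if not level and not is_yes("smtp_use_tls"):
        findings.append(("smtp_tls_security_level",
                         "unset: outbound mail goes in plaintext; set it to 'may'"))
    if level == "may" and not policy:
        findings.append(("smtp_tls_security_level",
                         "'may' is opportunistic (STARTTLS, then plaintext); "
                         "use smtp_tls_policy_maps with 'encrypt' or 'secure' "
                         "for destinations that must be encrypted"))
    if settings.get("smtp_tls_CAfile") and level not in VERIFYING_LEVELS and not policy:
        findings.append(("smtp_tls_CAfile",
                         "loaded but unused: level %r does not check certificates" % level))
    if is_yes("smtp_tls_note_starttls_offer"):
        findings.append(("smtp_tls_note_starttls_offer", "not needed"))
    if "3des" in settings.get("smtp_tls_exclude_ciphers", "").lower():
        findings.append(("smtp_tls_exclude_ciphers",
                         "3DES excluded: fine unless some peer supports only 3DES"))
    for param in ("smtp_tls_loglevel", "smtpd_tls_loglevel"):
        value = settings.get(param, "0")
        if value.isdigit() and int(value) > 1:
            findings.append((param, "too verbose: use 1 instead of %s" % value))
    return findings


def lint_main_cf(text):
    """Convenience wrapper: parse, then lint."""
    return lint_tls_settings(parse_main_cf(text))


if __name__ == "__main__":
    for param, finding in lint_main_cf(SAMPLE_MAIN_CF):
        print("%-30s %s" % (param, finding))
```

Run against the quoted settings it reports the same points the reply makes; feed it `postconf -n` output on a real box to see which of them apply there.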