On Mon, Jan 05, 2015 at 03:10:49PM +0100, Matthias Schneider wrote:

> I noticed that many Exchange Servers nowadays have problems with TLS. Is
> there a way to make a fallback to plain if there is a timeout on MAIL FROM?

Postfix 2.12 (almost released, but for now 2.12-20141228 is the latest
snapshot) will by default retry in cleartext when TLS data transfer
fails, in most cases after initially deferring the message.

    http://permalink.gmane.org/gmane.mail.postfix.user/243401
    http://archives.neohapsis.com/archives/postfix/2013-11/0121.html
    https://www.ietf.org/mail-archive/web/tls/current/msg10471.html

You can configure your SMTP client with:

    -o tls_export_cipherlist=aNULL+AES128:aRSA+AES128:RC4-SHA:STRENGTH

This selects a cipherlist that is something like:

    AECDH-AES128-SHA             SSLv3   Kx=ECDH Au=None Enc=AES(128)    Mac=SHA1
    ADH-AES128-GCM-SHA256        TLSv1.2 Kx=DH   Au=None Enc=AESGCM(128) Mac=AEAD
    ADH-AES128-SHA256            TLSv1.2 Kx=DH   Au=None Enc=AES(128)    Mac=SHA256
    ADH-AES128-SHA               SSLv3   Kx=DH   Au=None Enc=AES(128)    Mac=SHA1
    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-SHA256      TLSv1.2 Kx=ECDH Au=RSA  Enc=AES(128)    Mac=SHA256
    ECDHE-RSA-AES128-SHA         SSLv3   Kx=ECDH Au=RSA  Enc=AES(128)    Mac=SHA1
    SRP-RSA-AES-128-CBC-SHA      SSLv3   Kx=SRP  Au=RSA  Enc=AES(128)    Mac=SHA1
    DHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=DH   Au=RSA  Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES128-SHA256        TLSv1.2 Kx=DH   Au=RSA  Enc=AES(128)    Mac=SHA256
    DHE-RSA-AES128-SHA           SSLv3   Kx=DH   Au=RSA  Enc=AES(128)    Mac=SHA1
    AES128-GCM-SHA256            TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(128) Mac=AEAD
    AES128-SHA256                TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(128)    Mac=SHA256
    AES128-SHA                   SSLv3   Kx=RSA  Au=RSA  Enc=AES(128)    Mac=SHA1
    RC4-SHA                      SSLv3   Kx=RSA  Au=RSA  Enc=RC4(128)    Mac=SHA1

With RC4-SHA early enough for the 11-year old Microsoft Exchange servers.

--
	Viktor.
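
An added example, not part of the original post: a small parser for the cipher listing in the reply above, reporting where RC4-SHA lands in the offer order and which suites carry no server authentication. The listing is copied from the post; the function names are assumptions of this example.

```python
import re

# Listing copied from the post above ("openssl ciphers -v" style columns).
LISTING = """\
AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
"""

FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")

def parse_listing(text):
    """Return one dict per cipher line, in the order the client offers them."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # skip blank or truncated lines
        entry = {"name": parts[0], "proto": parts[1]}
        entry.update({k.lower(): v for k, v in FIELD.findall(line)})
        suites.append(entry)
    return suites

def position(suites, name):
    """1-based position of a suite in the offer order, or None if absent."""
    names = [s["name"] for s in suites]
    return names.index(name) + 1 if name in names else None

def anonymous(suites):
    """Names of suites with no server authentication (Au=None)."""
    return [s["name"] for s in suites if s.get("au") == "None"]

if __name__ == "__main__":
    suites = parse_listing(LISTING)
    print("suites offered:", len(suites))
    print("RC4-SHA position:", position(suites, "RC4-SHA"))
    print("unauthenticated:", ", ".join(anonymous(suites)))
```

The same functions can be pointed at the output of `openssl ciphers -v` for any other cipherlist string to compare the resulting order before changing a mail server's configuration.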