On 29 Apr 2015, at 14:53, Birta Levente <blevi.li...@gmail.com> wrote:
> Hello
>
> I see many SSL_connect errors for different domains whose mail service is hosted
> at Microsoft:
>
> Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to
> irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
> Apr 28 10:32:12 srv1 postfix/smtp[18296]: 3lbZRv0VXQz1lvjB:
> to=<xxxxx...@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25,
> delay=1.1, delays=0.14/0.37/0.56/0, dsn=4.7.5, status=deferred (Cannot start
> TLS: handshake failure)
>
> After a few tries postfix sends the message in plain.
>
> Looking at the mailing list archive, I resolved it with smtp_tls_policy_maps =
> hash:/etc/postfix/tls_policy:
>
> tls_policy:
> irs.ro may protocols=TLSv1 ciphers=medium exclude=3DES:MD5
>
>
> But all these domains have MX records pointing to
> something.othersomething.outlook.com, so I wonder if there is a method to
> apply this policy like that:
>
> [.outlook.com]:25 may protocols=TLSv1 ciphers=medium exclude=3DES:MD5

Have you tried just turning off your override? The receiving server does not
support your excluded cipher anyway:

==
Target: irs-ro.mail.eo.outlook.com:25

prio  ciphersuite              protocols               pfs_keysize
1     ECDHE-RSA-AES256-SHA384  TLSv1.2                 ECDH,P-384,384bits
2     ECDHE-RSA-AES128-SHA256  TLSv1.2                 ECDH,P-256,256bits
3     ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2   ECDH,P-384,384bits
4     ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2   ECDH,P-256,256bits
5     AES256-SHA256            TLSv1.2
6     AES128-SHA256            TLSv1.2
7     AES256-SHA               TLSv1,TLSv1.1,TLSv1.2
8     AES128-SHA               TLSv1,TLSv1.1,TLSv1.2
9     DES-CBC3-SHA             TLSv1,TLSv1.1,TLSv1.2
10    RC4-SHA                  TLSv1,TLSv1.1,TLSv1.2
11    RC4-MD5                  TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering
==

And it should negotiate the strongest possible cipher just fine. Ours
negotiates the first in the list, and if your OpenSSL doesn't support TLSv1.2
yet you should see either #3 or #7.

Mvg,
Joni
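The following is an added example, not part of the thread and not Postfix or cipherscan code. It replays the cipherscan table Joni posted (embedded below as a constructed copy) against a Postfix-style client policy, so you can see which suite a server that enforces its own cipher ordering would end up picking once the client's protocols= and exclude= restrictions are applied. The alias table (ALIASES) is a deliberately small approximation of OpenSSL cipher-string keywords and is an assumption of this example, not OpenSSL's real parser; ciphers=medium is not modelled.

```python
"""Replay a cipherscan table against a Postfix-style TLS policy.

Given a server's cipher list in its own preference order, work out the
first suite the client could still use after restricting protocols and
excluding cipher keywords, i.e. what a server-ordered peer would negotiate.
"""

# Constructed copy of the cipherscan output quoted in the thread for
# irs-ro.mail.eo.outlook.com:25 (columns: prio, ciphersuite, protocols, pfs).
SCAN_OUTPUT = """\
1  ECDHE-RSA-AES256-SHA384  TLSv1.2                ECDH,P-384,384bits
2  ECDHE-RSA-AES128-SHA256  TLSv1.2                ECDH,P-256,256bits
3  ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-384,384bits
4  ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
5  AES256-SHA256            TLSv1.2
6  AES128-SHA256            TLSv1.2
7  AES256-SHA               TLSv1,TLSv1.1,TLSv1.2
8  AES128-SHA               TLSv1,TLSv1.1,TLSv1.2
9  DES-CBC3-SHA             TLSv1,TLSv1.1,TLSv1.2
10 RC4-SHA                  TLSv1,TLSv1.1,TLSv1.2
11 RC4-MD5                  TLSv1,TLSv1.1,TLSv1.2
"""

# Assumption of this example: a tiny approximation of the OpenSSL cipher
# string keywords likely to appear in a Postfix exclude= list.  Any other
# token is treated as an exact suite name.
ALIASES = {
    "3DES":  lambda s: "DES-CBC3" in s,
    "RC4":   lambda s: "RC4" in s,
    "MD5":   lambda s: s.endswith("-MD5"),
    "AES":   lambda s: "AES" in s,
    "ECDHE": lambda s: s.startswith("ECDHE-"),
}


def parse_scan(text):
    """Parse cipherscan's table into dicts, sorted by server priority."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header, blank or trailer line
        rows.append({
            "prio": int(parts[0]),
            "suite": parts[1],
            "protocols": set(parts[2].split(",")),
            "pfs": parts[3] if len(parts) > 3 else None,
        })
    return sorted(rows, key=lambda r: r["prio"])


def excluded(suite, exclude):
    """True if any exclude= token (alias or exact name) matches the suite."""
    return any(ALIASES.get(tok, lambda s: s == tok)(suite) for tok in exclude)


def negotiate(rows, client_protocols, exclude=(), offer_ecdhe=True):
    """Return the first server-preferred suite the client also accepts.

    client_protocols: protocols the client offers (Postfix protocols=).
    exclude: tokens from Postfix exclude= (see ALIASES).
    offer_ecdhe: False models a client OpenSSL without ECDHE support.
    Returns None when there is no common suite (a handshake failure).
    """
    for row in rows:
        suite = row["suite"]
        if not (row["protocols"] & set(client_protocols)):
            continue
        if not offer_ecdhe and suite.startswith("ECDHE-"):
            continue
        if excluded(suite, exclude):
            continue
        return suite
    return None


if __name__ == "__main__":
    rows = parse_scan(SCAN_OUTPUT)
    everything = {"TLSv1", "TLSv1.1", "TLSv1.2"}
    print("no override:          ", negotiate(rows, everything))
    print("thread's tls_policy:  ", negotiate(rows, {"TLSv1"}, ["3DES", "MD5"]))
    print("old OpenSSL, no ECDHE:", negotiate(rows, {"TLSv1", "TLSv1.1"},
                                              offer_ecdhe=False))
    print("only RC4/3DES left:   ", negotiate(rows, {"TLSv1"}, ["AES"]))
```

Run as-is it prints the three cases Joni describes (the top suite, #3, and #7) plus what happens once all AES suites are excluded. Swap SCAN_OUTPUT for a fresh `cipherscan host:25` table of your own peer to check a candidate smtp_tls_policy_maps entry before deploying it.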