On Mon, Jul 20, 2015 at 12:06:39PM -0400, Harald Koch wrote:

> In my case it turned out to be me being incredibly stupid; I had
>
>     smtpd_tls_mandatory_exclude_ciphers = RC4

A sensible setting to make sure that submission clients (port 587, where
TLS should be mandatory) using AUTH PLAIN are protected, while MTA-to-MTA
traffic on port 25 interoperates with legacy systems.

> instead of
>
>     smtpd_tls_exclude_ciphers = RC4

Shame on Yahoo for preferring RC4.  You might instead leave RC4 in, but
use your server's preferred cipher order.

    tls_preempt_cipherlist = yes
    http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist

> yahoo.com is using AES128 now.

You'll get the same result, without losing interop with RC4-only systems
(if any) via the above.  However, you'll still break Exchange 2003,
unless you arrange to rank 3DES below RC4, or disable 3DES (don't know
of any systems that have working 3DES and support just that and RC4).

Therefore, to avoid using RC4 when possible, without breaking the
remaining Exchange 2003 systems:

    smtpd_tls_exclude_ciphers = 3DES
    tls_preempt_cipherlist = yes

-- 
	Viktor.
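The following is an added example, not code from the thread or from Postfix: a small model of how smtpd ends up choosing a cipher under the four main.cf fragments discussed above (Harald's mandatory-only exclusion, a plain RC4 exclusion, server preference alone, and Viktor's 3DES exclusion plus server preference). The server preference order, the two client cipher lists, the mapping of the "RC4"/"3DES" exclusion keywords to cipher names, and the "Exchange 2003 cannot complete a 3DES handshake" behaviour are all constructed from the thread's description, not measured against real servers.

```python
"""Model of Postfix smtpd cipher selection under the settings from the thread.

Added example; not Postfix code.  The negotiation model is a simplification
of OpenSSL's behaviour and all client data below is constructed.
"""

# Assumed server-side preference order (OpenSSL cipher names).  Postfix's real
# default list is much longer; only the relative order AES > 3DES > RC4 matters.
SERVER_ORDER = ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]

# Constructed clients: (ciphers in the client's own preference order,
# ciphers the client advertises but cannot actually complete a handshake with).
CLIENTS = {
    # prefers RC4 but also supports AES128, as described for yahoo.com
    "yahoo": (["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-SHA"], set()),
    # prefers RC4, also offers 3DES; per the thread, choosing 3DES breaks it
    "exchange2003": (["RC4-SHA", "DES-CBC3-SHA"], {"DES-CBC3-SHA"}),
}

# Exclusion keywords as written in main.cf, mapped to the substring that
# identifies that cipher family in the OpenSSL names above (assumption).
FAMILY = {"RC4": "RC4", "3DES": "DES-CBC3"}


def parse_main_cf(text):
    """Parse 'name = value' lines of a main.cf fragment into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def excluded_families(conf, mandatory):
    """Exclusion keywords that apply to one session.

    smtpd_tls_exclude_ciphers applies at every security level; the
    mandatory list is added only when TLS is mandatory for the service
    (e.g. submission with smtpd_tls_security_level = encrypt), which is
    why it has no effect on opportunistic port-25 sessions.
    """
    keys = ["smtpd_tls_exclude_ciphers"]
    if mandatory:
        keys.append("smtpd_tls_mandatory_exclude_ciphers")
    names = set()
    for key in keys:
        names.update(conf.get(key, "").replace(",", " ").split())
    return names


def negotiate(conf, client, mandatory=False):
    """Return (cipher, works).

    cipher is None when no common cipher survives the exclusions; works is
    False when the chosen cipher is one the client cannot actually complete.
    """
    offer, broken = CLIENTS[client]
    excluded = {FAMILY.get(n, n) for n in excluded_families(conf, mandatory)}
    allowed = [c for c in SERVER_ORDER if not any(x in c for x in excluded)]
    if conf.get("tls_preempt_cipherlist", "no") == "yes":
        first, second = allowed, offer   # server's order decides
    else:
        first, second = offer, allowed   # client's order decides (the default)
    for cipher in first:
        if cipher in second:
            return cipher, cipher not in broken
    return None, False


# The four configurations from the thread, as main.cf fragments.
HARALD_TYPO = "smtpd_tls_mandatory_exclude_ciphers = RC4\n"
EXCLUDE_RC4 = "smtpd_tls_exclude_ciphers = RC4\n"
PREEMPT_ONLY = "tls_preempt_cipherlist = yes\n"
VIKTOR = "smtpd_tls_exclude_ciphers = 3DES\ntls_preempt_cipherlist = yes\n"


def run(fragment, mandatory=False):
    """Negotiate with every constructed client under one main.cf fragment."""
    conf = parse_main_cf(fragment)
    return {name: negotiate(conf, name, mandatory) for name in CLIENTS}


if __name__ == "__main__":
    for label, frag in [("mandatory-only RC4 exclusion", HARALD_TYPO),
                        ("exclude RC4", EXCLUDE_RC4),
                        ("server preference only", PREEMPT_ONLY),
                        ("exclude 3DES + server preference", VIKTOR)]:
        print(f"{label:34s} port 25: {run(frag)}")
    print(f"{'mandatory-only RC4 exclusion':34s} port 587: {run(HARALD_TYPO, True)}")
```

Run it and the table reproduces the thread: the mandatory-only exclusion still yields RC4 with the Yahoo-like client on port 25 while protecting port 587; excluding RC4 or turning on server preference alone pushes the Exchange-2003-like client onto 3DES, which it cannot complete; excluding 3DES together with `tls_preempt_cipherlist = yes` gives AES to the client that supports it and RC4 only to the one that has nothing better.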