On 21 Jul 2015, at 17:34, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Tue, Jul 21, 2015 at 09:49:01AM +0200, A. Schulze wrote:
> 
>>> Should I remove "smtpd_tls_mandatory_exclude_ciphers = 3DES"
>>> and look at how the cipher use changes over the next days?
>> 
>> Immediately after I removed "smtpd_tls_mandatory_exclude_ciphers = 3DES"
>> some servers failed to establish TLS. At least one was an Exchange 2010 Version
>> 14.03...
> 
> Did the handshake fail, or did data transfer with 3DES as the cipher
> fail?  Perhaps they are using a new version of Exchange on an
> otherwise rather dated server, whose Schannel library still has
> broken 3DES (though I'd always guessed that the problem was in how
> Exchange uses Schannel, rather than an Schannel bug, I don't really
> know which is to blame).

AFAIK, the 3DES bug, which I haven't seen in ages, occurs with Exchange 
2003 on Windows Server 2003, possibly also Windows Server 2000.

Exchange 2010 requires 64-bit Windows Server 2008 as the minimum 
platform, which is actively supported, and should not use 3DES over 
other ciphers by default, provided the receiving server is correctly
configured.

Kind regards,
Joni
