Some "too old" TLS clients will fail with Postfix. I don't know if they use
DHE.
And it's NOT a Postfix error.
What happens is, while client and server are changing keys, the client
closes the connection.
And a message appears in your log, "server closed connection", and no
mail is received.
Old Windows Exchange servers and some Lotus Notes servers have this
problem, maybe more, I don't know that.
For these the only workaround, as far as I know, is: don't show
STARTTLS.
info here :
http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
## used to disable buggy clients with faulty TLS/SSL stacks
1.2.3.4 STARTTLS
which means:
Don't show STARTTLS for that IP.
Needed for older clients; you could also
add in main.cf, in smtpd_client_restrictions, just after
permit_mynetworks:
smtpd_discard_ehlo_keyword_address_maps =
cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr
Maybe there are better solutions for this, but this works for me.
If you have to be compatible with e.g. Exchange 2003, then take a look
at Viktor's post about "Updated to recommended TLS settings" a few weeks
ago:
http://postfix.1071664.n5.nabble.com/Update-to-recommended-TLS-settings-tt78583.html#none
A different posting about TLS was on the list following the Logjam
vulnerability; you can find it here:
http://postfix.1071664.n5.nabble.com/Security-amp-Compatibility-tt77035.html
regards
- christian
Greetz,
Louis
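The cidr: map approach described above hides STARTTLS only from the listed client addresses, while everyone else still sees it. The following is an added example, not Postfix code and not Louis's actual configuration: it models how Postfix's smtpd_discard_ehlo_keyword_address_maps lookup behaves (cidr_table(5) semantics: entries tried top to bottom, first match wins, value is a keyword list) so you can see which clients lose which EHLO keywords, and it includes a live EHLO check using Python's standard smtplib. The table contents, the 10.20.0.0/16 and 192.0.2.0/24 entries and the EHLO keyword list are constructed for the example.

```python
"""Model of Postfix's smtpd_discard_ehlo_keyword_address_maps lookup.

Added example (not Postfix code, not the poster's configuration): hide
STARTTLS (and, for one constructed entry, PIPELINING) from listed client
addresses and show what the remaining EHLO keywords would be.
"""
import ipaddress
import re
import smtplib

# Constructed cidr: table in the format of
# /etc/postfix/smtpd_discard_ehlo_keywords_address.cidr.
# Per cidr_table(5): entries are tried top to bottom, first match wins;
# the value is a comma/whitespace separated list of EHLO keywords that
# smtpd will not announce to matching clients.
CIDR_TABLE = """\
## used to disable buggy clients with faulty TLS/SSL stacks
1.2.3.4          STARTTLS
10.20.0.0/16     STARTTLS
# constructed extra entry: an old relay that also trips over PIPELINING
192.0.2.0/24     STARTTLS, PIPELINING
"""

# Constructed EHLO reply of a modern Postfix (hostname line omitted).
EHLO_KEYWORDS = [
    "PIPELINING",
    "SIZE 10240000",
    "VRFY",
    "ETRN",
    "STARTTLS",
    "ENHANCEDSTATUSCODES",
    "8BITMIME",
    "DSN",
]


def parse_cidr_table(text):
    """Return [(ip_network, [KEYWORD, ...]), ...] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed cidr entry: %r" % raw)
        pattern, value = parts
        # strict=False accepts both '1.2.3.4' (a /32) and '10.20.0.0/16'
        network = ipaddress.ip_network(pattern, strict=False)
        keywords = [k.upper() for k in re.split(r"[,\s]+", value) if k]
        entries.append((network, keywords))
    return entries


def discarded_keywords(table, client_ip):
    """First-match lookup as cidr: tables do; [] when the client is not listed."""
    addr = ipaddress.ip_address(client_ip)
    for network, keywords in table:
        if addr in network:
            return keywords
    return []


def filter_ehlo(keywords, table, client_ip):
    """EHLO keyword lines the server would still announce to client_ip."""
    drop = set(discarded_keywords(table, client_ip))
    # 'SIZE 10240000' and 'AUTH PLAIN LOGIN' carry parameters; match on the
    # first token only, which is the keyword Postfix compares against.
    return [kw for kw in keywords if kw.split()[0].upper() not in drop]


def advertises_starttls(host, port=25, timeout=10):
    """Live check (needs network access): does `host` announce STARTTLS to
    the address this script connects from? Run it from the old client's
    network to confirm the map hides STARTTLS there, and from anywhere else
    to confirm other clients still get it."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return conn.has_extn("starttls")


if __name__ == "__main__":
    table = parse_cidr_table(CIDR_TABLE)
    for ip in ("1.2.3.4", "1.2.3.5", "10.20.33.44", "192.0.2.7"):
        print(ip, filter_ehlo(EHLO_KEYWORDS, table, ip))
```

On the real server the equivalent check of the map itself is `postmap -q 1.2.3.4 cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr`, which prints the keyword list for a matching address and nothing otherwise. Keep in mind that a client listed in this map only ever talks to you in cleartext, so list single hosts rather than whole networks where you can.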