On Sat, Nov 19, 2016 at 10:44:11PM +0100, Josh Good wrote:

> This bug in SChannel (the SSL/TLS subsystem in Windows) in Windows
> Server 2003 is well known:

Indeed, it has been well known now for approximately a decade.

> Also, I've been able to replicate the problem, setting up a server with
> Ubuntu 16.10, which defaults to Postfix 3.1.0 as MTA and OpenSSL 1.0.2g
> as crypto subsystem. After I enabled TLS for the smtp client of Postfix,
> I could no longer successfully send email to Exchange 2007 running on
> Windows Server 2003 x64.

This is surprising, Postfix is expected to retry in cleartext when
a TLS delivery fails.  Originally, that retry was immediate, on
the first delivery.  More recent versions of Postfix retry after
the message age exceeds the minimum backoff time (so retries
typically happen on the second delivery attempt).

To understand why this might not have happened in your test, you
need to post the "postconf -n" output from your test rig, and
complete logs of two or more "natural" (not forced by "postfix
flush") delivery attempts (as produced by e.g.  "collate.pl") for
a message that was not redelivered on the second try.

> Instead, the outgoing messages got queued in
> Postfix with the error message: "Cannot start TLS: handshake failure";
> and eventually some days later they will expire and be deleted from the
> Postfix queue never reaching their recipient.

That's not how Postfix is expected to behave.  Please post
configuration and logs.  Mind you, Postfix is not the only MTA that
sends email over TLS, and other TLS implementations can be (and
often are) less capable, less forgiving or both.

> Therefore, no more "opportunistic SSL/TLS" for external senders trying
> to send email to my customers' Exchange 2007 systems -- from now on,
> all incoming email from the Internet will be received "encrypted" in
> plain text.

Yes, Exchange 2007 or earlier on Windows 2003 is no longer "fit
for purpose", at least with respect to TLS.  There used to be
"hotfix" updates that provide AES support for Windows 2003.  You'll
likely have a hard time obtaining them now.

-- 
        Viktor.
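The reply above says a TLS handshake failure should be followed by a cleartext retry on a later delivery attempt, and asks for logs of two or more natural attempts for the same message. The script below is an added example (not code from the thread or from the Postfix project) that correlates Postfix `smtp` log lines by queue ID and flags messages whose first attempt died with "Cannot start TLS: handshake failure" but which never got delivered afterwards. The log lines are constructed to resemble the Postfix format; the field layout the regex expects is an assumption about that format, and a later `status=sent` is taken as evidence that the fallback worked (the sent line itself does not say whether TLS was used).

```python
import re
from collections import defaultdict

# Constructed sample Postfix smtp log lines (not from the original thread).
# Queue 3A1B2C3D4E: TLS handshake failure, then delivered on the next attempt.
# Queue 5F6A7B8C9D: TLS handshake failure on every attempt (the case to investigate).
SAMPLE_LOG = """\
Nov 19 22:50:01 mx postfix/smtp[2101]: 3A1B2C3D4E: to=<a@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=0.3, delays=0.1/0/0.2/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Nov 19 23:05:12 mx postfix/smtp[2188]: 3A1B2C3D4E: to=<a@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=912, delays=900/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.6.0 Queued mail for delivery)
Nov 19 22:51:30 mx postfix/smtp[2105]: 5F6A7B8C9D: to=<b@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=0.2, delays=0.1/0/0.1/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Nov 19 23:06:40 mx postfix/smtp[2190]: 5F6A7B8C9D: to=<b@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=910, delays=900/0/0.2/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
"""

# Assumed layout of a Postfix smtp delivery-attempt line: queue ID, recipient,
# relay, then a status keyword with the detail text in parentheses.
LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^,]+), .*?status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
TLS_FAIL = "Cannot start TLS: handshake failure"


def parse_attempts(log_text):
    """Group delivery attempts by queue ID, preserving log order."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts[m["qid"]].append(m.groupdict())
    return attempts


def classify(attempts):
    """For each queue ID whose first attempt failed in the TLS handshake, say
    whether a later attempt succeeded (fallback presumed to have worked),
    whether only one attempt has been logged so far (too early to judge), or
    whether every later attempt failed the same way (no fallback observed)."""
    result = {}
    for qid, tries in attempts.items():
        if TLS_FAIL not in tries[0]["detail"]:
            continue
        later = tries[1:]
        if any(t["status"] == "sent" for t in later):
            result[qid] = "fallback_ok"
        elif not later:
            result[qid] = "single_attempt"
        elif all(TLS_FAIL in t["detail"] for t in later):
            result[qid] = "no_fallback"
        else:
            result[qid] = "other"
    return result


def report(log_text):
    """Return the classification for the messages in the given log text."""
    return classify(parse_attempts(log_text))


if __name__ == "__main__":
    for qid, verdict in sorted(report(SAMPLE_LOG).items()):
        print(f"{qid}: {verdict}")
```

Running it against real logs means feeding the `smtp` lines for the same queue IDs across several natural delivery attempts; a `no_fallback` verdict is the case worth pairing with `postconf -n` output when asking for help, as the reply requests.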
