On 2016 Nov 19, 23:14, Viktor Dukhovni wrote:

> On Sat, Nov 19, 2016 at 10:44:11PM +0100, Josh Good wrote:
>
> > Also, I've been able to replicate the problem, setting up a server with
> > Ubuntu 16.10, which defaults to Postfix 3.1.0 as MTA and OpenSSL 1.0.2g
> > as crypto subsystem. After I enabled TLS for the smtp client of Postfix,
> > I could no longer successfully send email to Exchange 2007 running on
> > Windows Server 2003 x64.
>
> This is surprising, Postfix is expected to retry in cleartext when
> a TLS delivery fails. Originally, that retry was immediate, on
> the first delivery. More recent versions of Postfix retry after
> the message age exceeds the minimum backoff time (so retries
> typically happen on the second delivery attempt).
You are, obviously, right. I've more carefully tested again, and in the first sending attempt Postfix tried TLS and failed, and then the message went to the Postfix queue as deferred to be retried later. In this new test I've done, I patiently waited and 9 minutes later Postfix did a second automatic attempt and also tried TLS first, which again failed, but immediately after that it tried to send the message without TLS, which succeeded.

Therefore I judged too fast and I was wrong, and you are right. I remember running "postqueue -f" several times and seeing the failed message remain in the queue as deferred with the error message "Cannot start TLS: handshake failure", and then I wrongly assumed the message had entered into a kind of "bad loop".

> That's not how Postfix is expected to behave. Please post
> configuration and logs. Mind you, Postfix is not the only MTA that
> sends email over TLS, and other TLS implementations can be (and
> often are) less capable, less forgiving or both.

Certainly Postfix is behaving in a quite robust manner. So it must be other MTAs which have recently begun exposing the Schannel 64-slot bug in Windows Server 2003.

Thank you for your help.

--
Josh Good
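The sequence Josh describes (a deferral with "Cannot start TLS: handshake failure", then a cleartext delivery on the next attempt) is exactly what an operator of an opportunistic-TLS relay wants to notice in the mail log, because it marks a message that left the host unencrypted. The following log check is an added example, not code from the thread or from Postfix; the log lines are constructed, and the hostnames, addresses and queue IDs in them are placeholders.

```python
import re

# Constructed sample of postfix/smtp log lines (not from the thread).
SAMPLE_LOG = """\
Nov 19 22:44:11 mx postfix/smtp[1234]: Cannot start TLS: handshake failure
Nov 19 22:44:11 mx postfix/smtp[1234]: 3AB12C45D6: to=<user@example.com>, relay=exchange.example.com[192.0.2.10]:25, delay=0.3, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Nov 19 22:53:20 mx postfix/smtp[1250]: Cannot start TLS: handshake failure
Nov 19 22:53:21 mx postfix/smtp[1250]: 3AB12C45D6: to=<user@example.com>, relay=exchange.example.com[192.0.2.10]:25, delay=550, dsn=2.0.0, status=sent (250 2.6.0 Queued mail for delivery)
Nov 19 22:55:00 mx postfix/smtp[1251]: Untrusted TLS connection established to mx.other.example[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 19 22:55:01 mx postfix/smtp[1251]: 7CD89E01F2: to=<bob@other.example>, relay=mx.other.example[198.51.100.7]:25, delay=1.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234ABCD)
"""

PROC_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STATUS_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>\S+), "
    r".*status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

def find_cleartext_fallbacks(log_text):
    """Return (queue_id, recipient, relay) for every message that was first
    deferred by a STARTTLS failure and later reported sent without a
    preceding 'TLS connection established' line from the same smtp process."""
    tls_pending = set()   # pids whose current delivery attempt negotiated TLS
    tls_failed = set()    # queue ids that were deferred by a STARTTLS failure
    fallbacks = []
    for line in log_text.splitlines():
        m = PROC_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if "TLS connection established" in msg:
            tls_pending.add(pid)
            continue
        s = STATUS_RE.match(msg)
        if not s:
            continue
        used_tls = pid in tls_pending
        tls_pending.discard(pid)  # a status line closes one delivery attempt
        qid, status, reason = s.group("qid"), s.group("status"), s.group("reason")
        if status == "deferred" and "Cannot start TLS" in reason:
            tls_failed.add(qid)
        elif status == "sent" and not used_tls and qid in tls_failed:
            fallbacks.append((qid, s.group("rcpt"), s.group("relay")))
    return fallbacks

if __name__ == "__main__":
    for qid, rcpt, relay in find_cleartext_fallbacks(SAMPLE_LOG):
        print(f"{qid}: {rcpt} via {relay} delivered in cleartext after a TLS failure")
```

On a real system the check would be run over /var/log/mail.log (or journald output) rather than the embedded sample, and a hit is a reason to consider `smtp_tls_security_level = encrypt` for that destination.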