On Sun, Nov 20, 2016 at 02:21:06AM +0100, Josh Good wrote:

> > That's not how Postfix is expected to behave. Please post
> > configuration and logs. Mind you, Postfix is not the only MTA that
> > sends email over TLS, and other TLS implementations can be (and
> > often are) less capable, less forgiving or both.
>
> Certainly Postfix is behaving in a quite robust manner. So it must be
> other MTAs which have recently begun exposing the Schannel 64-slot bug
> in Windows Server 2003.

Good to hear everything is working as designed and implemented.
The Postfix philosophy is to not cut corners, do it right, or not
at all.

Yes, there are other MTAs that are known to not retry in cleartext,
or only retry on handshake failure, and not data transfer failure.
With Exchange 2003 often completing handshake that negotiates an
ultimately non-working 3DES cipher, you get data transfer failures.

Given that Exchange on Windows 2003 only supports RC4 and 3DES,
both of which are deprecated in TLS, there's not much point in
continuing to offer TLS to the unwashed masses. Such servers can
only do TLS with specially configured front-end proxies that terminate
a more modern TLS connection, and then use the obsolete TLS ciphers
on the back-haul.

> Thank you for your help.

You're welcome. Thanks for following up and clearing any doubt that
the implementation is correct.

--
Viktor.