On 2016 Nov 20, 01:38, Viktor Dukhovni wrote:

> Given that Exchange on Windows 2003 only supports RC4 and 3DES,
> both of which are deprecated in TLS. There's not much point in
> continuing to offer TLS to the unwashed masses. Such servers
> can only do TLS with specially configured front-end proxies
> that terminate a more modern TLS connection, and then use
> the obsolete TLS ciphers on the back-haul.
Hello again. I've some good news: I've been able to successfully send email using TLS encryption in the SMTP transfer from Ubuntu 16.10 Server, with its standard supplied Postfix 3.1.0 and OpenSSL 1.0.2g packages, to Exchange 2007 running on Windows Server 2003 x64 (and also to Exchange 2003 running on Windows Server 2003 x86, as I still have one holdout client on that platform), without having to fine-tune Postfix's smtp client TLS configuration at the sending side of the SMTP transaction.

The trick is installing hotfix KB948963, provided by Microsoft for Windows Server 2003 in 2008. That hotfix provides the cipher suites:

  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA

for the Schannel crypto subsystem in Windows Server 2003. URL for that hotfix:

  https://support.microsoft.com/en-us/kb/948963

If you care to check my first post to this thread, you will find that those cipher suites appear in slots 30 and 31, respectively, in the list of supported cipher suites provided by the remote SMTP client in the STARTTLS SMTP negotiation handshake against Windows Server 2003. Because this does not trigger the 64-slot bug in the Schannel crypto subsystem of Windows Server 2003, the TLS handshake is successful, and the email is received successfully in Exchange 2007 (and in Exchange 2003) using TLS for the SMTP transfer.

In the logs of the SMTP sending side (Ubuntu), I see this in /var/log/mail when the email is successfully sent in this way to Exchange 2003/2007 on Windows Server 2003 with TLS:

  "Untrusted TLS connection established to XXXX.example.com[YYY.YYY.YYY.YYY]:25: TLSv1 with cipher AES256-SHA (256/256 bits)"

Now, having said that, there is a gotcha: the URL for the hotfix offers a "Hotfix download available" button, which simply put does NOT work. Microsoft seems to have silently retired that hotfix from general availability.

That is bad news for those of us who have to deal with customers "not easily amenable to paying for upgrades", if you know what I mean... But there is a workaround: the hotfix is available for download from an unofficial third party:

  --> for Windows Server 2003 x86 in English:
      http://thehotfixshare.net/board/index.php?showtopic=11015&hl=948963

  --> for Windows Server 2003 x64 in English:
      http://thehotfixshare.net/board/index.php?showtopic=11014&hl=948963

OK, so we are now navigating muddy waters, so to speak. If you download the hotfix from that source, then go straight ahead to www.virustotal.com and check it against their online multi-antivirus service. It should come out clean with 0 results.

For the benefit of fellow netizens in a similarly harsh position to mine, I'll publish here the MD5 and SHA-2 hashes of the hotfix as downloaded from http://thehotfixshare.net, which I have tested and found to work fine:

  $ md5sum WindowsServer2003-KB948963-x86-ENU.exe
  390623b50e3a10e72129c4d62e4768c3  WindowsServer2003-KB948963-x86-ENU.exe

  $ sha256sum WindowsServer2003-KB948963-x86-ENU.exe
  6cb30cb92bff640992366f68978afaa61a984ca7683362b62c5271114ca15163  WindowsServer2003-KB948963-x86-ENU.exe

  $ md5sum WindowsServer2003.WindowsXP-KB948963-x64-ENU.exe
  28002524ecdb2a4a4e8bd15438976123  WindowsServer2003.WindowsXP-KB948963-x64-ENU.exe

  $ sha256sum WindowsServer2003.WindowsXP-KB948963-x64-ENU.exe
  973a60f5408632d602db59db7b075ec18bbdbf0c38c4821c19265d4c8bc27168  WindowsServer2003.WindowsXP-KB948963-x64-ENU.exe

I hope all of this may be of some help to someone.

-- 
Josh Good
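The message above hinges on where two cipher suites land in the list the sending Postfix/OpenSSL client offers: the thread reports that Windows Server 2003's Schannel only considers the first 64 suites in the ClientHello, so TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_AES_128_CBC_SHA (OpenSSL names AES256-SHA and AES128-SHA) must appear within those slots to be of any use. The following is an added diagnostic, not code from the thread or from the Postfix project; it asks the local OpenSSL, through Python's ssl module, what order a given cipher string produces and checks whether the wanted suites fall inside the limit. The cipher string POSTFIX_MEDIUM is assumed to be Postfix 3.1's default tls_medium_cipherlist; confirm with `postconf tls_medium_cipherlist` on your own system, and note that the resulting order also depends on the OpenSSL build doing the check.

```python
"""Where do particular cipher suites fall in an OpenSSL client's offer?

Added example (not from the mailing-list thread).  It builds an SSLContext
from a cipher string, lists the pre-TLS1.3 suites OpenSSL would offer in
that order, and reports the 1-based slot of each suite of interest.
"""
import ssl

# ASSUMPTION: Postfix 3.1's default "medium" cipher grade (tls_medium_cipherlist).
# Check your own value with: postconf tls_medium_cipherlist
POSTFIX_MEDIUM = "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"

# OpenSSL names of the two suites the thread says hotfix KB948963 adds to
# Windows Server 2003 Schannel (TLS_RSA_WITH_AES_256_CBC_SHA, ..._128_CBC_SHA).
HOTFIX_SUITES = ("AES256-SHA", "AES128-SHA")

# Slot limit reported in the thread for Windows Server 2003's Schannel.
SCHANNEL_2003_LIMIT = 64


def offered_ciphers(cipher_string):
    """Return the ordered list of cipher names OpenSSL would offer for
    cipher_string, excluding TLS 1.3 suites.  TLS 1.3 suites are configured
    separately in OpenSSL and a Windows Server 2003 peer cannot negotiate
    them, so dropping them keeps positions aligned with a TLS 1.0-1.2 offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suite_positions(cipher_string, wanted=HOTFIX_SUITES):
    """Map each wanted suite name to its 1-based slot in the offer,
    or None when the cipher string would not offer it at all."""
    offered = offered_ciphers(cipher_string)
    return {
        name: (offered.index(name) + 1) if name in offered else None
        for name in wanted
    }


def fits_within(cipher_string, limit=SCHANNEL_2003_LIMIT, wanted=HOTFIX_SUITES):
    """True when every wanted suite is offered inside the first `limit` slots."""
    return all(
        pos is not None and pos <= limit
        for pos in suite_positions(cipher_string, wanted).values()
    )


def report(cipher_string, limit=SCHANNEL_2003_LIMIT, wanted=HOTFIX_SUITES):
    """Human-readable summary of the offer and where the wanted suites sit."""
    offered = offered_ciphers(cipher_string)
    lines = [
        f"cipher string        : {cipher_string}",
        f"suites offered       : {len(offered)} (pre-TLS1.3)",
    ]
    for name, pos in suite_positions(cipher_string, wanted).items():
        if pos is None:
            status = "not offered"
        elif pos <= limit:
            status = f"slot {pos} (within first {limit})"
        else:
            status = f"slot {pos} (BEYOND first {limit}: a {limit}-slot peer never sees it)"
        lines.append(f"  {name:<12}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(POSTFIX_MEDIUM))
    print()
    # Constructed counter-example: delete the two suites, then re-add them so
    # OpenSSL appends them at the very end of the offer.
    print(report("ALL:-AES256-SHA:-AES128-SHA:AES256-SHA:AES128-SHA"))
```

Run it on the sending host and compare the reported slots with what a packet capture of the STARTTLS ClientHello shows; if a suite the peer needs sits beyond the limit, reorder the Postfix cipher string rather than widening the grade, since offering more suites only pushes the useful ones further down.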