On Sun, Mar 13, 2022 at 08:35:02PM +0000, lst_ho...@kwsoft.de wrote:

> We have a Postfix Server Version 3.3 and Openssl 1.1.1 on Ubuntu 18.04  
> LTS. One user has the need to send e-mail from an age-old Windows XP  
> VM used because of a special piece of software that is no longer available.

Is the user on a fixed IP address from which you can allow
unauthenticated submission?  If so, simplest to just avoid TLS.

> I have tried to not deactivate TLS 1.0 as Outlook/XP should be able to
> use this, but I got the error "no shared cipher" in Postfix log.  To
> my knowledge XP does not support AES and Openssl 1.1.1 does not
> suggest 3DES or RC4 as far as I can see.

IIRC there were once service packs for XP that make AES available in
TLS, but they are likely not easy to find and deploy these days...

> Are there any settings in Postfix to force RC4/3DES in the Cipherlist
> for TLS 1.0?

No, because the ciphers are disabled in OpenSSL at compile time (the
"no-weak-ssl-ciphers" is enabled by default in the OpenSSL Configure
script).

To re-enable 3DES and RC4 you'd need to build a custom version of
OpenSSL for use with Postfix, in which these ciphers are enabled.
You'll need to make sure that the SONAME of the resulting library
differs from the default SONAME, and the symbol versions are
also different, so that there's no conflict with the system OpenSSL
library.  This is supported via the "shlib_variant" build-template
parameter (rudimentary documentation in Configurations/README):

    shlib_variant   => A "variant" identifier inserted between the base
                       shared library name and the extension.  On "unixy"
                       platforms (BSD, Linux, Solaris, MacOS/X, ...) this
                       supports installation of custom OpenSSL libraries
                       that don't conflict with other builds of OpenSSL
                       installed on the system.  The variant identifier
                       becomes part of the SONAME of the library and also
                       any symbol versions (symbol versions are not used or
                       needed with MacOS/X).  For example, on a system
                       where a default build would normally create the SSL
                       shared library as 'libssl.so -> libssl.so.1.1' with
                       the value of the symlink as the SONAME, a target
                       definition that sets 'shlib_variant => "-abc"' will
                       create 'libssl.so -> libssl-abc.so.1.1', again with
                       an SONAME equal to the value of the symlink.  The
                       symbol versions associated with the variant library
                       would then be 'OPENSSL_ABC_<version>' rather than
                       the default 'OPENSSL_<version>'. The string inserted
                       into symbol versions is obtained by mapping all
                       letters in the "variant" identifier to upper case
                       and all non-alphanumeric characters to '_'.

This of course means building your own Postfix as well.

-- 
    Viktor.
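The build route Viktor describes, as an added example that is not from the thread nor from the OpenSSL or Postfix projects: it writes a custom Configure target that sets shlib_variant, builds with enable-weak-ssl-ciphers, and checks that the installed library's SONAME and symbol versions really differ from the system copy. Assumed values: an unpacked OpenSSL 1.1.1 source tree, a hypothetical variant "-abc" (target name "linux-x86_64-abc"), install prefix /opt/openssl-abc, and a Linux host with readelf.

```shell
# Added example: variant OpenSSL 1.1.1 build isolated from the system library
# via shlib_variant, with RC4/3DES ciphersuites re-enabled at compile time.
# Assumed: variant "-abc", prefix /opt/openssl-abc, target "linux-x86_64-abc".
set -eu
export LC_ALL=C
# Symbol-version prefix produced by the README mapping (letters upper-cased,
# non-alphanumerics mapped to '_'):  "-abc" -> "OPENSSL_ABC_"
variant_symver_prefix() {
    printf 'OPENSSL%s_' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | sed 's/[^A-Z0-9]/_/g')"
}
# SONAME the variant libssl will carry (1.1.x shared-library version suffix).
variant_soname() {
    printf 'libssl%s.so.1.1' "$1"
}
# Configure reads every *.conf in Configurations/; add a target that only
# sets shlib_variant on top of the stock linux-x86_64 definition.
write_variant_target() {  # args: srcdir variant
    cat > "$1/Configurations/90-variant.conf" <<EOF
my %targets = (
    "linux-x86_64$2" => {
        inherit_from  => [ "linux-x86_64" ],
        shlib_variant => "$2",
    },
);
EOF
}
# Prove the installed libssl cannot be confused with the system one: SONAME
# carries the variant, version nodes carry the mapped prefix, and no default
# OPENSSL_1_1_* version node is present.
check_variant_library() {  # args: libdir variant
    so="$1/$(variant_soname "$2")"
    readelf -d "$so" | grep -q "SONAME.*$(variant_soname "$2")" || return 1
    readelf -V "$so" | grep -q "$(variant_symver_prefix "$2")" || return 1
    ! readelf -V "$so" | grep -q 'OPENSSL_1_1_'
}
build_variant_openssl() {  # args: srcdir variant prefix
    write_variant_target "$1" "$2"
    ( cd "$1" && ./Configure "linux-x86_64$2" enable-weak-ssl-ciphers \
          --prefix="$3" --openssldir="$3/ssl" && make && make install_sw )
    check_variant_library "$3/lib" "$2"
    # Postfix must then be built against this tree, e.g.
    #   make makefiles CCARGS="-DUSE_TLS -I$3/include" \
    #       AUXLIBS="-L$3/lib -lssl -lcrypto -Wl,-rpath,$3/lib"
}
if [ $# -ge 3 ]; then build_variant_openssl "$@"; fi
```

Run it as `sh build-variant.sh /path/to/openssl-1.1.1 -abc /opt/openssl-abc`; the rpath in the Postfix AUXLIBS is what keeps the rebuilt Postfix bound to the variant library rather than the system one.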
