lst_ho...@kwsoft.de wrote:
> we have a Postfix Server Version 3.3 and Openssl 1.1.1 on Ubuntu 18.04 LTS.
> One user has the need to send e-mail from an age old Windows XP VM used
> because of a special not any more available software. I have tried to not
> deactivate TLS 1.0 as Outlook/XP should be able to use this, but I got the
> error "no shared cipher" in Postfix log. To my knowledge XP does not support
> AES and Openssl 1.1.1 does not suggest 3DES or RC4 as far as I can see.
> Are there any settings in Postfix to force RC4/3DES in the Cipherlist for
> TLS 1.0?

If it were me I would be inclined to do one of these following things.

I assume the Windows XP is on a private LAN, because otherwise much badness. In which case I would add that LAN subnet to "mynetworks" and allow it through using permit_mynetworks. Or use one of the other check_client_access methods. And not use TLS with that client host at all. Much simpler. If it is all internal to your network then I don't see any reason for TLS to be involved at all.

If one wants to keep the main mail relay free of these types of entanglements with special configurations then I might set up an additional auxiliary mail relay host specifically to collect up mail from these special purpose dedicated clients and then relay it on to the main mail relay. This auxiliary system could then hold all of the special legacy connectivity configuration for these special clients. It would be a way to delegate configuration responsibility for them. It could then relay the mail on to the main mail relay as you prefer. That could even be a long haul across the Internet WAN using TLS with certificates and everything.

Bob
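
The auxiliary relay described in the reply above could look like the following main.cf fragment. This is an added example, not configuration from the thread or from either poster; the addresses 192.168.50.10 and 192.168.50.23 and the hostname mail.example.com are constructed placeholders.

```conf
# /etc/postfix/main.cf on the auxiliary relay (added example, all
# addresses and hostnames below are constructed placeholders)

# Listen only on loopback and the private LAN interface.
inet_interfaces = 127.0.0.1, 192.168.50.10

# This host delivers nothing locally; it only forwards.
mydestination =

# Trust exactly the legacy client, not the whole subnet.
# 192.168.50.23 stands in for the Windows XP VM.
mynetworks = 127.0.0.0/8 192.168.50.23/32

# Inbound side: no TLS is offered to the legacy client, so the
# "no shared cipher" handshake never takes place.
smtpd_tls_security_level = none

# Relay only for mynetworks; every other client is refused.
smtpd_relay_restrictions = permit_mynetworks, reject

# Outbound side: hand everything to the main relay. The brackets
# suppress the MX lookup.
relayhost = [mail.example.com]:25

# Require TLS with certificate verification and modern protocol
# versions on the hop to the main relay.
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
```

With this split, the main relay's TLS settings stay untouched and the cleartext hop is confined to the private LAN segment between the legacy client and the auxiliary host.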