On Tue, 2015-06-23 at 20:16 +0000, Phil Pennock wrote:

> A key issue though is that by default, Exim will fall back to unencrypted because encryption to MX is opportunistic.

Sendmail as a client sends EHLO, receives an offer of STARTTLS, sends the STARTTLS command and uses openssl to switch to an encrypted connection. When openssl fails the handshake, sendmail just temp-fails (403) the attempt and requeues the mail. In particular, sendmail does not immediately retry without STARTTLS, leading to an eventual delivery failure, by default 5 days later.

Does Exim (immediately or delayed) retry that connection and (temporarily or permanently) ignore the offer of STARTTLS? Does anyone know the behavior of Postfix or other software in this circumstance?

What is the "correct" behavior in this case? The recipient is offering an encrypted channel that we cannot (well, will not) use. If everyone backs off and sends plain text, the recipient will never realize that they should upgrade their DH parameters.

We can easily write a script to tail the log files and automatically add "Try_TLS:server NO" entries to /etc/mail/access. But should we?

Given how widespread Redhat EL5/6/7 servers are, the inability of RHEL6/7 to send mail to RHEL5 servers that have enabled TLS is surprising.

mailop mailing list: http://chilli.nosignal.org/mailman/listinfo/mailop
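One way to surface which peers keep failing the handshake without touching the access map, as an added example that is not code from the post or from sendmail: it assumes the "to=... relay=host. [ip] ... stat=Deferred: 403 4.7.0 TLS handshake failed" record layout used in the constructed sample lines below, and only reports the hosts so their operators can be told about their DH parameters.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the post). The layout is an
# assumption modelled on sendmail's usual delivery record; adjust the
# regex if your sendmail build words the 403 deferral differently.
SAMPLE_LOG = [
    "Jun 23 20:16:01 mail sm-mta[1234]: t5NKG1ab001234: to=<[email protected]>, "
    "delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120345, "
    "relay=mx.example.net. [192.0.2.10], dsn=4.0.0, "
    "stat=Deferred: 403 4.7.0 TLS handshake failed.",
    "Jun 23 20:17:05 mail sm-mta[1240]: t5NKH5cd001240: to=<[email protected]>, "
    "delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=120410, "
    "relay=mx.example.net. [192.0.2.10], dsn=4.0.0, "
    "stat=Deferred: 403 4.7.0 TLS handshake failed.",
    "Jun 23 20:18:30 mail sm-mta[1250]: t5NKIUef001250: to=<[email protected]>, "
    "delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30123, "
    "relay=mail.example.org. [198.51.100.5], dsn=2.0.0, stat=Sent (OK)",
    "Jun 23 20:19:11 mail sm-mta[1260]: t5NKJBgh001260: to=<[email protected]>, "
    "delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120500, "
    "relay=mx2.example.net. [192.0.2.11], dsn=4.0.0, "
    "stat=Deferred: 403 4.7.0 TLS handshake failed.",
]

# Match the relay host (trailing dot stripped), its address and the
# specific 403 TLS deferral; ordinary deferrals and successes are ignored.
DEFERRED_TLS = re.compile(
    r"relay=(?P<relay>[A-Za-z0-9.-]+?)\.? \[(?P<ip>[0-9a-fA-F:.]+)\].*?"
    r"stat=Deferred: 403 4\.7\.0 TLS handshake failed"
)


def parse_tls_deferrals(lines):
    """Count 403 TLS handshake deferrals per (relay host, ip)."""
    counts = Counter()
    for line in lines:
        m = DEFERRED_TLS.search(line)
        if m:
            counts[(m.group("relay"), m.group("ip"))] += 1
    return counts


def flag_peers(counts, threshold=2):
    """Peers with at least `threshold` failures, most frequent first.
    Reporting only: this never writes Try_TLS entries to /etc/mail/access."""
    return [(host, ip, n) for (host, ip), n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for host, ip, n in flag_peers(parse_tls_deferrals(SAMPLE_LOG)):
        print(f"{host} [{ip}]: {n} STARTTLS handshake failures (403 deferred)")
```

On a live system feed it `tail -F /var/log/maillog` instead of SAMPLE_LOG; a host that stays flagged across the retry window is the one whose queue is heading for the 5-day bounce.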
