On Sun, 22 May 2011 22:00:49 -0500, Noel Jones <njo...@megan.vbhcs.org> wrote:
> Is postfix also the client? What are the settings on that
> machine?

Client machines use Claws Mail as MUA (configured to use SMTP at 587) and those machines have Postfix as the MTA, configured like this:

$ sudo postconf -n | grep -v '^smtpd_' | grep 'tls\|sasl\|master\|^my'
master_service_disable = inet
mydestination = localhost.localdomain, localhost
myhostname = desk.localhost.localdomain
myorigin = $mydomain
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

> Are you certain you're connecting to the submission port?
> adding "-o syslog_name=postfix-submission" or similar to the
> master.cf submission entry is helpful.

After adding "-o syslog_name=postfix-submission" I get the same result as previously reported:

May 23 09:37:36 mx postfix-submission/smtpd[29693]: connect from unknown[192.168.1.60]
May 23 09:37:37 mx postfix-submission/smtpd[29693]: setting up TLS connection from unknown[192.168.1.60]
May 23 09:37:38 mx postfix-submission/smtpd[29693]: Anonymous TLS connection established from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
May 23 09:37:44 mx postfix-submission/smtpd[29693]: A95E1816B: client=unknown[192.168.1.60], sasl_method=LOGIN, sasl_username=test...@example.org
May 23 09:37:45 mx postfix/cleanup[29712]: A95E1816B: message-id=<>
May 23 09:37:45 mx postfix/qmgr[29480]: A95E1816B: from=<test...@example.org>, size=507, nrcpt=1 (queue active)
May 23 09:37:46 mx postfix-submission/smtpd[29693]: disconnect from unknown[192.168.1.60]

> Remove your *_exclude_ciphers entries and let openssl figure it
> out itself. It usually does a better job of finding the best
> common cipher than you can by hand.

Removing smtpd_tls_mandatory_exclude_ciphers and reloading in the receiving server did not help.

Doing the same with the smtp_tls_mandatory_exclude_ciphers at the sender machines did not help either.

In any case, setting 'smtpd_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL' should not interfere with Postfix's ability to choose from the strongest to the weakest of the remaining ciphers (as shown by openssl ciphers -v 'ALL:@STRENGTH').

Is it a postfix bug? If so, I wonder what other configs can trigger the selection of weaker ciphers by postfix?

Thank you for your time, Noel.

Best regards,
M.
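
An added example, not part of the original message: a Python check that reads Postfix "TLS connection established" log lines and reports sessions whose negotiated cipher falls into a class named in the exclude list quoted in the message. The class patterns are a hand-written approximation of the OpenSSL keywords for classic TLSv1 suite names (an assumption), and every sample line except the first is constructed.

```python
import re

# Matches Postfix "TLS connection established" lines from smtpd (server) or smtp (client).
TLS_LINE = re.compile(
    r"(?P<service>\S+)/smtpd?\[\d+\]: .*TLS connection established "
    r"(?:from|to) (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)"
)

# Assumption: approximations of OpenSSL cipher-class keywords, valid only for
# classic SSLv3/TLSv1 suite names as they appear in Postfix logs.
CLASS_PATTERNS = {
    "AES128": re.compile(r"AES128"),
    "DES": re.compile(r"(?:^|-)DES-CBC-"),  # single DES; DES-CBC3 is 3DES
    "MD5": re.compile(r"-MD5$"),
    "aNULL": re.compile(r"^(?:EXP-)?(?:ADH|AECDH)-"),  # anonymous key exchange
}

EXCLUDE_SETTING = "AES128, DES, MD5, aNULL"  # exclude list quoted in the message

SAMPLE_LOG = [
    # From the message:
    "May 23 09:37:38 mx postfix-submission/smtpd[29693]: Anonymous TLS connection "
    "established from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)",
    # Constructed lines:
    "May 23 09:40:01 mx postfix/smtpd[29701]: Anonymous TLS connection "
    "established from unknown[192.168.1.61]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)",
    "May 23 09:41:12 mx postfix/smtpd[29702]: Anonymous TLS connection "
    "established from unknown[192.168.1.62]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)",
    "May 23 09:41:13 mx postfix/smtpd[29702]: disconnect from unknown[192.168.1.62]",
]

def parse_classes(setting):
    """Split a Postfix exclude list (comma and/or whitespace separated)."""
    return [tok for tok in re.split(r"[,\s]+", setting.strip()) if tok]

def audit(lines, setting):
    """Return (service, peer, cipher, matched_classes) for each policy violation."""
    classes = parse_classes(setting)
    unknown = [c for c in classes if c not in CLASS_PATTERNS]
    if unknown:
        raise ValueError("no pattern for cipher class(es): %s" % ", ".join(unknown))
    findings = []
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a completed-handshake line
        hits = [c for c in classes if CLASS_PATTERNS[c].search(m["cipher"])]
        if hits:
            findings.append((m["service"], m["peer"], m["cipher"], hits))
    return findings

if __name__ == "__main__":
    for service, peer, cipher, hits in audit(SAMPLE_LOG, EXCLUDE_SETTING):
        print("%s %s negotiated %s (excluded: %s)" % (service, peer, cipher, ", ".join(hits)))
```

Setting syslog_name per master.cf entry, as suggested in the quoted reply, is what lets the first tuple field separate submission sessions from port 25 traffic.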