On Sun, 22 May 2011 22:00:49 -0500, Noel Jones <njo...@megan.vbhcs.org>
wrote:

> Is postfix also the client?  What are the settings on that 
> machine?

Client machines use Claws Mail as MUA (configured to use SMTP at 587)
and those machines have Postfix as the MTA, configured like this:
$ sudo postconf -n | grep -v '^smtpd_' | grep 'tls\|sasl\|master\|^my'
master_service_disable = inet
mydestination = localhost.localdomain, localhost
myhostname = desk.localhost.localdomain
myorigin = $mydomain
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

> Are you certain you're connecting to the submission port?
> Adding "-o syslog_name=postfix-submission" or similar to the
> master.cf submission entry is helpful.

After adding "-o syslog_name=postfix-submission" I get the same result
as previously reported:
May 23 09:37:36 mx postfix-submission/smtpd[29693]: connect from unknown[192.168.1.60]
May 23 09:37:37 mx postfix-submission/smtpd[29693]: setting up TLS connection from unknown[192.168.1.60]
May 23 09:37:38 mx postfix-submission/smtpd[29693]: Anonymous TLS connection established from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
May 23 09:37:44 mx postfix-submission/smtpd[29693]: A95E1816B: client=unknown[192.168.1.60], sasl_method=LOGIN, sasl_username=test...@example.org
May 23 09:37:45 mx postfix/cleanup[29712]: A95E1816B: message-id=<>
May 23 09:37:45 mx postfix/qmgr[29480]: A95E1816B: from=<test...@example.org>, size=507, nrcpt=1 (queue active)
May 23 09:37:46 mx postfix-submission/smtpd[29693]: disconnect from unknown[192.168.1.60]

> Remove your *_exclude_ciphers entries and let openssl figure it
> out itself.  It usually does a better job of finding the best
> common cipher than you can by hand.

Removing smtpd_tls_mandatory_exclude_ciphers and reloading on the
receiving server did not help.
Doing the same with smtp_tls_mandatory_exclude_ciphers on the
sender machines did not help either.

In any case, setting 'smtpd_tls_mandatory_exclude_ciphers = AES128, DES,
MD5, aNULL' should not interfere with Postfix's ability to choose from
the strongest to the weakest of the remaining ciphers (as shown by
openssl ciphers -v 'ALL:@STRENGTH').

Is it a Postfix bug? If so, I wonder what other configs can trigger
the selection of weaker ciphers by Postfix?


Thank you for your time Noel.

Best regards,

M.

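A check for the question in this message, added here as an example and not code from the thread or from Postfix itself: it reports which exclude list Postfix honours at a given security level (the *_tls_mandatory_exclude_ciphers lists apply only at mandatory levels such as 'encrypt', not at 'may', where only *_tls_exclude_ciphers counts) and scans "TLS connection established" log lines like the ones above for ciphers that trip the configured exclusion tokens. The log-line regex, the simplified token matching and the sample log are assumptions made for the example.

```python
import re

# Constructed sample mail log shaped like the lines quoted above in the thread.
SAMPLE_LOG = """\
May 23 09:37:38 mx postfix-submission/smtpd[29693]: Anonymous TLS connection established from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
May 23 09:37:46 mx postfix-submission/smtpd[29693]: disconnect from unknown[192.168.1.60]
"""

# Assumed format of Postfix smtp/smtpd "TLS connection established" lines.
TLS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>\S+)\[\d+\]: "
    r"(?P<trust>\w+) TLS connection established (?:from|to) (?P<peer>\S+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)$"
)

MANDATORY_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def exclude_in_effect(cfg, side):
    """Exclusion tokens Postfix actually applies on side 'smtp' or 'smtpd': the
    mandatory list counts only at a mandatory level, so under 'may' it is ignored."""
    tokens = cfg.get(side + "_tls_exclude_ciphers", "")
    if cfg.get(side + "_tls_security_level", "none") in MANDATORY_LEVELS:
        tokens += "," + cfg.get(side + "_tls_mandatory_exclude_ciphers", "")
    return [t.strip() for t in tokens.split(",") if t.strip()]

def excluded_by(cipher, tokens):
    """Tokens the negotiated cipher name trips: a simplified reading of OpenSSL
    cipher-list tokens that covers this thread, not OpenSSL's full matching."""
    parts = cipher.upper().split("-")
    hits = []
    for tok in tokens:
        if tok == "aNULL":          # anonymous key exchange: ADH-*, AECDH-*
            if parts[0] in ("ADH", "AECDH"):
                hits.append(tok)
        elif tok == "DES":          # single DES only; 3DES is named DES-CBC3
            if "DES" in parts and "CBC3" not in parts:
                hits.append(tok)
        elif tok.upper() in parts:  # AES128, MD5, RC4, ... as name components
            hits.append(tok)
    return hits

def audit(log_text, tokens):
    """(peer, protocol, cipher, tripped tokens) per logged session violating policy."""
    findings = []
    for m in map(TLS_RE.match, log_text.splitlines()):
        hits = excluded_by(m["cipher"], tokens) if m else []
        if hits:
            findings.append((m["peer"], m["proto"], m["cipher"], hits))
    return findings
```

Feed it the output of postconf -n parsed into a dict and the relevant mail log to see, first, whether the exclude list is in force at all for the side in question, and second, which sessions negotiated a cipher the policy was meant to rule out.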