On Oct 15, 2013, at 17:18, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Tue, Oct 15, 2013 at 12:21:28PM +0200, Michael Büker wrote:
> 
>>> Oct 15 02:30:04 asterix postfix/smtp[4458]: warning: TLS library problem:
>>> 4458:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>>> number:s3_pkt.c:337:
>>> 
>>> Oct 15 02:30:04 asterix postfix/smtp[4458]: 42E021A0F44: to=<mb@michael-
>>> bueker.de>, relay=smtp-auth.foo.de[999.169.5.134]:587, delay=0.51,
>>> delays=0.08/0.03/0.4/0, dsn=4.4.2, status=deferred (lost connection with
>>> smtp-auth.foo.de[999.169.5.134] while performing the EHLO handshake)
>> 
>> Now, I _think_ the tls_policy entry is correct, because if I set if to 
>> something absurd like "protocols=SSLv2", the connection fails predictably:
> 
> Note the "while performing the EHLO handshake" detail.  This means
> the TLS handshake succeeded, but the subsequent SMTP commands failed
> inside the encrypted channel.  Fortunately, your over-obfuscation
> of the target server left me with only 224 choices of the target
> IP address.  The server in question is a Microsoft Exchange server
> with buggy 3DES ciphersuites (IIRC found in Windows XP, and
> perhaps Windows Server 2003).

Yes, on Windows 2003 Server. It's possible to add the AES ciphersuites 
to Windows 2003 in theory, but it's one of those 'not really supported 
hotfix' type things. When we last tried to get it working for a client 
it simply did not work.

For our particular situation, this provides a workaround for the few 
more months we'll need to support Exchange 2003 on the backend:

smtp_tls_exclude_ciphers = DES-CBC3-SHA

YMMV, of course.

Kind regards,
Joni
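A small check to go with the workaround above (added example, not part of Joni's mail or of Postfix itself): it builds the OpenSSL cipherlist string that an exclusion like smtp_tls_exclude_ciphers = DES-CBC3-SHA produces, then asks the local OpenSSL build which ciphers would actually be offered, so you can confirm that no 3DES suite survives before touching main.cf. The function postfix_exclude_to_openssl is an assumed, simplified model of how Postfix appends "!name" for each excluded cipher; the base cipherlist HIGH:MEDIUM is a constructed stand-in for whatever your smtp_tls_ciphers grade expands to.

```python
import ssl


def postfix_exclude_to_openssl(base_cipherlist, exclude):
    """Model (assumption, simplified) of how Postfix turns an exclude list
    into an OpenSSL cipherlist: every excluded cipher name or alias is
    appended as '!name', which removes it permanently from the list."""
    names = [n for n in exclude.replace(",", " ").split() if n]
    return ":".join([base_cipherlist] + ["!" + n for n in names])


def offered_cipher_names(cipherlist):
    """Ask the local OpenSSL build which ciphers a client context
    would offer for the given cipherlist (TLS 1.3 suites are listed
    too; they are not affected by cipherlist syntax)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipherlist)
    return [c["name"] for c in ctx.get_ciphers()]


def has_3des(cipherlist):
    """True if any offered cipher is a 3DES (DES-CBC3) suite."""
    return any("DES-CBC3" in name for name in offered_cipher_names(cipherlist))


def check_workaround(base_cipherlist="HIGH:MEDIUM", exclude="DES-CBC3-SHA"):
    """Return (cipherlist string, 3DES still offered?) for the workaround."""
    cipherlist = postfix_exclude_to_openssl(base_cipherlist, exclude)
    return cipherlist, has_3des(cipherlist)


if __name__ == "__main__":
    # Constructed base list; replace with the grade your main.cf uses.
    before = has_3des("HIGH:MEDIUM")
    cipherlist, after = check_workaround()
    print("cipherlist sent to OpenSSL:", cipherlist)
    print("3DES offered before exclusion:", before)
    print("3DES offered after exclusion: ", after)
    for name in offered_cipher_names(cipherlist):
        print("  ", name)
```

Whether 3DES shows up before the exclusion depends on the OpenSSL version Python links against (newer builds demote or drop it on their own); after the exclusion it must be absent on every build, which is the property worth checking. Because the exclusion is client-side and cipher-specific, it only removes the suite this particular Exchange 2003 server mishandles and leaves the rest of the negotiation untouched.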
