On Fri, Apr 11, 2014 at 01:30:43PM -0500, Bill Lewis wrote:

> We are encountering problems sending to certain servers that are enforcing
> the renego TLS patch.

What do you mean by "renego TLS patch"? What specific servers?

> Our postfix instances do a TLS negotiation but
> then defer the message with an EHLO handshake error.

What version of OpenSSL are you using? When the TLS handshake fails,
Postfix generally retries in cleartext; why is the mail deferred?
What is your TLS policy for these destinations? Logs?

> Should this be working in Postfix v2.9+?

Postfix does not implement the SSL protocol; that's done by OpenSSL.
If you can get "openssl s_client -starttls smtp -connect host:25" to
work, Postfix will also work (modulo rare cipher-suite list tweaks).
If s_client(1) does not work, Postfix is unlikely to have much more
luck.

> Or is there something we can set to allow this for some domains.

What is "this"?

> Right now, I have used a tls_policy to not do
> any TLS with them to send the mail through but was wondering if there
> is a way to support TLS client-side or if it should be working.

You're using words I know to construct sentences that I cannot
understand. I am afraid you'll need to be much less cryptic.

--
Viktor.