[ExchangeList] Re: Fwd: Postfix/Exchange TLS interoperability

  • From: "Michael B. Smith" <michael@xxxxxxxxxxxx>
  • To: <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 24 Oct 2006 14:55:10 -0400

I've emailed several of the relevant people and asked if the problem is
known and whether there is a fix. I don't know if MS employees currently
monitor this list or not.



Exchange MVP


From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Tuesday, October 24, 2006 2:38 PM
To: exchangelist@xxxxxxxxxxxxx
Cc: wietse@xxxxxxxxxxxxx; Victor.Duchovni@xxxxxxxxxxxxxxxxx;
Subject: [ExchangeList] Fwd: Postfix/Exchange TLS interoperability


Any Microsoft Exchange employees monitoring this list? If so, you may
want to pay attention to this thread:

A preview of the latest response from Wietse...

---------- Forwarded message ----------
From: Wietse Venema 
Date: Oct 24, 2006 2:27 PM 
Subject: Re: Postfix/Exchange TLS interoperability
To: postfix-users@xxxxxxxxxxx

Victor Duchovni:
> On Mon, Oct 23, 2006 at 10:00:50PM -0400, Victor Duchovni wrote: 
> > There was a recent report of interoperability issues between
> > acting as TLS client, and Postfix acting as a TLS server. I have
> > experienced the converse problem, and the packet capture shows
> > breakage on the Exchange side...
> I have found that this happens when the Postfix SMTP client insists on
> "HIGH" grade ciphers, causing Exchange to negotiate DES-CBC3-SHA,
> it then gets wrong.
> When the Postfix SMTP client proposes both "HIGH" and "MEDIUM"
> ciphers (in that order) the Exchange server overrides the client
> preference and elects RC4-MD5, which does not exhibit the problem. 
> So the trick with at least some versions of the Exchange software is
> allow Exchange to select the RC4-MD5 combination despite the fact that
> both are deprecated (RC4 has a poor key-schedule, and MD5 is no longer

> collision resistant).

Is the Postfix default setting OK for Exchange?

- If yes, then we need to add a warning to Postfix documentation
so that people know bad things may happen when they make a change. 

- If no, then we may have ti change the default. The primary purpose
of Postfix is to deliver mail, not to satisfy purists.


Other related posts: