[ExchangeList] Re: Fwd: Postfix/Exchange TLS interoperability

  • From: "Michael B. Smith" <michael@xxxxxxxxxxxx>
  • To: <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 24 Oct 2006 14:55:10 -0400

I've emailed several of the relevant people and asked if the problem is
known and whether there is a fix. I don't know if MS employees currently
monitor this list or not.


Michael

Exchange MVP


From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Tuesday, October 24, 2006 2:38 PM
To: exchangelist@xxxxxxxxxxxxx
Cc: wietse@xxxxxxxxxxxxx; Victor.Duchovni@xxxxxxxxxxxxxxxxx;
Ehloidea@xxxxxxxxxxxxx
Subject: [ExchangeList] Fwd: Postfix/Exchange TLS interoperability


Any Microsoft Exchange employees monitoring this list? If so, you may
want to pay attention to this thread:
<http://archives.neohapsis.com/archives/postfix/2006-10/thread.html#1497>

A preview of the latest response from Wietse...

---------- Forwarded message ----------
From: Wietse Venema 
Date: Oct 24, 2006 2:27 PM 
Subject: Re: Postfix/Exchange TLS interoperability
To: postfix-users@xxxxxxxxxxx

Victor Duchovni:
> On Mon, Oct 23, 2006 at 10:00:50PM -0400, Victor Duchovni wrote:
>
> > There was a recent report of interoperability issues between Exchange
> > acting as TLS client, and Postfix acting as a TLS server. I have just
> > experienced the converse problem, and the packet capture shows severe
> > breakage on the Exchange side...
>
> I have found that this happens when the Postfix SMTP client insists on
> "HIGH" grade ciphers, causing Exchange to negotiate DES-CBC3-SHA, which
> it then gets wrong.
>
> When the Postfix SMTP client proposes both "HIGH" and "MEDIUM" strength
> ciphers (in that order) the Exchange server overrides the client cipher
> preference and elects RC4-MD5, which does not exhibit the problem.
>
> So the trick with at least some versions of the Exchange software is to
> allow Exchange to select the RC4-MD5 combination despite the fact that
> both are deprecated (RC4 has a poor key-schedule, and MD5 is no longer
> collision resistant).

Is the Postfix default setting OK for Exchange?

- If yes, then we need to add a warning to Postfix documentation
so that people know bad things may happen when they make a change. 

- If no, then we may have to change the default. The primary purpose
of Postfix is to deliver mail, not to satisfy purists.

        Wietse
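The cipher-suite selection Victor describes above, modelled as an added example that is not part of the original thread and not code from Postfix or Exchange. The model shows why the outcome flips between the two client configurations: a server that applies its own preference order instead of the client's picks RC4-MD5 as soon as the client offers any MEDIUM suite, and picks DES-CBC3-SHA when only HIGH suites are on offer. The grade membership in `GRADES` (OpenSSL-style, with 3DES as HIGH and RC4 as MEDIUM), the server order in `EXCHANGE_PREFERENCE`, and the set `BROKEN_ON_SERVER` are constructed for the model from the thread's description, not taken from any product.

```python
"""Model of the TLS cipher-suite negotiation discussed in the thread.

Added example; not code from Postfix, Exchange or any list participant.
Assumptions (constructed for the model, not quoted from the thread):
  * GRADES: OpenSSL-style grade membership of the era, in client order;
  * EXCHANGE_PREFERENCE: a server preference list with RC4-MD5 first;
  * BROKEN_ON_SERVER: the suite the thread reports the server gets wrong.
"""

# Client-side grade expansion, in the order the client would offer suites.
GRADES = {
    "HIGH": ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"],
    "MEDIUM": ["RC4-SHA", "RC4-MD5"],
}

# Constructed server preference order (most preferred first).
EXCHANGE_PREFERENCE = [
    "RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "AES128-SHA", "AES256-SHA",
]

# Suite the thread reports as negotiated and then mishandled by the server.
BROKEN_ON_SERVER = {"DES-CBC3-SHA"}


def client_offer(cipherlist):
    """Expand a grade string such as "HIGH:MEDIUM" into the ordered list
    of suites the client advertises, without duplicates."""
    offer = []
    for grade in cipherlist.split(":"):
        if grade not in GRADES:
            raise ValueError(f"unknown cipher grade {grade!r}")
        offer.extend(s for s in GRADES[grade] if s not in offer)
    return offer


def select_cipher(offered, server_preference, honour_client_order):
    """Return the suite a server picks from the client's offer.

    honour_client_order=True: first client suite the server supports wins.
    honour_client_order=False: the server's own order decides, which is the
    behaviour the thread attributes to Exchange. None if nothing overlaps.
    """
    common = [s for s in offered if s in server_preference]
    if not common:
        return None
    if honour_client_order:
        return common[0]
    return min(common, key=server_preference.index)


def negotiate_with_exchange(cipherlist):
    """Return (chosen_suite, delivers) for a client configured with the
    given grade string against the modelled server-preference server."""
    chosen = select_cipher(client_offer(cipherlist), EXCHANGE_PREFERENCE,
                           honour_client_order=False)
    delivers = chosen is not None and chosen not in BROKEN_ON_SERVER
    return chosen, delivers


if __name__ == "__main__":
    for cfg in ("HIGH", "HIGH:MEDIUM"):
        suite, ok = negotiate_with_exchange(cfg)
        state = "mail delivered" if ok else "handshake breaks on server"
        print(f"client offers {cfg:12s} -> server selects {suite:13s} ({state})")
```

Run stand-alone, the script prints one line per configuration; the contrast with `honour_client_order=True` (where the same "HIGH:MEDIUM" offer would yield the client's first choice, AES256-SHA) is what makes the documentation warning Wietse asks for worthwhile: the client's ordering alone does not determine the negotiated suite.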
