I've emailed several of the relevant people and asked if the problem is known and whether there is a fix. I don't know if MS employees currently monitor this list or not.

Michael
Exchange MVP

From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Tuesday, October 24, 2006 2:38 PM
To: exchangelist@xxxxxxxxxxxxx
Cc: wietse@xxxxxxxxxxxxx; Victor.Duchovni@xxxxxxxxxxxxxxxxx; Ehloidea@xxxxxxxxxxxxx
Subject: [ExchangeList] Fwd: Postfix/Exchange TLS interoperability

Any Microsoft Exchange employees monitoring this list? If so, you may want to pay attention to this thread:

<http://archives.neohapsis.com/archives/postfix/2006-10/thread.html#1497>

A preview of the latest response from Wietse...

---------- Forwarded message ----------
From: Wietse Venema
Date: Oct 24, 2006 2:27 PM
Subject: Re: Postfix/Exchange TLS interoperability
To: postfix-users@xxxxxxxxxxx

Victor Duchovni:
> On Mon, Oct 23, 2006 at 10:00:50PM -0400, Victor Duchovni wrote:
>
> > There was a recent report of interoperability issues between Exchange
> > acting as TLS client, and Postfix acting as a TLS server. I have just
> > experienced the converse problem, and the packet capture shows severe
> > breakage on the Exchange side...
>
> I have found that this happens when the Postfix SMTP client insists on
> "HIGH" grade ciphers, causing Exchange to negotiate DES-CBC3-SHA, which
> it then gets wrong.
>
> When the Postfix SMTP client proposes both "HIGH" and "MEDIUM" strength
> ciphers (in that order) the Exchange server overrides the client cipher
> preference and elects RC4-MD5, which does not exhibit the problem.
>
> So the trick with at least some versions of the Exchange software is to
> allow Exchange to select the RC4-MD5 combination despite the fact that
> both are deprecated (RC4 has a poor key-schedule, and MD5 is no longer
> collision resistant).

Is the Postfix default setting OK for Exchange?

- If yes, then we need to add a warning to Postfix documentation so that
  people know bad things may happen when they make a change.

- If no, then we may have to change the default.

The primary purpose of Postfix is to deliver mail, not to satisfy purists.

	Wietse
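If you relax the cipher grade as Victor describes, the practical follow-up question for a mail admin is: which peers are actually ending up on RC4-MD5 or DES-CBC3-SHA, and how often? The script below is an added example (not part of this thread, and not Postfix's own code) that answers that from the mail log. It parses the "TLS connection established" lines that the Postfix smtp and smtpd daemons write, flags sessions whose negotiated suite names a deprecated primitive (RC4, MD5, DES, export or NULL ciphers), and tallies suites per remote host. The sample log lines are constructed; their layout is modelled on the Postfix message format quoted in the regex, but the hostnames, addresses and PIDs are made up, and the exact wording may differ across Postfix versions.

```python
import re
from collections import Counter

# Constructed sample log lines (hosts, addresses and PIDs are invented),
# modelled on Postfix's "TLS connection established" messages.
SAMPLE_LOG = """\
Oct 24 14:27:01 mx1 postfix/smtp[4711]: Untrusted TLS connection established to exchange.example.net[192.0.2.10]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Oct 24 14:27:05 mx1 postfix/smtp[4712]: Untrusted TLS connection established to exchange.example.net[192.0.2.10]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Oct 24 14:27:09 mx1 postfix/smtp[4713]: Trusted TLS connection established to mail.example.org[198.51.100.7]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Oct 24 14:27:12 mx1 postfix/smtp[4714]: lost connection with exchange.example.net[192.0.2.10] while sending end of data -- message may be sent more than once
Oct 24 14:27:20 mx1 postfix/smtpd[4720]: Anonymous TLS connection established from client.example.com[203.0.113.5]: TLSv1 with cipher AES128-SHA (128/128 bits)
"""

# Matches both the SMTP client ("to host[addr]:port") and the SMTP server
# ("from host[addr]") variants of the line. The trust-level prefix is optional.
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?:(?:Anonymous|Untrusted|Trusted|Verified) )?TLS connection established "
    r"(?P<direction>to|from) (?P<peer>\S+?)(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)

# Substrings of OpenSSL suite names that indicate a deprecated primitive.
# "DES" also catches DES-CBC3-SHA (3DES); "EXP" catches export-grade suites.
WEAK_MARKERS = ("RC4", "MD5", "DES", "EXP", "NULL")


def weak_reasons(cipher):
    """Return the markers that make a cipher suite name suspicious (empty if none)."""
    return [m for m in WEAK_MARKERS if m in cipher.upper()]


def parse_tls_lines(log_text):
    """Yield one dict (daemon, direction, peer, proto, cipher, bits, algbits) per TLS line."""
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            yield m.groupdict()


def weak_cipher_sessions(log_text):
    """Return the TLS sessions whose negotiated suite uses a deprecated primitive."""
    return [s for s in parse_tls_lines(log_text) if weak_reasons(s["cipher"])]


def cipher_summary_by_peer(log_text):
    """Count negotiated suites per remote hostname, to spot peers that only ever pick RC4-MD5 or 3DES."""
    summary = {}
    for s in parse_tls_lines(log_text):
        host = s["peer"].split("[", 1)[0]  # strip the "[addr]" part
        summary.setdefault(host, Counter())[s["cipher"]] += 1
    return summary


if __name__ == "__main__":
    for s in weak_cipher_sessions(SAMPLE_LOG):
        reasons = ", ".join(weak_reasons(s["cipher"]))
        print(f"weak suite {s['direction']} {s['peer']}: {s['cipher']} ({reasons})")
    for host, counts in cipher_summary_by_peer(SAMPLE_LOG).items():
        print(host, dict(counts))
```

Feed it a real mail log in place of SAMPLE_LOG and the per-host summary shows whether the RC4-MD5 fallback is confined to the Exchange peers that need it or has spread to hosts that would happily negotiate an AES suite.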