See http://www.ietf.org/rfc/rfc2246.txt for the TLS RFC

Brief background on how this works from the RFC.

Example scenario:

Customer needs to enforce TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite while sending to FOPE or some comparable all 256 bit level suite for both symmetric and hashing algorithms.

Sending a cipher suite list in the Client Hello message with the following:

TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256

Would result in TLS_RSA_WITH_AES_128_CBC_SHA being the agreed upon cipher by the Server.  The reason behind this is that the TLS spec does not say that it has to use the highest available encryption algorithm or that the server must honor the client's preference if it does have that cipher suite available.

When a Windows server receives the Hello message it goes down the Cipher Suite list that Schannel supports on the system and picks the first one on the server that matches up to one that is available in the Client Hello message.  When looking at http://msdn.microsoft.com/en-us/library/aa374757(VS.85).aspx the first match on the cipher suite list order for 2008 is TLS_RSA_WITH_AES_128_CBC_SHA so when it compares this entry to the Client Hello cipher suite list it will find a match and present this to the client as the agreed upon cipher suite to proceed with.

This presents a quandary to a system that examines the session afterwards and requires a certain level or type of suite to be agreed on for the exchange.  Cipher list suites could be changed on the server to change the higher level suites to be higher on the list however from a performance perspective you typically want the more commonly used suites to be closer to the top of the order.

So in order to remedy and indeed "force" a specific level or specific cipher suite then the sending server must dictate which cipher suites are acceptable to it as the server side must be able to accept many different cipher suite levels in order to accommodate all the various different SMTP servers that send to it.

Limiting Ciphersuites used by Sendmail

Limiting Ciphersuites used by Postfix

Limiting Ciphersuites used for Schannel (i.e. Windows SMTP service, Exchange)