Prereq: "2.7.8"
diff -cr --new-file /var/tmp/postfix-2.7.8/src/global/mail_version.h ./src/global/mail_version.h
*** /var/tmp/postfix-2.7.8/src/global/mail_version.h Sat Feb 4 20:35:33 2012
--- ./src/global/mail_version.h Tue Apr 24 13:48:17 2012
***************
*** 20,27 ****
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. */
! #define MAIL_RELEASE_DATE "20120204"
! #define MAIL_VERSION_NUMBER "2.7.8"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
--- 20,27 ----
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. */
! #define MAIL_RELEASE_DATE "20120424"
! #define MAIL_VERSION_NUMBER "2.7.9"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -cr --new-file /var/tmp/postfix-2.7.8/HISTORY ./HISTORY
*** /var/tmp/postfix-2.7.8/HISTORY Sat Feb 4 16:58:11 2012
--- ./HISTORY Tue Apr 24 13:56:45 2012
***************
*** 16020,16022 ****
--- 16020,16043 ----
could match a shorter one, because a length check was done on the wrong string. Reported by Vladimir Vassiliev. File: cleanup/cleanup_milter.c.
+
+ 20120214
+
+ Bugfix (introduced: Postfix 2.4): extraneous null assignment
+ caused core dump when postlog emitted the "usage" message.
+ Reported by Kant (fnord.hammer). File: postlog/postlog.c.
+
+ 20120401
+
+ Bitrot: shut up useless warnings about Cyrus SASL call-back
+ function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h,
+ xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c.
+
+ 20120422
+
+ Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the
+ known TLS protocol list so that protocols can be turned off
+ selectively to work around implementation bugs. Based on
+ a patch by Victor Duchovni. Files: proto/TLS_README.html,
+ proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c,
+ tls/tls_server.c.
diff -cr --new-file /var/tmp/postfix-2.7.8/README_FILES/TLS_README ./README_FILES/TLS_README *** /var/tmp/postfix-2.7.8/README_FILES/TLS_README Thu Jan 28 19:50:29 2010 --- ./README_FILES/TLS_README Tue Apr 24 15:20:38 2012 *************** *** 537,547 **** control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export". ! With mandatory TLS encryption, the Postfix SMTP server will by default only use ! SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The ! mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols ! configuration parameter. The corresponding smtpd_tls_protocols parameter ! (Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS. For a server that is not a public Internet MX host, Postfix (>= 2.3) supports configurations with no server certificates that use oonnllyy the anonymous ciphers. --- 537,553 ---- control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export". ! With mandatory TLS encryption, the Postfix SMTP server will by default disable ! SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS ! protocol list is specified via the smtpd_tls_mandatory_protocols configuration ! parameter. The corresponding smtpd_tls_protocols parameter (Postfix >= 2.6) ! controls the SSL/TLS protocols used with opportunistic TLS. ! ! Note that the OpenSSL library only supports protocol exclusion (not inclusion). ! For this reason, Postfix can exclude only protocols that are known at the time ! the Postfix software is written. If new protocols are added to the OpenSSL ! library, they cannot be excluded without corresponding changes to the Postfix ! source code. For a server that is not a public Internet MX host, Postfix (>= 2.3) supports configurations with no server certificates that use oonnllyy the anonymous ciphers. 
*************** *** 556,564 **** smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! smtpd_tls_mandatory_protocols = TLSv1 ! # Also available with Postfix >= 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 If you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH) key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead --- 562,571 ---- smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! # Preferred form with Postfix >= 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtpd_tls_mandatory_protocols = TLSv1 If you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH) key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead *************** *** 1009,1017 **** Examples: In the example below, traffic to example.com and its sub-domains via the ! corresponding MX hosts always uses TLS. The protocol version will be "SSLv3" or ! "TLSv1" (the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). ! Only high or medium strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions. /etc/postfix/main.cf: --- 1016,1024 ---- Examples: In the example below, traffic to example.com and its sub-domains via the ! corresponding MX hosts always uses TLS. The SSLv2 protocol will be disabled ! (the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). Only ! high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions. /etc/postfix/main.cf: *************** *** 1675,1685 **** control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export". ! With mandatory TLS encryption, the Postfix SMTP client will by default only use ! SSLv3 or TLSv1. 
SSLv2 is only used when TLS encryption is optional. The ! mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols ! configuration parameter. The corresponding smtp_tls_protocols parameter ! (Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS. Example: --- 1682,1692 ---- control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export". ! With mandatory TLS encryption, the Postfix SMTP client will by default disable ! SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS ! protocol list is specified via the smtp_tls_mandatory_protocols configuration ! parameter. The corresponding smtp_tls_protocols parameter (Postfix >= 2.6) ! controls the SSL/TLS protocols used with opportunistic TLS. Example: *************** *** 1687,1695 **** smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! smtp_tls_mandatory_protocols = SSLv3, TLSv1 ! # Also available with Postfix >= 2.5: smtp_tls_mandatory_protocols = !SSLv2 # Also available with Postfix >= 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 --- 1694,1703 ---- smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! # Preferred form with Postfix >= 2.5: smtp_tls_mandatory_protocols = !SSLv2 + # Alternative form. + smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Also available with Postfix >= 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 diff -cr --new-file /var/tmp/postfix-2.7.8/RELEASE_NOTES ./RELEASE_NOTES *** /var/tmp/postfix-2.7.8/RELEASE_NOTES Tue Nov 23 13:53:31 2010 --- ./RELEASE_NOTES Tue Apr 24 15:58:33 2012 *************** *** 14,19 **** --- 14,56 ---- If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6 before proceeding. 
+ Major changes with Postfix 2.7.9
+ --------------------------------
+
+ This release adds support to turn off the TLSv1.1 and TLSv1.2
+ protocols. Introduced with OpenSSL version 1.0.1, these are known
+ to cause inter-operability problems with for example hotmail.
+
+ The radical workaround is to temporarily turn off problematic
+ protocols globally:
+
+ /etc/postfix/main.cf:
+ smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+ smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+ smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+ smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+ However, it may be better to temporarily turn off problematic
+ protocols for broken sites only:
+
+ /etc/postfix/main.cf:
+ smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+
+ /etc/postfix/tls_policy:
+ example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
+
+ Important:
+
+ - Note the use of ":" instead of comma or space. Also, note that
+ there is NO space around the "=" in "protocols=".
+
+ - The smtp_tls_policy_maps lookup key must match the "next-hop"
+ destination that is given to the Postfix SMTP client. If you
+ override the next-hop destination with transport_maps, relayhost,
+ sender_dependent_relayhost_maps, or otherwise, you need to specify
+ the same destination for the smtp_tls_policy_maps lookup key.
+
Incompatibility with Postfix 2.7.2 ----------------------------------
diff -cr --new-file /var/tmp/postfix-2.7.8/html/TLS_README.html ./html/TLS_README.html
*** /var/tmp/postfix-2.7.8/html/TLS_README.html Thu Jan 28 19:50:27 2010
--- ./html/TLS_README.html Tue Apr 24 15:20:36 2012
***************
*** 785,796 ****
"export".

With mandatory TLS encryption, the Postfix SMTP server will by ! default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.

For a server that is not a public Internet MX host, Postfix (≥ 2.3) supports configurations with no server certificates that use only the anonymous ciphers. This is --- 785,802 ---- "export".

With mandatory TLS encryption, the Postfix SMTP server will by ! default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.

+

Note that the OpenSSL library only supports protocol exclusion + (not inclusion). For this reason, Postfix can exclude only protocols + that are known at the time the Postfix software is written. If new + protocols are added to the OpenSSL library, they cannot be excluded + without corresponding changes to the Postfix source code.

+

For a server that is not a public Internet MX host, Postfix (≥ 2.3) supports configurations with no server certificates that use only the anonymous ciphers. This is *************** *** 808,816 **** smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! smtpd_tls_mandatory_protocols = TLSv1 ! # Also available with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 --- 814,823 ---- smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! # Preferred form with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtpd_tls_mandatory_protocols = TLSv1 *************** *** 1407,1415 ****

Examples:

In the example below, traffic to example.com and its sub-domains ! via the corresponding MX hosts always uses TLS. The protocol version will be ! "SSLv3" or "TLSv1" (the default setting of smtp_tls_mandatory_protocols ! excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.

--- 1414,1422 ----

Examples:

In the example below, traffic to example.com and its sub-domains ! via the corresponding MX hosts always uses TLS. The SSLv2 protocol ! will be disabled (the default setting of smtp_tls_mandatory_protocols ! excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.

*************** *** 2258,2264 **** "export".

With mandatory TLS encryption, the Postfix SMTP client will by ! default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls --- 2265,2271 ---- "export".

With mandatory TLS encryption, the Postfix SMTP client will by ! default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls *************** *** 2272,2280 **** smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! smtp_tls_mandatory_protocols = SSLv3, TLSv1 ! # Also available with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 --- 2279,2288 ---- smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! # Preferred form with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 + # Alternative form. + smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 diff -cr --new-file /var/tmp/postfix-2.7.8/html/lmtp.8.html ./html/lmtp.8.html *** /var/tmp/postfix-2.7.8/html/lmtp.8.html Sun Nov 15 09:24:51 2009 --- ./html/lmtp.8.html Tue Apr 24 15:29:58 2012 *************** *** 450,456 **** non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. ! smtp_tls_mandatory_protocols (SSLv3, TLSv1) List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. --- 450,456 ---- non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. ! smtp_tls_mandatory_protocols (!SSLv2) List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. diff -cr --new-file /var/tmp/postfix-2.7.8/html/postconf.5.html ./html/postconf.5.html *** /var/tmp/postfix-2.7.8/html/postconf.5.html Tue Jun 15 18:19:06 2010 --- ./html/postconf.5.html Tue Apr 24 15:20:37 2012 *************** *** 4534,4540 ****

lmtp_tls_mandatory_protocols ! (default: SSLv3, TLSv1)

The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.

--- 4534,4540 ----
lmtp_tls_mandatory_protocols ! (default: !SSLv2)

The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.

*************** *** 9698,9704 ****
smtp_tls_mandatory_protocols ! (default: SSLv3, TLSv1)

List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by --- 9698,9704 ----

smtp_tls_mandatory_protocols ! (default: !SSLv2)

List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by *************** *** 9707,9718 **** empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported; use the form you find more intuitive.

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by --- 9707,9725 ---- empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. !

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by *************** *** 9725,9733 ****

Example:

! smtp_tls_mandatory_protocols = TLSv1
! # Alternative form with Postfix ≥ 2.5:
  smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
  

This feature is available in Postfix 2.3 and later.

--- 9732,9741 ----

Example:

! # Preferred form with Postfix ≥ 2.5:
  smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+ # Alternative form.
+ smtp_tls_mandatory_protocols = TLSv1
  

This feature is available in Postfix 2.3 and later.

*************** *** 9983,9996 **** protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax.

Example:

--- 9991,10008 ----
  protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3"
  and "TLSv1". 

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix.

Example:

***************
*** 13244,13250 ****
  
smtpd_tls_mandatory_protocols ! (default: SSLv3, TLSv1)

The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all --- 13256,13262 ----

smtpd_tls_mandatory_protocols ! (default: !SSLv2)

The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all *************** *** 13253,13264 **** names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported, use the form you find more intuitive.

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that --- 13265,13283 ---- names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. !

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that *************** *** 13292,13305 **** "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute values are separated by a colon.

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax.

Example:

--- 13311,13328 ----
  "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
  values are separated by a colon. 

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix.

Example:

diff -cr --new-file /var/tmp/postfix-2.7.8/html/smtp.8.html ./html/smtp.8.html
*** /var/tmp/postfix-2.7.8/html/smtp.8.html	Sun Nov 15 09:24:51 2009
--- ./html/smtp.8.html	Tue Apr 24 15:29:58 2012
***************
*** 450,456 ****
                non-empty value is specified,  this  overrides  the
                obsolete smtp_tls_per_site parameter.
  
!        smtp_tls_mandatory_protocols (SSLv3, TLSv1)
                List  of  SSL/TLS  protocols  that the Postfix SMTP
                client will use with mandatory TLS encryption.
  
--- 450,456 ----
                non-empty value is specified,  this  overrides  the
                obsolete smtp_tls_per_site parameter.
  
!        smtp_tls_mandatory_protocols (!SSLv2)
                List  of  SSL/TLS  protocols  that the Postfix SMTP
                client will use with mandatory TLS encryption.
  
diff -cr --new-file /var/tmp/postfix-2.7.8/html/smtpd.8.html ./html/smtpd.8.html
*** /var/tmp/postfix-2.7.8/html/smtpd.8.html	Wed Jun 15 16:47:56 2011
--- ./html/smtpd.8.html	Tue Apr 24 15:20:38 2012
***************
*** 462,468 ****
                exclude from the SMTP server cipher list at  manda-
                tory TLS security levels.
  
!        smtpd_tls_mandatory_protocols (SSLv3, TLSv1)
                The  SSL/TLS protocols accepted by the Postfix SMTP
                server with mandatory TLS encryption.
  
--- 462,468 ----
                exclude from the SMTP server cipher list at  manda-
                tory TLS security levels.
  
!        smtpd_tls_mandatory_protocols (!SSLv2)
                The  SSL/TLS protocols accepted by the Postfix SMTP
                server with mandatory TLS encryption.
  
diff -cr --new-file /var/tmp/postfix-2.7.8/man/man5/postconf.5 ./man/man5/postconf.5
*** /var/tmp/postfix-2.7.8/man/man5/postconf.5	Tue Jun 15 18:19:06 2010
--- ./man/man5/postconf.5	Tue Apr 24 15:20:38 2012
***************
*** 2461,2467 ****
  configuration parameter.  See there for details.
  .PP
  This feature is available in Postfix 2.3 and later.
! .SH lmtp_tls_mandatory_protocols (default: SSLv3, TLSv1)
  The LMTP-specific version of the smtp_tls_mandatory_protocols
  configuration parameter. See there for details.
  .PP
--- 2461,2467 ----
  configuration parameter.  See there for details.
  .PP
  This feature is available in Postfix 2.3 and later.
! .SH lmtp_tls_mandatory_protocols (default: !SSLv2)
  The LMTP-specific version of the smtp_tls_mandatory_protocols
  configuration parameter. See there for details.
  .PP
***************
*** 5718,5724 ****
  attribute. See smtp_tls_policy_maps for notes and examples.
  .PP
  This feature is available in Postfix 2.3 and later.
! .SH smtp_tls_mandatory_protocols (default: SSLv3, TLSv1)
  List of SSL/TLS protocols that the Postfix SMTP client will use with
  mandatory TLS encryption.  In main.cf the values are separated by
  whitespace, commas or colons. In the policy table "protocols" attribute
--- 5718,5724 ----
  attribute. See smtp_tls_policy_maps for notes and examples.
  .PP
  This feature is available in Postfix 2.3 and later.
! .SH smtp_tls_mandatory_protocols (default: !SSLv2)
  List of SSL/TLS protocols that the Postfix SMTP client will use with
  mandatory TLS encryption.  In main.cf the values are separated by
  whitespace, commas or colons. In the policy table "protocols" attribute
***************
*** 5726,5737 ****
  empty value means allow all protocols. The valid protocol names, (see
  \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1".
  .PP
  With Postfix >= 2.5 the parameter syntax is expanded to support
  protocol exclusions. One can now explicitly exclude SSLv2 by setting
  "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
  SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
! the protocols to include, rather than protocols to exclude, is still
! supported; use the form you find more intuitive.
  .PP
  Since SSL version 2 has known protocol weaknesses and is now
  deprecated, the default setting excludes "SSLv2".  This means that by
--- 5726,5743 ----
  empty value means allow all protocols. The valid protocol names, (see
  \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1".
  .PP
+ Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+ and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+ 1.0.1 or later, these, or any other new protocol versions, are
+ unconditionally enabled.
+ .PP
  With Postfix >= 2.5 the parameter syntax is expanded to support
  protocol exclusions. One can now explicitly exclude SSLv2 by setting
  "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
  SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
! the protocols to include, rather than protocols to exclude, is
! supported, but not recommended. The exclusion form more closely
! matches the behaviour when the OpenSSL library is newer than Postfix.
  .PP
  Since SSL version 2 has known protocol weaknesses and is now
  deprecated, the default setting excludes "SSLv2".  This means that by
***************
*** 5746,5754 ****
  .nf
  .na
  .ft C
! smtp_tls_mandatory_protocols = TLSv1
! # Alternative form with Postfix >= 2.5:
  smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
  .fi
  .ad
  .ft R
--- 5752,5761 ----
  .nf
  .na
  .ft C
! # Preferred form with Postfix >= 2.5:
  smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+ # Alternative form.
+ smtp_tls_mandatory_protocols = TLSv1
  .fi
  .ad
  .ft R
***************
*** 5981,5994 ****
  protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3"
  and "TLSv1".
  .PP
  To include a protocol list its name, to exclude it, prefix the name
  with a "!" character. To exclude SSLv2 even for opportunistic TLS set
  "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
  "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
! include, is supported, but not recommended. OpenSSL provides no mechanisms
! for excluding protocols not known at compile-time. If Postfix is linked
! against an OpenSSL library that supports additional protocol versions,
! they cannot be excluded using either syntax.
  .PP
  Example:
  .nf
--- 5988,6005 ----
  protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3"
  and "TLSv1".
  .PP
+ Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+ and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+ 1.0.1 or later, these, or any other new protocol versions, are
+ unconditionally enabled.
+ .PP
  To include a protocol list its name, to exclude it, prefix the name
  with a "!" character. To exclude SSLv2 even for opportunistic TLS set
  "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
  "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
! include, rather than protocols to exclude, is supported, but not
! recommended.  The exclusion form more closely matches the behaviour
! when the OpenSSL library is newer than Postfix.
  .PP
  Example:
  .nf
***************
*** 8386,8392 ****
  (see there for syntax details).
  .PP
  This feature is available in Postfix 2.3 and later.
! .SH smtpd_tls_mandatory_protocols (default: SSLv3, TLSv1)
  The SSL/TLS protocols accepted by the Postfix SMTP server with
  mandatory TLS encryption. If the list is empty, the server supports all
  available SSL/TLS protocol versions.  A non-empty value is a list
--- 8397,8403 ----
  (see there for syntax details).
  .PP
  This feature is available in Postfix 2.3 and later.
! .SH smtpd_tls_mandatory_protocols (default: !SSLv2)
  The SSL/TLS protocols accepted by the Postfix SMTP server with
  mandatory TLS encryption. If the list is empty, the server supports all
  available SSL/TLS protocol versions.  A non-empty value is a list
***************
*** 8394,8405 ****
  names separated by whitespace, commas or colons. The supported protocol
  names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
  .PP
  With Postfix >= 2.5 the parameter syntax is expanded to support
  protocol exclusions. One can now explicitly exclude SSLv2 by setting
  "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
  SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
! the protocols to include, rather than protocols to exclude, is still
! supported, use the form you find more intuitive.
  .PP
  Since SSL version 2 has known protocol weaknesses and is now
  deprecated, the default setting excludes "SSLv2".  This means that
--- 8405,8422 ----
  names separated by whitespace, commas or colons. The supported protocol
  names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
  .PP
+ Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+ and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+ 1.0.1 or later, these, or any other new protocol versions, are
+ unconditionally enabled.
+ .PP
  With Postfix >= 2.5 the parameter syntax is expanded to support
  protocol exclusions. One can now explicitly exclude SSLv2 by setting
  "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
  SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
! the protocols to include, rather than protocols to exclude, is
! supported, but not recommended. The exclusion form more closely
! matches the behaviour when the OpenSSL library is newer than Postfix.
  .PP
  Since SSL version 2 has known protocol weaknesses and is now
  deprecated, the default setting excludes "SSLv2".  This means that
***************
*** 8431,8444 ****
  "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
  values are separated by a colon.
  .PP
  To include a protocol list its name, to exclude it, prefix the name
  with a "!" character. To exclude SSLv2 even for opportunistic TLS set
  "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
  "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
! include, is supported, but not recommended. OpenSSL provides no mechanisms
! for excluding protocols not known at compile-time. If Postfix is linked
! against an OpenSSL library that supports additional protocol versions,
! they cannot be excluded using either syntax.
  .PP
  Example:
  .nf
--- 8448,8465 ----
  "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
  values are separated by a colon.
  .PP
+ Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+ and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+ 1.0.1 or later, these, or any other new protocol versions, are
+ unconditionally enabled.
+ .PP
  To include a protocol list its name, to exclude it, prefix the name
  with a "!" character. To exclude SSLv2 even for opportunistic TLS set
  "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
  "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
! include, rather than protocols to exclude, is supported, but not
! recommended.  The exclusion form more closely matches the behaviour
! when the OpenSSL library is newer than Postfix.
  .PP
  Example:
  .nf
diff -cr --new-file /var/tmp/postfix-2.7.8/man/man8/smtp.8 ./man/man8/smtp.8
*** /var/tmp/postfix-2.7.8/man/man8/smtp.8	Sun Nov 15 09:24:50 2009
--- ./man/man8/smtp.8	Tue Apr 24 15:29:58 2012
***************
*** 374,380 ****
  Optional lookup tables with the Postfix SMTP client TLS security
  policy by next-hop destination; when a non-empty value is specified,
  this overrides the obsolete smtp_tls_per_site parameter.
! .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
  List of SSL/TLS protocols that the Postfix SMTP client will use with
  mandatory TLS encryption.
  .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
--- 374,380 ----
  Optional lookup tables with the Postfix SMTP client TLS security
  policy by next-hop destination; when a non-empty value is specified,
  this overrides the obsolete smtp_tls_per_site parameter.
! .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
  List of SSL/TLS protocols that the Postfix SMTP client will use with
  mandatory TLS encryption.
  .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
diff -cr --new-file /var/tmp/postfix-2.7.8/man/man8/smtpd.8 ./man/man8/smtpd.8
*** /var/tmp/postfix-2.7.8/man/man8/smtpd.8	Wed Jun 15 16:47:55 2011
--- ./man/man8/smtpd.8	Tue Apr 24 15:20:38 2012
***************
*** 389,395 ****
  .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
  Additional list of ciphers or cipher types to exclude from the
  SMTP server cipher list at mandatory TLS security levels.
! .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
  The SSL/TLS protocols accepted by the Postfix SMTP server with
  mandatory TLS encryption.
  .IP "\fBsmtpd_tls_received_header (no)\fR"
--- 389,395 ----
  .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
  Additional list of ciphers or cipher types to exclude from the
  SMTP server cipher list at mandatory TLS security levels.
! .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
  The SSL/TLS protocols accepted by the Postfix SMTP server with
  mandatory TLS encryption.
  .IP "\fBsmtpd_tls_received_header (no)\fR"
diff -cr --new-file /var/tmp/postfix-2.7.8/proto/TLS_README.html ./proto/TLS_README.html
*** /var/tmp/postfix-2.7.8/proto/TLS_README.html	Thu Jan 28 19:47:25 2010
--- ./proto/TLS_README.html	Tue Apr 24 13:47:25 2012
***************
*** 785,796 ****
  "export". 

With mandatory TLS encryption, the Postfix SMTP server will by ! default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.

For a server that is not a public Internet MX host, Postfix (≥ 2.3) supports configurations with no server certificates that use only the anonymous ciphers. This is --- 785,802 ---- "export".

With mandatory TLS encryption, the Postfix SMTP server will by ! default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.

+

Note that the OpenSSL library only supports protocol exclusion + (not inclusion). For this reason, Postfix can exclude only protocols + that are known at the time the Postfix software is written. If new + protocols are added to the OpenSSL library, they cannot be excluded + without corresponding changes to the Postfix source code.

+

For a server that is not a public Internet MX host, Postfix (≥ 2.3) supports configurations with no server certificates that use only the anonymous ciphers. This is *************** *** 808,816 **** smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! smtpd_tls_mandatory_protocols = TLSv1 ! # Also available with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

--- 814,823 ---- smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! # Preferred form with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtpd_tls_mandatory_protocols = TLSv1
*************** *** 1407,1415 ****

Examples:

In the example below, traffic to example.com and its sub-domains ! via the corresponding MX hosts always uses TLS. The protocol version will be ! "SSLv3" or "TLSv1" (the default setting of smtp_tls_mandatory_protocols ! excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.

--- 1414,1422 ----

Examples:

In the example below, traffic to example.com and its sub-domains ! via the corresponding MX hosts always uses TLS. The SSLv2 protocol ! will be disabled (the default setting of smtp_tls_mandatory_protocols ! excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.

*************** *** 2258,2264 **** "export".

With mandatory TLS encryption, the Postfix SMTP client will by ! default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls --- 2265,2271 ---- "export".

With mandatory TLS encryption, the Postfix SMTP client will by ! default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls *************** *** 2272,2280 **** smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! smtp_tls_mandatory_protocols = SSLv3, TLSv1 ! # Also available with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 --- 2279,2288 ---- smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! # Preferred form with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 + # Alternative form. + smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 diff -cr --new-file /var/tmp/postfix-2.7.8/proto/postconf.proto ./proto/postconf.proto *** /var/tmp/postfix-2.7.8/proto/postconf.proto Tue Jun 15 18:18:48 2010 --- ./proto/postconf.proto Tue Apr 24 13:47:25 2012 *************** *** 10267,10273 ****

This feature is available in Postfix 2.3 and later.

! %PARAM smtp_tls_mandatory_protocols SSLv3, TLSv1

List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by --- 10267,10273 ----

This feature is available in Postfix 2.3 and later.

! %PARAM smtp_tls_mandatory_protocols !SSLv2

List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by *************** *** 10276,10287 **** empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported; use the form you find more intuitive.

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by --- 10276,10294 ---- empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. !

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by *************** *** 10294,10302 ****

Example:

! smtp_tls_mandatory_protocols = TLSv1
! # Alternative form with Postfix ≥ 2.5:
  smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
  

This feature is available in Postfix 2.3 and later.

--- 10301,10310 ----

Example:

! # Preferred form with Postfix ≥ 2.5:
  smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+ # Alternative form.
+ smtp_tls_mandatory_protocols = TLSv1
  

This feature is available in Postfix 2.3 and later.

*************** *** 10424,10430 ****

This feature is available in Postfix 2.3 and later.

! %PARAM lmtp_tls_mandatory_protocols SSLv3, TLSv1

The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.

--- 10432,10438 ----

This feature is available in Postfix 2.3 and later.

! %PARAM lmtp_tls_mandatory_protocols !SSLv2

The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.

*************** *** 10445,10451 ****

This feature is available in Postfix 2.3 and later.

! %PARAM smtpd_tls_mandatory_protocols SSLv3, TLSv1

The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all --- 10453,10459 ----

This feature is available in Postfix 2.3 and later.

! %PARAM smtpd_tls_mandatory_protocols !SSLv2

The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all *************** *** 10454,10465 **** names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported, use the form you find more intuitive.

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that --- 10462,10480 ---- names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. !

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that *************** *** 11468,11481 **** protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax.

Example:

--- 11483,11500 ----
  protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3"
  and "TLSv1". 

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix.

Example:

***************
*** 11498,11511 ****
  "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
  values are separated by a colon. 

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax.

Example:

--- 11517,11534 ----
  "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
  values are separated by a colon. 

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix.

Example:

diff -cr --new-file /var/tmp/postfix-2.7.8/src/global/mail_params.h ./src/global/mail_params.h
*** /var/tmp/postfix-2.7.8/src/global/mail_params.h	Sun Jun 13 15:20:42 2010
--- ./src/global/mail_params.h	Tue Apr 24 13:47:25 2012
***************
*** 1239,1245 ****
  extern char *var_smtpd_tls_proto;
  
  #define VAR_SMTPD_TLS_MAND_PROTO	"smtpd_tls_mandatory_protocols"
! #define DEF_SMTPD_TLS_MAND_PROTO	"SSLv3, TLSv1"
  extern char *var_smtpd_tls_mand_proto;
  
  #define VAR_SMTPD_TLS_CIPH	"smtpd_tls_ciphers"
--- 1239,1245 ----
  extern char *var_smtpd_tls_proto;
  
  #define VAR_SMTPD_TLS_MAND_PROTO	"smtpd_tls_mandatory_protocols"
! #define DEF_SMTPD_TLS_MAND_PROTO	"!SSLv2"
  extern char *var_smtpd_tls_mand_proto;
  
  #define VAR_SMTPD_TLS_CIPH	"smtpd_tls_ciphers"
***************
*** 1456,1464 ****
  extern char *var_smtp_tls_proto;
  
  #define VAR_SMTP_TLS_MAND_PROTO	"smtp_tls_mandatory_protocols"
! #define DEF_SMTP_TLS_MAND_PROTO	"SSLv3, TLSv1"
  #define VAR_LMTP_TLS_MAND_PROTO	"lmtp_tls_mandatory_protocols"
! #define DEF_LMTP_TLS_MAND_PROTO	"SSLv3, TLSv1"
  extern char *var_smtp_tls_mand_proto;
  
  #define VAR_SMTP_TLS_VFY_CMATCH	"smtp_tls_verify_cert_match"
--- 1456,1464 ----
  extern char *var_smtp_tls_proto;
  
  #define VAR_SMTP_TLS_MAND_PROTO	"smtp_tls_mandatory_protocols"
! #define DEF_SMTP_TLS_MAND_PROTO	"!SSLv2"
  #define VAR_LMTP_TLS_MAND_PROTO	"lmtp_tls_mandatory_protocols"
! #define DEF_LMTP_TLS_MAND_PROTO	"!SSLv2"
  extern char *var_smtp_tls_mand_proto;
  
  #define VAR_SMTP_TLS_VFY_CMATCH	"smtp_tls_verify_cert_match"
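Review bot: The new `!SSLv2` value for `DEF_SMTP_TLS_MAND_PROTO` and `DEF_LMTP_TLS_MAND_PROTO` still leaves SSLv3 enabled for mandatory TLS, and nothing in this header records that the switch from a closed list to an open exclusion is deliberate. Where `SSLv3, TLSv1` admitted exactly two protocols, `!SSLv2` admits SSLv3, TLSv1 and whatever else the linked OpenSSL offers, so a site that wants TLS-only mandatory sessions now has to set `!SSLv2, !SSLv3` itself. A comment above the two defines such as `/* Exclusion form on purpose: it tracks protocols added by newer OpenSSL releases. SSLv3 stays enabled; exclude it explicitly if unwanted. */` would stop a future maintainer "tightening" this back to an inclusion list, and the same applies to `DEF_SMTPD_TLS_MAND_PROTO` in the previous hunk.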
diff -cr --new-file /var/tmp/postfix-2.7.8/src/postlog/postlog.c ./src/postlog/postlog.c
*** /var/tmp/postfix-2.7.8/src/postlog/postlog.c	Fri Apr 17 16:04:00 2009
--- ./src/postlog/postlog.c	Tue Feb 14 09:15:07 2012
***************
*** 206,212 ****
      if (isatty(STDERR_FILENO))
  	msg_vstream_init(tag, VSTREAM_ERR);
      msg_syslog_init(tag, LOG_PID, LOG_FACILITY);
-     tag = 0;
  
      /*
       * Parse switches.
--- 206,211 ----
diff -cr --new-file /var/tmp/postfix-2.7.8/src/smtp/smtp.c ./src/smtp/smtp.c
*** /var/tmp/postfix-2.7.8/src/smtp/smtp.c	Sun Nov 15 09:24:50 2009
--- ./src/smtp/smtp.c	Tue Apr 24 15:29:58 2012
***************
*** 344,350 ****
  /*	Optional lookup tables with the Postfix SMTP client TLS security
  /*	policy by next-hop destination; when a non-empty value is specified,
  /*	this overrides the obsolete smtp_tls_per_site parameter.
! /* .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
  /*	List of SSL/TLS protocols that the Postfix SMTP client will use with
  /*	mandatory TLS encryption.
  /* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
--- 344,350 ----
  /*	Optional lookup tables with the Postfix SMTP client TLS security
  /*	policy by next-hop destination; when a non-empty value is specified,
  /*	this overrides the obsolete smtp_tls_per_site parameter.
! /* .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
  /*	List of SSL/TLS protocols that the Postfix SMTP client will use with
  /*	mandatory TLS encryption.
  /* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
diff -cr --new-file /var/tmp/postfix-2.7.8/src/smtpd/smtpd.c ./src/smtpd/smtpd.c
*** /var/tmp/postfix-2.7.8/src/smtpd/smtpd.c	Thu Oct 20 17:33:53 2011
--- ./src/smtpd/smtpd.c	Tue Apr 24 15:20:38 2012
***************
*** 357,363 ****
  /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
  /*	Additional list of ciphers or cipher types to exclude from the
  /*	SMTP server cipher list at mandatory TLS security levels.
! /* .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
  /*	The SSL/TLS protocols accepted by the Postfix SMTP server with
  /*	mandatory TLS encryption.
  /* .IP "\fBsmtpd_tls_received_header (no)\fR"
--- 357,363 ----
  /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
  /*	Additional list of ciphers or cipher types to exclude from the
  /*	SMTP server cipher list at mandatory TLS security levels.
! /* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
  /*	The SSL/TLS protocols accepted by the Postfix SMTP server with
  /*	mandatory TLS encryption.
  /* .IP "\fBsmtpd_tls_received_header (no)\fR"
diff -cr --new-file /var/tmp/postfix-2.7.8/src/tls/tls.h ./src/tls/tls.h
*** /var/tmp/postfix-2.7.8/src/tls/tls.h	Sat Nov  8 18:35:28 2008
--- ./src/tls/tls.h	Tue Apr 24 13:47:25 2012
***************
*** 154,161 ****
  #define TLS_PROTOCOL_SSLv2	(1<<0)	/* SSLv2 */
  #define TLS_PROTOCOL_SSLv3	(1<<1)	/* SSLv3 */
  #define TLS_PROTOCOL_TLSv1	(1<<2)	/* TLSv1 */
  #define TLS_KNOWN_PROTOCOLS	\
! 	( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 )
  
  extern int tls_protocol_mask(const char *);
  
--- 154,172 ----
  #define TLS_PROTOCOL_SSLv2	(1<<0)	/* SSLv2 */
  #define TLS_PROTOCOL_SSLv3	(1<<1)	/* SSLv3 */
  #define TLS_PROTOCOL_TLSv1	(1<<2)	/* TLSv1 */
+ #ifdef SSL_TXT_TLSV1_1
+ #define TLS_PROTOCOL_TLSv1_1	(1<<3)	/* TLSv1_1 */
+ #else
+ #define TLS_PROTOCOL_TLSv1_1	0	/* Unknown */
+ #endif
+ #ifdef SSL_TXT_TLSV1_2
+ #define TLS_PROTOCOL_TLSv1_2	(1<<4)	/* TLSv1_2 */
+ #else
+ #define TLS_PROTOCOL_TLSv1_2	0	/* Unknown */
+ #endif
  #define TLS_KNOWN_PROTOCOLS	\
! 	( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
! 	   | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
  
  extern int tls_protocol_mask(const char *);
  
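Review bot: The new `TLS_PROTOCOL_TLSv1_1` / `TLS_PROTOCOL_TLSv1_2` bits are keyed on `#ifdef SSL_TXT_TLSV1_1` / `#ifdef SSL_TXT_TLSV1_2`, while the code that consumes them in tls_client.c and tls_server.c is keyed on `SSL_OP_NO_TLSv1_1` / `SSL_OP_NO_TLSv1_2`. If a header ever defines the protocol name but not the option, a `!TLSv1.1` setting would parse into a set mask bit that no SSL_OP_NO_* flag consumes, i.e. a silent no-op where the operator expects the protocol to be disabled. Tying both sides to one condition closes that gap, e.g. `#if defined(SSL_TXT_TLSV1_1) && defined(SSL_OP_NO_TLSv1_1)` here with the matching condition at the two `set_options` call sites. A short comment on the `0 /* Unknown */` fallback saying that a zero bit makes `protomask & TLS_PROTOCOL_TLSv1_1` fold away to nothing would also help the next reader.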
diff -cr --new-file /var/tmp/postfix-2.7.8/src/tls/tls_client.c ./src/tls/tls_client.c
*** /var/tmp/postfix-2.7.8/src/tls/tls_client.c	Tue Jun  1 19:52:06 2010
--- ./src/tls/tls_client.c	Tue Apr 24 13:47:25 2012
***************
*** 814,819 ****
--- 814,825 ----
      if (protomask != 0)
  	SSL_set_options(TLScontext->con,
  		   ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
+ #ifdef SSL_OP_NO_TLSv1_1
+ 	     | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_2
+ 	     | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
+ #endif
  		 | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
  	       | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
  
diff -cr --new-file /var/tmp/postfix-2.7.8/src/tls/tls_misc.c ./src/tls/tls_misc.c
*** /var/tmp/postfix-2.7.8/src/tls/tls_misc.c	Wed Jul  7 07:04:43 2010
--- ./src/tls/tls_misc.c	Tue Apr 24 13:47:25 2012
***************
*** 206,211 ****
--- 206,217 ----
      SSL_TXT_SSLV2, TLS_PROTOCOL_SSLv2,
      SSL_TXT_SSLV3, TLS_PROTOCOL_SSLv3,
      SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
+ #ifdef SSL_TXT_TLSV1_1
+     SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
+ #endif
+ #ifdef SSL_TXT_TLSV1_2
+     SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
+ #endif
      0, TLS_PROTOCOL_INVALID,
  };
  
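Review bot: The protocol vocabulary accepted by this table is fixed at build time by `#ifdef SSL_TXT_TLSV1_1` / `#ifdef SSL_TXT_TLSV1_2`, so it reflects the OpenSSL headers Postfix was compiled against, not the shared library it runs with. A binary built against pre-1.0.1 headers but loaded with a 1.0.1 library will presumably reject `!TLSv1.1` as an unknown name (the table terminates in `TLS_PROTOCOL_INVALID`) while the library still negotiates TLSv1.1 and 1.2, which is the same exposure the postconf note describes for older Postfix, only for a freshly patched one. That is worth stating above the table, e.g. `/* Names known at compile time only: a newer run-time OpenSSL may add protocols that cannot be named or excluded here; rebuild after upgrading OpenSSL. */`. The array's declaration starts outside the hunk.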
diff -cr --new-file /var/tmp/postfix-2.7.8/src/tls/tls_server.c ./src/tls/tls_server.c
*** /var/tmp/postfix-2.7.8/src/tls/tls_server.c	Tue Jun  1 19:52:06 2010
--- ./src/tls/tls_server.c	Tue Apr 24 13:47:25 2012
***************
*** 366,371 ****
--- 366,377 ----
      if (protomask != 0)
  	SSL_CTX_set_options(server_ctx,
  		   ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
+ #ifdef SSL_OP_NO_TLSv1_1
+ 	     | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_2
+ 	     | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
+ #endif
  		 | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
  	       | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
  
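Review bot: Before relying on `SSL_OP_NO_TLSv1_1` here, check the value it carries in the targeted OpenSSL build: as I recall, the initial 1.0.1 release assigned it a bit that overlapped one of the `SSL_OP_ALL` bug workarounds and the constant was renumbered in 1.0.1a, so on an unpatched 1.0.1 a `!TLSv1.1` exclusion could toggle an unrelated workaround option, or fail to disable the protocol at all. This needs confirming against the OpenSSL CHANGES file; if it holds, either pin the corrected value behind an `OPENSSL_VERSION_NUMBER` check or record the caveat next to this `#ifdef`. Separately, `SSL_CTX_set_options` only ever adds bits, so these exclusions apply to every session created from `server_ctx` for the life of the process, whereas the client side applies them per connection with `SSL_set_options`; a one-line comment noting that asymmetry would help. The enclosing function starts and ends outside the hunk.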
diff -cr --new-file /var/tmp/postfix-2.7.8/src/xsasl/xsasl_cyrus.h ./src/xsasl/xsasl_cyrus.h
*** /var/tmp/postfix-2.7.8/src/xsasl/xsasl_cyrus.h	Tue Dec 20 12:48:22 2005
--- ./src/xsasl/xsasl_cyrus.h	Sun Apr  1 10:29:55 2012
***************
*** 26,31 ****
--- 26,36 ----
  extern XSASL_SERVER_IMPL *xsasl_cyrus_server_init(const char *, const char *);
  extern XSASL_CLIENT_IMPL *xsasl_cyrus_client_init(const char *, const char *);
  
+  /*
+   * Internal definitions for client and server module.
+   */
+ typedef int (*XSASL_CYRUS_CB) (void);
+ 
  #endif
  
  /* LICENSE
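Review bot: The new `XSASL_CYRUS_CB` typedef needs a comment explaining what it is for, because on its own `int (*)(void)` reads as a real callback signature rather than the generic slot type of `sasl_callback_t.proc`. Something like `/* Generic type of sasl_callback_t.proc. libsasl casts back to the per-SASL_CB_* prototype before calling, so each function cast to this type must still match that prototype exactly. */` makes the contract explicit. Since the casts in xsasl_cyrus_client.c and xsasl_cyrus_server.c remove the compiler's check at the initialisers, this comment becomes the only place the requirement is stated.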
diff -cr --new-file /var/tmp/postfix-2.7.8/src/xsasl/xsasl_cyrus_client.c ./src/xsasl/xsasl_cyrus_client.c
*** /var/tmp/postfix-2.7.8/src/xsasl/xsasl_cyrus_client.c	Sat Apr 18 19:39:30 2009
--- ./src/xsasl/xsasl_cyrus_client.c	Sun Apr  1 10:29:55 2012
***************
*** 223,229 ****
       * Global callbacks. These have no per-session context.
       */
      static sasl_callback_t callbacks[] = {
! 	{SASL_CB_LOG, &xsasl_cyrus_log, 0},
  	{SASL_CB_LIST_END, 0, 0}
      };
  
--- 223,229 ----
       * Global callbacks. These have no per-session context.
       */
      static sasl_callback_t callbacks[] = {
! 	{SASL_CB_LOG, (XSASL_CYRUS_CB) &xsasl_cyrus_log, 0},
  	{SASL_CB_LIST_END, 0, 0}
      };
  
***************
*** 302,310 ****
  {
      XSASL_CYRUS_CLIENT *client = 0;
      static sasl_callback_t callbacks[] = {
! 	{SASL_CB_USER, &xsasl_cyrus_client_get_user, 0},
! 	{SASL_CB_AUTHNAME, &xsasl_cyrus_client_get_user, 0},
! 	{SASL_CB_PASS, &xsasl_cyrus_client_get_passwd, 0},
  	{SASL_CB_LIST_END, 0, 0}
      };
      sasl_conn_t *sasl_conn = 0;
--- 302,310 ----
  {
      XSASL_CYRUS_CLIENT *client = 0;
      static sasl_callback_t callbacks[] = {
! 	{SASL_CB_USER, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_user, 0},
! 	{SASL_CB_AUTHNAME, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_user, 0},
! 	{SASL_CB_PASS, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_passwd, 0},
  	{SASL_CB_LIST_END, 0, 0}
      };
      sasl_conn_t *sasl_conn = 0;
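Review bot: The `(XSASL_CYRUS_CB)` casts at the SASL_CB_USER, SASL_CB_AUTHNAME and SASL_CB_PASS entries silence the warning by discarding the only compile-time check that `xsasl_cyrus_client_get_user` and `xsasl_cyrus_client_get_passwd` have the prototypes libsasl will call them with; these are the credential callbacks, so a future signature drift would surface as an argument mismatch exactly where the password is handed over. With the check gone, the requirement should be written at each callback's definition, e.g. `/* Must match sasl_getsimple_t: libsasl calls this through the SASL_CB_USER/SASL_CB_AUTHNAME slot. */` and the corresponding `sasl_getsecret_t` note on the password callback, with the typedef names confirmed against the sasl.h version in use. Those definitions and the rest of this function lie outside the hunk.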
diff -cr --new-file /var/tmp/postfix-2.7.8/src/xsasl/xsasl_cyrus_server.c ./src/xsasl/xsasl_cyrus_server.c
*** /var/tmp/postfix-2.7.8/src/xsasl/xsasl_cyrus_server.c	Sat Apr 18 18:43:58 2009
--- ./src/xsasl/xsasl_cyrus_server.c	Sun Apr  1 10:29:55 2012
***************
*** 170,176 ****
  #define NO_CALLBACK_CONTEXT	0
  
  static sasl_callback_t callbacks[] = {
!     {SASL_CB_LOG, &xsasl_cyrus_log, NO_CALLBACK_CONTEXT},
      {SASL_CB_LIST_END, 0, 0}
  };
  
--- 170,176 ----
  #define NO_CALLBACK_CONTEXT	0
  
  static sasl_callback_t callbacks[] = {
!     {SASL_CB_LOG, (XSASL_CYRUS_CB) &xsasl_cyrus_log, NO_CALLBACK_CONTEXT},
      {SASL_CB_LIST_END, 0, 0}
  };