Prereq: "2.9.1" diff -cr --new-file /var/tmp/postfix-2.9.1/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.9.1/src/global/mail_version.h Sat Feb 18 07:14:58 2012 --- ./src/global/mail_version.h Tue Apr 24 13:36:34 2012 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20120218" ! #define MAIL_VERSION_NUMBER "2.9.1" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20120424" ! #define MAIL_VERSION_NUMBER "2.9.2" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.9.1/HISTORY ./HISTORY *** /var/tmp/postfix-2.9.1/HISTORY Sat Feb 18 07:13:45 2012 --- ./HISTORY Tue Apr 24 13:34:13 2012 *************** *** 17629,17631 **** --- 17629,17646 ---- to a missing guard statement after an smtpd_check_rewrite() call was moved closer to the command processor loop. Fix by Bartek Szady. File: smtpd/smtpd.c. + + 20120401 + + Bitrot: shut up useless warnings about Cyrus SASL call-back + function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h, + xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c. + + 20120422 + + Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the + known TLS protocol list so that protocols can be turned off + selectively to work around implementation bugs. Based on + a patch by Victor Duchovni. Files: proto/TLS_README.html, + proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c, + tls/tls_server.c. diff -cr --new-file /var/tmp/postfix-2.9.1/README_FILES/TLS_README ./README_FILES/TLS_README *** /var/tmp/postfix-2.9.1/README_FILES/TLS_README Tue Dec 6 10:21:22 2011 --- ./README_FILES/TLS_README Tue Apr 24 15:20:56 2012 *************** *** 484,494 **** control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export". ! With mandatory TLS encryption, the Postfix SMTP server will by default only use ! SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The ! mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols ! configuration parameter. The corresponding smtpd_tls_protocols parameter ! (Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS. For a server that is not a public Internet MX host, Postfix supports configurations with no server certificates that use oonnllyy the anonymous ciphers. --- 484,500 ---- control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export". ! With mandatory TLS encryption, the Postfix SMTP server will by default disable ! SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS ! protocol list is specified via the smtpd_tls_mandatory_protocols configuration ! parameter. The corresponding smtpd_tls_protocols parameter (Postfix >= 2.6) ! controls the SSL/TLS protocols used with opportunistic TLS. ! ! Note that the OpenSSL library only supports protocol exclusion (not inclusion). ! For this reason, Postfix can exclude only protocols that are known at the time ! the Postfix software is written. If new protocols are added to the OpenSSL ! library, they cannot be excluded without corresponding changes to the Postfix ! source code. For a server that is not a public Internet MX host, Postfix supports configurations with no server certificates that use oonnllyy the anonymous ciphers. *************** *** 503,511 **** smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! smtpd_tls_mandatory_protocols = TLSv1 ! # Also available with Postfix >= 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 If you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH) key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead --- 509,518 ---- smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! # Preferred form with Postfix >= 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtpd_tls_mandatory_protocols = TLSv1 If you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH) key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead *************** *** 536,544 **** smtpd_tls_eecdh_grade = strong Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS ! servers to preempt the TLS client's cipher preference list. This is only ! possible with SSLv3, as in SSLv2 the client chooses the cipher from a list ! supplied by the server. By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server may choose its own most --- 543,551 ---- smtpd_tls_eecdh_grade = strong Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS ! servers to preempt the TLS client's cipher preference list. This is possible ! only with SSLv3 and later, as in SSLv2 the client chooses the cipher from a ! list supplied by the server. By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server may choose its own most *************** *** 720,728 **** Examples: In the example below, traffic to example.com and its sub-domains via the ! corresponding MX hosts always uses TLS. The protocol version will be "SSLv3" or ! "TLSv1" (the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). ! Only high or medium strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions. /etc/postfix/main.cf: --- 727,735 ---- Examples: In the example below, traffic to example.com and its sub-domains via the ! corresponding MX hosts always uses TLS. The SSLv2 protocol will be disabled ! (the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). Only ! high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions. /etc/postfix/main.cf: *************** *** 1409,1419 **** control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export". ! With mandatory TLS encryption, the Postfix SMTP client will by default only use ! SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The ! mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols ! configuration parameter. The corresponding smtp_tls_protocols parameter ! (Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS. Example: --- 1416,1426 ---- control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export". ! With mandatory TLS encryption, the Postfix SMTP client will by default disable ! SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS ! protocol list is specified via the smtp_tls_mandatory_protocols configuration ! parameter. The corresponding smtp_tls_protocols parameter (Postfix >= 2.6) ! controls the SSL/TLS protocols used with opportunistic TLS. Example: *************** *** 1421,1429 **** smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! smtp_tls_mandatory_protocols = SSLv3, TLSv1 ! # Also available with Postfix >= 2.5: smtp_tls_mandatory_protocols = !SSLv2 # Also available with Postfix >= 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 --- 1428,1437 ---- smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! # Preferred form with Postfix >= 2.5: smtp_tls_mandatory_protocols = !SSLv2 + # Alternative form. + smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Also available with Postfix >= 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 diff -cr --new-file /var/tmp/postfix-2.9.1/RELEASE_NOTES ./RELEASE_NOTES *** /var/tmp/postfix-2.9.1/RELEASE_NOTES Fri Jan 20 17:14:56 2012 --- ./RELEASE_NOTES Tue Apr 24 15:58:33 2012 *************** *** 14,19 **** --- 14,56 ---- If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8 before proceeding. + Major changes with Postfix 2.9.2 + -------------------------------- + + This release adds support to turn off the TLSv1.1 and TLSv1.2 + protocols. Introduced with OpenSSL version 1.0.1, these are known + to cause inter-operability problems with for example hotmail. + + The radical workaround is to temporarily turn off problematic + protocols globally: + + /etc/postfix/main.cf: + smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2 + smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2 + + smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2 + smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2 + + However, it may be better to temporarily turn off problematic + protocols for broken sites only: + + /etc/postfix/main.cf: + smtp_tls_policy_maps = hash:/etc/postfix/tls_policy + + /etc/postfix/tls_policy: + example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2 + + Important: + + - Note the use of ":" instead of comma or space. Also, note that + there is NO space around the "=" in "protocols=". + + - The smtp_tls_policy_maps lookup key must match the "next-hop" + destination that is given to the Postfix SMTP client. If you + override the next-hop destination with transport_maps, relayhost, + sender_dependent_relayhost_maps, or otherwise, you need to specify + the same destination for the smtp_tls_policy_maps lookup key. + Major changes - critical ------------------------ diff -cr --new-file /var/tmp/postfix-2.9.1/html/TLS_README.html ./html/TLS_README.html *** /var/tmp/postfix-2.9.1/html/TLS_README.html Tue Dec 6 10:21:22 2011 --- ./html/TLS_README.html Tue Apr 24 15:20:54 2012 *************** *** 704,715 **** "export".
With mandatory TLS encryption, the Postfix SMTP server will by ! default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
For a server that is not a public Internet MX host, Postfix supports configurations with no server certificates that use only the anonymous ciphers. This is --- 704,721 ---- "export".
With mandatory TLS encryption, the Postfix SMTP server will by ! default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
+Note that the OpenSSL library only supports protocol exclusion + (not inclusion). For this reason, Postfix can exclude only protocols + that are known at the time the Postfix software is written. If new + protocols are added to the OpenSSL library, they cannot be excluded + without corresponding changes to the Postfix source code.
+For a server that is not a public Internet MX host, Postfix supports configurations with no server certificates that use only the anonymous ciphers. This is *************** *** 727,735 **** smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! smtpd_tls_mandatory_protocols = TLSv1 ! # Also available with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 --- 733,742 ---- smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! # Preferred form with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtpd_tls_mandatory_protocols = TLSv1 *************** *** 773,780 ****
Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS servers to preempt the TLS client's cipher preference list. ! This is only possible with SSLv3, as in SSLv2 the client chooses the ! cipher from a list supplied by the server.
By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server --- 780,787 ----
Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS servers to preempt the TLS client's cipher preference list. ! This is possible only with SSLv3 and later, as in SSLv2 the client ! chooses the cipher from a list supplied by the server.
By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server *************** *** 1010,1018 ****
Examples:
In the example below, traffic to example.com and its sub-domains ! via the corresponding MX hosts always uses TLS. The protocol version will be ! "SSLv3" or "TLSv1" (the default setting of smtp_tls_mandatory_protocols ! excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.
--- 1017,1025 ----Examples:
In the example below, traffic to example.com and its sub-domains ! via the corresponding MX hosts always uses TLS. The SSLv2 protocol ! will be disabled (the default setting of smtp_tls_mandatory_protocols ! excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.
*************** *** 1883,1889 **** "export".With mandatory TLS encryption, the Postfix SMTP client will by ! default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls --- 1890,1896 ---- "export".
With mandatory TLS encryption, the Postfix SMTP client will by ! default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls *************** *** 1897,1905 **** smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! smtp_tls_mandatory_protocols = SSLv3, TLSv1 ! # Also available with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 --- 1904,1913 ---- smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! # Preferred form with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 + # Alternative form. + smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 diff -cr --new-file /var/tmp/postfix-2.9.1/html/lmtp.8.html ./html/lmtp.8.html *** /var/tmp/postfix-2.9.1/html/lmtp.8.html Sat Jan 14 11:20:32 2012 --- ./html/lmtp.8.html Tue Apr 24 15:30:37 2012 *************** *** 477,483 **** non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. ! smtp_tls_mandatory_protocols (SSLv3, TLSv1) List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. --- 477,483 ---- non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. ! smtp_tls_mandatory_protocols (!SSLv2) List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. diff -cr --new-file /var/tmp/postfix-2.9.1/html/postconf.5.html ./html/postconf.5.html *** /var/tmp/postfix-2.9.1/html/postconf.5.html Sat Jan 14 20:43:55 2012 --- ./html/postconf.5.html Tue Apr 24 15:20:56 2012 *************** *** 4775,4781 ****
The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.
--- 4775,4781 ----The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.
*************** *** 11052,11058 ****List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by --- 11052,11058 ----
List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by *************** *** 11061,11072 **** empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".
With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported; use the form you find more intuitive.
Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by --- 11061,11079 ---- empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".
+Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.
+With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. !
Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by *************** *** 11079,11087 ****
Example:
! smtp_tls_mandatory_protocols = TLSv1 ! # Alternative form with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
This feature is available in Postfix 2.3 and later.
--- 11086,11095 ----Example:
! # Preferred form with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtp_tls_mandatory_protocols = TLSv1
This feature is available in Postfix 2.3 and later.
*************** *** 11338,11351 **** protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax.
Example:
--- 11346,11363 ---- protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1". +Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.
+To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix.
Example:
*************** *** 14848,14854 ****
The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all --- 14860,14866 ----
The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all *************** *** 14857,14868 **** names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported, use the form you find more intuitive.
Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that --- 14869,14887 ---- names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
+Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.
+With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. !
Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that *************** *** 14896,14909 **** "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute values are separated by a colon.
To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax.
Example:
--- 14915,14932 ---- "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute values are separated by a colon. +*************** *** 773,780 ****Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.
+To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix.
Example:
diff -cr --new-file /var/tmp/postfix-2.9.1/html/smtp.8.html ./html/smtp.8.html *** /var/tmp/postfix-2.9.1/html/smtp.8.html Sat Jan 14 11:20:32 2012 --- ./html/smtp.8.html Tue Apr 24 15:30:37 2012 *************** *** 477,483 **** non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. ! smtp_tls_mandatory_protocols (SSLv3, TLSv1) List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. --- 477,483 ---- non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. ! smtp_tls_mandatory_protocols (!SSLv2) List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. diff -cr --new-file /var/tmp/postfix-2.9.1/html/smtpd.8.html ./html/smtpd.8.html *** /var/tmp/postfix-2.9.1/html/smtpd.8.html Sun Jan 15 10:35:25 2012 --- ./html/smtpd.8.html Tue Apr 24 15:30:37 2012 *************** *** 473,479 **** exclude from the Postfix SMTP server cipher list at mandatory TLS security levels. ! smtpd_tls_mandatory_protocols (SSLv3, TLSv1) The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. --- 473,479 ---- exclude from the Postfix SMTP server cipher list at mandatory TLS security levels. ! smtpd_tls_mandatory_protocols (!SSLv2) The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. diff -cr --new-file /var/tmp/postfix-2.9.1/man/man5/postconf.5 ./man/man5/postconf.5 *** /var/tmp/postfix-2.9.1/man/man5/postconf.5 Sat Jan 14 20:43:55 2012 --- ./man/man5/postconf.5 Tue Apr 24 15:20:56 2012 *************** *** 2639,2645 **** configuration parameter. See there for details. .PP This feature is available in Postfix 2.3 and later. ! .SH lmtp_tls_mandatory_protocols (default: SSLv3, TLSv1) The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details. .PP --- 2639,2645 ---- configuration parameter. See there for details. .PP This feature is available in Postfix 2.3 and later. ! .SH lmtp_tls_mandatory_protocols (default: !SSLv2) The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details. .PP *************** *** 6653,6659 **** attribute. See smtp_tls_policy_maps for notes and examples. .PP This feature is available in Postfix 2.3 and later. ! .SH smtp_tls_mandatory_protocols (default: SSLv3, TLSv1) List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by whitespace, commas or colons. In the policy table "protocols" attribute --- 6653,6659 ---- attribute. See smtp_tls_policy_maps for notes and examples. .PP This feature is available in Postfix 2.3 and later. ! .SH smtp_tls_mandatory_protocols (default: !SSLv2) List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by whitespace, commas or colons. In the policy table "protocols" attribute *************** *** 6661,6672 **** empty value means allow all protocols. The valid protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1". .PP With Postfix >= 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported; use the form you find more intuitive. .PP Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by --- 6661,6678 ---- empty value means allow all protocols. The valid protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1". .PP + Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled. + .PP With Postfix >= 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. .PP Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by *************** *** 6681,6689 **** .nf .na .ft C ! smtp_tls_mandatory_protocols = TLSv1 ! # Alternative form with Postfix >= 2.5: smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 .fi .ad .ft R --- 6687,6696 ---- .nf .na .ft C ! # Preferred form with Postfix >= 2.5: smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtp_tls_mandatory_protocols = TLSv1 .fi .ad .ft R *************** *** 6917,6930 **** protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1". .PP To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax. .PP Example: .nf --- 6924,6941 ---- protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1". .PP + Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled. + .PP To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix. .PP Example: .nf *************** *** 9554,9560 **** (see there for syntax details). .PP This feature is available in Postfix 2.3 and later. ! .SH smtpd_tls_mandatory_protocols (default: SSLv3, TLSv1) The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all available SSL/TLS protocol versions. A non-empty value is a list --- 9565,9571 ---- (see there for syntax details). .PP This feature is available in Postfix 2.3 and later. ! .SH smtpd_tls_mandatory_protocols (default: !SSLv2) The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all available SSL/TLS protocol versions. A non-empty value is a list *************** *** 9562,9573 **** names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. .PP With Postfix >= 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported, use the form you find more intuitive. .PP Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that --- 9573,9590 ---- names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. .PP + Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled. + .PP With Postfix >= 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. .PP Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that *************** *** 9599,9612 **** "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute values are separated by a colon. .PP To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax. .PP Example: .nf --- 9616,9633 ---- "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute values are separated by a colon. .PP + Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled. + .PP To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix. .PP Example: .nf diff -cr --new-file /var/tmp/postfix-2.9.1/man/man8/smtp.8 ./man/man8/smtp.8 *** /var/tmp/postfix-2.9.1/man/man8/smtp.8 Sat Jan 14 11:20:31 2012 --- ./man/man8/smtp.8 Tue Apr 24 15:30:36 2012 *************** *** 398,404 **** Optional lookup tables with the Postfix SMTP client TLS security policy by next-hop destination; when a non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. ! .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR" List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. .IP "\fBsmtp_tls_scert_verifydepth (9)\fR" --- 398,404 ---- Optional lookup tables with the Postfix SMTP client TLS security policy by next-hop destination; when a non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. ! .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR" List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. .IP "\fBsmtp_tls_scert_verifydepth (9)\fR" diff -cr --new-file /var/tmp/postfix-2.9.1/man/man8/smtpd.8 ./man/man8/smtpd.8 *** /var/tmp/postfix-2.9.1/man/man8/smtpd.8 Sun Jan 15 10:35:24 2012 --- ./man/man8/smtpd.8 Tue Apr 24 15:30:37 2012 *************** *** 399,405 **** .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" Additional list of ciphers or cipher types to exclude from the Postfix SMTP server cipher list at mandatory TLS security levels. ! .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR" The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. .IP "\fBsmtpd_tls_received_header (no)\fR" --- 399,405 ---- .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" Additional list of ciphers or cipher types to exclude from the Postfix SMTP server cipher list at mandatory TLS security levels. ! .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR" The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. .IP "\fBsmtpd_tls_received_header (no)\fR" diff -cr --new-file /var/tmp/postfix-2.9.1/proto/TLS_README.html ./proto/TLS_README.html *** /var/tmp/postfix-2.9.1/proto/TLS_README.html Tue Dec 6 10:21:13 2011 --- ./proto/TLS_README.html Tue Apr 24 13:07:22 2012 *************** *** 704,715 **** "export".--- 733,742 ---- smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! # Preferred form with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtpd_tls_mandatory_protocols = TLSv1With mandatory TLS encryption, the Postfix SMTP server will by ! default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
For a server that is not a public Internet MX host, Postfix supports configurations with no server certificates that use only the anonymous ciphers. This is --- 704,721 ---- "export".
With mandatory TLS encryption, the Postfix SMTP server will by ! default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
+Note that the OpenSSL library only supports protocol exclusion + (not inclusion). For this reason, Postfix can exclude only protocols + that are known at the time the Postfix software is written. If new + protocols are added to the OpenSSL library, they cannot be excluded + without corresponding changes to the Postfix source code.
+For a server that is not a public Internet MX host, Postfix supports configurations with no server certificates that use only the anonymous ciphers. This is *************** *** 727,735 **** smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! smtpd_tls_mandatory_protocols = TLSv1 ! # Also available with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS servers to preempt the TLS client's cipher preference list. ! This is only possible with SSLv3, as in SSLv2 the client chooses the ! cipher from a list supplied by the server.
By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server --- 780,787 ----
Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS servers to preempt the TLS client's cipher preference list. ! This is possible only with SSLv3 and later, as in SSLv2 the client ! chooses the cipher from a list supplied by the server.
By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server *************** *** 1010,1018 ****
Examples:
In the example below, traffic to example.com and its sub-domains ! via the corresponding MX hosts always uses TLS. The protocol version will be ! "SSLv3" or "TLSv1" (the default setting of smtp_tls_mandatory_protocols ! excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.
--- 1017,1025 ----Examples:
In the example below, traffic to example.com and its sub-domains ! via the corresponding MX hosts always uses TLS. The SSLv2 protocol ! will be disabled (the default setting of smtp_tls_mandatory_protocols ! excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.
*************** *** 1883,1889 **** "export".With mandatory TLS encryption, the Postfix SMTP client will by ! default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls --- 1890,1896 ---- "export".
With mandatory TLS encryption, the Postfix SMTP client will by ! default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls *************** *** 1897,1905 **** smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! smtp_tls_mandatory_protocols = SSLv3, TLSv1 ! # Also available with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 --- 1904,1913 ---- smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! # Preferred form with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 + # Alternative form. + smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 diff -cr --new-file /var/tmp/postfix-2.9.1/proto/postconf.proto ./proto/postconf.proto *** /var/tmp/postfix-2.9.1/proto/postconf.proto Sat Jan 14 20:26:32 2012 --- ./proto/postconf.proto Tue Apr 24 13:07:22 2012 *************** *** 10457,10463 ****
This feature is available in Postfix 2.3 and later.
! %PARAM smtp_tls_mandatory_protocols SSLv3, TLSv1List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by --- 10457,10463 ----
This feature is available in Postfix 2.3 and later.
! %PARAM smtp_tls_mandatory_protocols !SSLv2List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by *************** *** 10466,10477 **** empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".
With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported; use the form you find more intuitive.
Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by --- 10466,10484 ---- empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".
+Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.
+With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. !
Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by *************** *** 10484,10492 ****
Example:
! smtp_tls_mandatory_protocols = TLSv1 ! # Alternative form with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
This feature is available in Postfix 2.3 and later.
--- 10491,10500 ----Example:
! # Preferred form with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtp_tls_mandatory_protocols = TLSv1
This feature is available in Postfix 2.3 and later.
*************** *** 10616,10622 ****This feature is available in Postfix 2.3 and later.
! %PARAM lmtp_tls_mandatory_protocols SSLv3, TLSv1The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.
--- 10624,10630 ----This feature is available in Postfix 2.3 and later.
! %PARAM lmtp_tls_mandatory_protocols !SSLv2The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.
*************** *** 10637,10643 ****This feature is available in Postfix 2.3 and later.
! %PARAM smtpd_tls_mandatory_protocols SSLv3, TLSv1The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all --- 10645,10651 ----
This feature is available in Postfix 2.3 and later.
! %PARAM smtpd_tls_mandatory_protocols !SSLv2The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all *************** *** 10646,10657 **** names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported, use the form you find more intuitive.
Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that --- 10654,10672 ---- names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
+Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.
+With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. !
Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that *************** *** 11678,11691 **** protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".
To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax.
Example:
--- 11693,11710 ---- protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1". +Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.
+To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix.
Example:
*************** *** 11708,11721 **** "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute values are separated by a colon.To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax.
Example:
--- 11727,11744 ---- "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute values are separated by a colon. +Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.
+To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix.
Example:
diff -cr --new-file /var/tmp/postfix-2.9.1/src/global/mail_params.h ./src/global/mail_params.h *** /var/tmp/postfix-2.9.1/src/global/mail_params.h Sat Jan 14 19:36:37 2012 --- ./src/global/mail_params.h Tue Apr 24 13:07:22 2012 *************** *** 1257,1263 **** extern char *var_smtpd_tls_proto; #define VAR_SMTPD_TLS_MAND_PROTO "smtpd_tls_mandatory_protocols" ! #define DEF_SMTPD_TLS_MAND_PROTO "SSLv3, TLSv1" extern char *var_smtpd_tls_mand_proto; #define VAR_SMTPD_TLS_CIPH "smtpd_tls_ciphers" --- 1257,1263 ---- extern char *var_smtpd_tls_proto; #define VAR_SMTPD_TLS_MAND_PROTO "smtpd_tls_mandatory_protocols" ! #define DEF_SMTPD_TLS_MAND_PROTO "!SSLv2" extern char *var_smtpd_tls_mand_proto; #define VAR_SMTPD_TLS_CIPH "smtpd_tls_ciphers" *************** *** 1470,1478 **** extern char *var_smtp_tls_proto; #define VAR_SMTP_TLS_MAND_PROTO "smtp_tls_mandatory_protocols" ! #define DEF_SMTP_TLS_MAND_PROTO "SSLv3, TLSv1" #define VAR_LMTP_TLS_MAND_PROTO "lmtp_tls_mandatory_protocols" ! #define DEF_LMTP_TLS_MAND_PROTO "SSLv3, TLSv1" extern char *var_smtp_tls_mand_proto; #define VAR_SMTP_TLS_VFY_CMATCH "smtp_tls_verify_cert_match" --- 1470,1478 ---- extern char *var_smtp_tls_proto; #define VAR_SMTP_TLS_MAND_PROTO "smtp_tls_mandatory_protocols" ! #define DEF_SMTP_TLS_MAND_PROTO "!SSLv2" #define VAR_LMTP_TLS_MAND_PROTO "lmtp_tls_mandatory_protocols" ! #define DEF_LMTP_TLS_MAND_PROTO "!SSLv2" extern char *var_smtp_tls_mand_proto; #define VAR_SMTP_TLS_VFY_CMATCH "smtp_tls_verify_cert_match" diff -cr --new-file /var/tmp/postfix-2.9.1/src/smtp/smtp.c ./src/smtp/smtp.c *** /var/tmp/postfix-2.9.1/src/smtp/smtp.c Sat Jan 14 11:16:21 2012 --- ./src/smtp/smtp.c Tue Apr 24 15:30:36 2012 *************** *** 368,374 **** /* Optional lookup tables with the Postfix SMTP client TLS security /* policy by next-hop destination; when a non-empty value is specified, /* this overrides the obsolete smtp_tls_per_site parameter. ! /* .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR" /* List of SSL/TLS protocols that the Postfix SMTP client will use with /* mandatory TLS encryption. /* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR" --- 368,374 ---- /* Optional lookup tables with the Postfix SMTP client TLS security /* policy by next-hop destination; when a non-empty value is specified, /* this overrides the obsolete smtp_tls_per_site parameter. ! /* .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR" /* List of SSL/TLS protocols that the Postfix SMTP client will use with /* mandatory TLS encryption. /* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR" diff -cr --new-file /var/tmp/postfix-2.9.1/src/smtpd/smtpd.c ./src/smtpd/smtpd.c *** /var/tmp/postfix-2.9.1/src/smtpd/smtpd.c Fri Feb 17 09:25:38 2012 --- ./src/smtpd/smtpd.c Tue Apr 24 15:30:36 2012 *************** *** 367,373 **** /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" /* Additional list of ciphers or cipher types to exclude from the /* Postfix SMTP server cipher list at mandatory TLS security levels. ! /* .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR" /* The SSL/TLS protocols accepted by the Postfix SMTP server with /* mandatory TLS encryption. /* .IP "\fBsmtpd_tls_received_header (no)\fR" --- 367,373 ---- /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" /* Additional list of ciphers or cipher types to exclude from the /* Postfix SMTP server cipher list at mandatory TLS security levels. ! /* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR" /* The SSL/TLS protocols accepted by the Postfix SMTP server with /* mandatory TLS encryption. /* .IP "\fBsmtpd_tls_received_header (no)\fR" diff -cr --new-file /var/tmp/postfix-2.9.1/src/tls/tls.h ./src/tls/tls.h *** /var/tmp/postfix-2.9.1/src/tls/tls.h Mon Dec 5 16:03:07 2011 --- ./src/tls/tls.h Tue Apr 24 13:07:22 2012 *************** *** 175,182 **** #define TLS_PROTOCOL_SSLv2 (1<<0) /* SSLv2 */ #define TLS_PROTOCOL_SSLv3 (1<<1) /* SSLv3 */ #define TLS_PROTOCOL_TLSv1 (1<<2) /* TLSv1 */ #define TLS_KNOWN_PROTOCOLS \ ! ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 ) extern int tls_protocol_mask(const char *); --- 175,193 ---- #define TLS_PROTOCOL_SSLv2 (1<<0) /* SSLv2 */ #define TLS_PROTOCOL_SSLv3 (1<<1) /* SSLv3 */ #define TLS_PROTOCOL_TLSv1 (1<<2) /* TLSv1 */ + #ifdef SSL_TXT_TLSV1_1 + #define TLS_PROTOCOL_TLSv1_1 (1<<3) /* TLSv1_1 */ + #else + #define TLS_PROTOCOL_TLSv1_1 0 /* Unknown */ + #endif + #ifdef SSL_TXT_TLSV1_2 + #define TLS_PROTOCOL_TLSv1_2 (1<<4) /* TLSv1_2 */ + #else + #define TLS_PROTOCOL_TLSv1_2 0 /* Unknown */ + #endif #define TLS_KNOWN_PROTOCOLS \ ! ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \ ! | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 ) extern int tls_protocol_mask(const char *); diff -cr --new-file /var/tmp/postfix-2.9.1/src/tls/tls_client.c ./src/tls/tls_client.c *** /var/tmp/postfix-2.9.1/src/tls/tls_client.c Mon Dec 5 16:03:07 2011 --- ./src/tls/tls_client.c Tue Apr 24 13:07:22 2012 *************** *** 859,864 **** --- 859,870 ---- if (protomask != 0) SSL_set_options(TLScontext->con, ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) + #ifdef SSL_OP_NO_TLSv1_1 + | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L) + #endif + #ifdef SSL_OP_NO_TLSv1_2 + | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L) + #endif | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L)); diff -cr --new-file /var/tmp/postfix-2.9.1/src/tls/tls_misc.c ./src/tls/tls_misc.c *** /var/tmp/postfix-2.9.1/src/tls/tls_misc.c Mon Dec 5 16:03:07 2011 --- ./src/tls/tls_misc.c Tue Apr 24 13:07:22 2012 *************** *** 224,229 **** --- 224,235 ---- SSL_TXT_SSLV2, TLS_PROTOCOL_SSLv2, SSL_TXT_SSLV3, TLS_PROTOCOL_SSLv3, SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1, + #ifdef SSL_TXT_TLSV1_1 + SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1, + #endif + #ifdef SSL_TXT_TLSV1_2 + SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2, + #endif 0, TLS_PROTOCOL_INVALID, }; diff -cr --new-file /var/tmp/postfix-2.9.1/src/tls/tls_server.c ./src/tls/tls_server.c *** /var/tmp/postfix-2.9.1/src/tls/tls_server.c Mon Dec 5 16:03:07 2011 --- ./src/tls/tls_server.c Tue Apr 24 13:07:22 2012 *************** *** 403,408 **** --- 403,414 ---- if (protomask != 0) SSL_CTX_set_options(server_ctx, ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) + #ifdef SSL_OP_NO_TLSv1_1 + | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L) + #endif + #ifdef SSL_OP_NO_TLSv1_2 + | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L) + #endif | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L)); diff -cr --new-file /var/tmp/postfix-2.9.1/src/xsasl/xsasl_cyrus.h ./src/xsasl/xsasl_cyrus.h *** /var/tmp/postfix-2.9.1/src/xsasl/xsasl_cyrus.h Tue Dec 20 12:48:22 2005 --- ./src/xsasl/xsasl_cyrus.h Sun Apr 1 10:26:11 2012 *************** *** 26,31 **** --- 26,36 ---- extern XSASL_SERVER_IMPL *xsasl_cyrus_server_init(const char *, const char *); extern XSASL_CLIENT_IMPL *xsasl_cyrus_client_init(const char *, const char *); + /* + * Internal definitions for client and server module. + */ + typedef int (*XSASL_CYRUS_CB) (void); + #endif /* LICENSE diff -cr --new-file /var/tmp/postfix-2.9.1/src/xsasl/xsasl_cyrus_client.c ./src/xsasl/xsasl_cyrus_client.c *** /var/tmp/postfix-2.9.1/src/xsasl/xsasl_cyrus_client.c Sat Apr 18 19:39:30 2009 --- ./src/xsasl/xsasl_cyrus_client.c Sun Apr 1 10:26:11 2012 *************** *** 223,229 **** * Global callbacks. These have no per-session context. */ static sasl_callback_t callbacks[] = { ! {SASL_CB_LOG, &xsasl_cyrus_log, 0}, {SASL_CB_LIST_END, 0, 0} }; --- 223,229 ---- * Global callbacks. These have no per-session context. */ static sasl_callback_t callbacks[] = { ! {SASL_CB_LOG, (XSASL_CYRUS_CB) &xsasl_cyrus_log, 0}, {SASL_CB_LIST_END, 0, 0} }; *************** *** 302,310 **** { XSASL_CYRUS_CLIENT *client = 0; static sasl_callback_t callbacks[] = { ! {SASL_CB_USER, &xsasl_cyrus_client_get_user, 0}, ! {SASL_CB_AUTHNAME, &xsasl_cyrus_client_get_user, 0}, ! {SASL_CB_PASS, &xsasl_cyrus_client_get_passwd, 0}, {SASL_CB_LIST_END, 0, 0} }; sasl_conn_t *sasl_conn = 0; --- 302,310 ---- { XSASL_CYRUS_CLIENT *client = 0; static sasl_callback_t callbacks[] = { ! {SASL_CB_USER, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_user, 0}, ! {SASL_CB_AUTHNAME, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_user, 0}, ! {SASL_CB_PASS, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_passwd, 0}, {SASL_CB_LIST_END, 0, 0} }; sasl_conn_t *sasl_conn = 0; diff -cr --new-file /var/tmp/postfix-2.9.1/src/xsasl/xsasl_cyrus_server.c ./src/xsasl/xsasl_cyrus_server.c *** /var/tmp/postfix-2.9.1/src/xsasl/xsasl_cyrus_server.c Sat Apr 18 18:43:58 2009 --- ./src/xsasl/xsasl_cyrus_server.c Sun Apr 1 10:26:11 2012 *************** *** 170,176 **** #define NO_CALLBACK_CONTEXT 0 static sasl_callback_t callbacks[] = { ! {SASL_CB_LOG, &xsasl_cyrus_log, NO_CALLBACK_CONTEXT}, {SASL_CB_LIST_END, 0, 0} }; --- 170,176 ---- #define NO_CALLBACK_CONTEXT 0 static sasl_callback_t callbacks[] = { ! {SASL_CB_LOG, (XSASL_CYRUS_CB) &xsasl_cyrus_log, NO_CALLBACK_CONTEXT}, {SASL_CB_LIST_END, 0, 0} };