From 04f880d08ac8d69d561e09c8e80fce1146ff4b23 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Sat, 25 Jul 2020 00:00:00 -0500 Subject: [PATCH] postfix-3.6-20200725 --- postfix/HISTORY | 15 + postfix/README_FILES/TLS_README | 51 ++- postfix/html/TLS_README.html | 47 +- postfix/html/lmtp.8.html | 12 +- postfix/html/postconf.5.html | 411 ++++++++++------- postfix/html/posttls-finger.1.html | 40 +- postfix/html/smtp.8.html | 12 +- postfix/html/smtpd.8.html | 12 +- postfix/man/man1/posttls-finger.1 | 4 +- postfix/man/man5/postconf.5 | 466 ++++++++++++-------- postfix/man/man8/smtp.8 | 12 +- postfix/man/man8/smtpd.8 | 12 +- postfix/mantools/postconf2man | 2 +- postfix/proto/TLS_README.html | 47 +- postfix/proto/postconf.proto | 413 ++++++++++------- postfix/src/global/mail_params.h | 12 +- postfix/src/global/mail_version.h | 2 +- postfix/src/posttls-finger/posttls-finger.c | 6 +- postfix/src/smtp/smtp.c | 12 +- postfix/src/smtpd/smtpd.c | 12 +- postfix/src/tls/tls.h | 4 +- postfix/src/tls/tls_client.c | 18 +- postfix/src/tls/tls_fprint.c | 7 +- postfix/src/tls/tls_misc.c | 62 ++- postfix/src/tls/tls_server.c | 8 +- 25 files changed, 1048 insertions(+), 651 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index 414a33065..e141ce9c8 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -25008,3 +25008,18 @@ Apologies for any names omitted. Final cleanups of the peername matching code. File: tls/tls_client.c. + +202000725 + + Documentation of how to set the minimum and maximum allowed + TLS protocol versions (these override system-wide OpenSSL + configuration), some related code cleanups including better + warning messages. Viktor Dukhovni. Files: proto/TLS_README.html, + proto/postconf.proto, global/mail_params.h, + posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_client.c, + tls/tls_fprint.c, tls/tls_misc.c, tls/tls_server.c. + + The Postfix TLS library did not override the system-wide + OpenSSL configuration of allowed TLS protocol versions, for + sessions where the remote SMTP client sends SNI. File: + tls/tls_server.c. diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README index 57ebbea99..282ea2b64 100644 --- a/postfix/README_FILES/TLS_README +++ b/postfix/README_FILES/TLS_README @@ -101,10 +101,10 @@ SMTP server configurations will not accidentally enable TLS without certificates. Note that server certificates are nnoott optional in TLS 1.3. To run without -certificates you'd have to disable the TLS 1.3 protocol by including '!TLSv1.3' -in "smtpd_tls_protocols" and perhaps also "smtpd_tls_mandatory_protocols". It -is simpler instead to just configure a certificate chain. Certificate-less -operation is not recommended. +certificates you'd have to disable the TLS 1.3 protocol by including +"<=TLSv1.2" (or, for Postfix < 3.6, "!TLSv1.3") in "smtpd_tls_protocols" and +perhaps also "smtpd_tls_mandatory_protocols". It is simpler instead to just +configure a certificate chain. Certificate-less operation is not recommended. RSA, DSA and ECDSA (Postfix >= 2.6) certificates are supported. Most sites only have RSA certificates. You can configure all three at the same time, in which @@ -632,8 +632,8 @@ With mandatory and opportunistic TLS encryption, the Postfix SMTP server by default disables SSLv2 and SSLv3 with Postfix releases after the middle of 2015; older releases only disable SSLv2 for mandatory TLS. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration -parameter. The smtpd_tls_protocols parameter (Postfix >= 2.6) controls the SSL/ -TLS protocols used with opportunistic TLS. +parameter. The smtpd_tls_protocols parameter (Postfix >= 2.6) controls the TLS +protocols used with opportunistic TLS. Note that the OpenSSL library only supports protocol exclusion (not inclusion). For this reason, Postfix can exclude only protocols that are known at the time @@ -649,8 +649,7 @@ configurations may not interoperate with some clients, and require that TLSv1.3 be explicitly disabled. Therefore, they are not recommended, it is better and simpler to just configure a suitable certificate. -Example, MSA that requires TLSv1 or higher, not SSLv2 or SSLv3, with high grade -ciphers: +Example, MSA that requires TLSv1.2 or higher, with high grade ciphers: /etc/postfix/main.cf: smtpd_tls_cert_file = /etc/postfix/cert.pem @@ -658,10 +657,10 @@ ciphers: smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt - # Preferred syntax with Postfix >= 2.5: - smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Preferred syntax with Postfix >= 3.6: + smtpd_tls_mandatory_protocols = >=TLSv1.2 # Legacy syntax: - smtpd_tls_mandatory_protocols = TLSv1 + smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 With Postfix >= 3.4, specify instead a single file that holds the key followed by the corresponding certificate and any associated issuing certificates, @@ -924,9 +923,10 @@ not specified consistently. submission /etc/postfix/tls_policy: - [example.net]:587 encrypt protocols=TLSv1 ciphers=high - [example.net]:msa encrypt protocols=TLSv1 ciphers=high - [example.net]:submission encrypt protocols=TLSv1 ciphers=high + # Postfix >= 3.6 "protocols" syntax + [example.net]:587 encrypt protocols=>=TLSv1.2 ciphers=high + # Legacy "protocols" syntax + [example.net]:msa encrypt protocols=!SSLv2:!SSLv3 ciphers=high DDAANNEE TTLLSS aauutthheennttiiccaattiioonn.. @@ -1835,8 +1835,11 @@ Example: [thumb.example.org] fingerprint match=b6:b4:72:34:e2:59:cd:fb:...:0d:4d:cc:2c:7d:84:de:e6:2f match=51:e9:af:2e:1e:40:1f:de:...:35:2d:09:16:31:5a:eb:82:76 - # Postfix 2.6 and later - example.info may protocols=!SSLv2 ciphers=medium + # Postfix >= 3.6 "protocols" syntax + example.info may protocols=>=TLSv1 ciphers=medium + exclude=3DES + # Legacy protocols syntax + example.info may protocols=!SSLv2:!SSLv3 ciphers=medium exclude=3DES NNoottee:: The "hostname" strategy if listed in a non-default setting of @@ -1909,8 +1912,8 @@ the minimum opportunistic TLS cipher grade is always "export". With mandatory and opportunistic TLS encryption, the Postfix SMTP client will by default disable SSLv2 and SSLv3. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The -corresponding smtp_tls_protocols parameter (Postfix >= 2.6) controls the SSL/ -TLS protocols used with opportunistic TLS. +corresponding smtp_tls_protocols parameter (Postfix >= 2.6) controls the TLS +protocols used with opportunistic TLS. Example: @@ -1918,13 +1921,13 @@ Example: smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL - # Preferred form with Postfix >= 2.5: - smtp_tls_mandatory_protocols = !SSLv2 - # Legacy form for Postfix < 2.5: - smtp_tls_mandatory_protocols = SSLv3, TLSv1 - # Also available with Postfix >= 2.6: smtp_tls_ciphers = medium - smtp_tls_protocols = !SSLv2 + # Preferred form with Postfix >= 3.6: + smtp_tls_mandatory_protocols = >=TLSv1.2 + smtp_tls_protocols = >=TLSv1 + # Legacy form for Postfix < 3.6: + smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 + smtp_tls_protocols = !SSLv2,!SSLv3 CClliieenntt--ssiiddee SSMMTTPPSS ssuuppppoorrtt diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html index 4af1be12e..355426e0b 100644 --- a/postfix/html/TLS_README.html +++ b/postfix/html/TLS_README.html @@ -179,10 +179,10 @@ configurations will not accidentally enable TLS without certificates.

Note that server certificates are not optional in TLS 1.3. To run without certificates you'd have to disable the TLS 1.3 protocol by -including '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also -"smtpd_tls_mandatory_protocols". It is simpler instead to just -configure a certificate chain. Certificate-less operation is not -recommended.

+including "<=TLSv1.2" (or, for Postfix < 3.6, "!TLSv1.3") in +"smtpd_tls_protocols" and perhaps also "smtpd_tls_mandatory_protocols". +It is simpler instead to just configure a certificate chain. +Certificate-less operation is not recommended.

RSA, DSA and ECDSA (Postfix ≥ 2.6) certificates are supported. Most sites only have RSA certificates. You can configure all three @@ -891,7 +891,7 @@ after the middle of 2015; older releases only disable SSLv2 for mandatory TLS. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The smtpd_tls_protocols parameter (Postfix ≥ 2.6) -controls the SSL/TLS protocols used with opportunistic TLS.

+controls the TLS protocols used with opportunistic TLS.

Note that the OpenSSL library only supports protocol exclusion (not inclusion). For this reason, Postfix can exclude only protocols @@ -909,8 +909,8 @@ that TLSv1.3 be explicitly disabled. Therefore, they are not recommended, it is better and simpler to just configure a suitable certificate.

-

Example, MSA that requires TLSv1 or higher, not SSLv2 or SSLv3, -with high grade ciphers:

+

Example, MSA that requires TLSv1.2 or higher, with high grade +ciphers: 

@@ -920,10 +920,10 @@ with high grade ciphers: 

     smtpd_tls_mandatory_ciphers = high
     smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
     smtpd_tls_security_level = encrypt
-    # Preferred syntax with Postfix ≥ 2.5:
-    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+    # Preferred syntax with Postfix ≥ 3.6:
+    smtpd_tls_mandatory_protocols = >=TLSv1.2
     # Legacy syntax:
-    smtpd_tls_mandatory_protocols = TLSv1
+    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
@@ -1263,9 +1263,10 @@ just in case the transport table entries are not specified consistently.

submission 587/tcp msa # mail message submission /etc/postfix/tls_policy: - [example.net]:587 encrypt protocols=TLSv1 ciphers=high - [example.net]:msa encrypt protocols=TLSv1 ciphers=high - [example.net]:submission encrypt protocols=TLSv1 ciphers=high + # Postfix ≥ 3.6 "protocols" syntax + [example.net]:587 encrypt protocols=>=TLSv1.2 ciphers=high + # Legacy "protocols" syntax + [example.net]:msa encrypt protocols=!SSLv2:!SSLv3 ciphers=high @@ -2398,8 +2399,10 @@ Example: [thumb.example.org] fingerprint match=b6:b4:72:34:e2:59:cd:fb:...:0d:4d:cc:2c:7d:84:de:e6:2f match=51:e9:af:2e:1e:40:1f:de:...:35:2d:09:16:31:5a:eb:82:76 - # Postfix 2.6 and later - example.info may protocols=!SSLv2 ciphers=medium exclude=3DES + # Postfix ≥ 3.6 "protocols" syntax + example.info may protocols=>=TLSv1 ciphers=medium exclude=3DES + # Legacy protocols syntax + example.info may protocols=!SSLv2:!SSLv3 ciphers=medium exclude=3DES @@ -2494,7 +2497,7 @@ SMTP client will by default disable SSLv2 and SSLv3. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls -the SSL/TLS protocols used with opportunistic TLS.

+the TLS protocols used with opportunistic TLS.

Example:

@@ -2504,13 +2507,13 @@ the SSL/TLS protocols used with opportunistic TLS.

smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL - # Preferred form with Postfix ≥ 2.5: - smtp_tls_mandatory_protocols = !SSLv2 - # Legacy form for Postfix < 2.5: - smtp_tls_mandatory_protocols = SSLv3, TLSv1 - # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = medium - smtp_tls_protocols = !SSLv2 + # Preferred form with Postfix ≥ 3.6: + smtp_tls_mandatory_protocols = >=TLSv1.2 + smtp_tls_protocols = >=TLSv1 + # Legacy form for Postfix < 3.6: + smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 + smtp_tls_protocols = !SSLv2,!SSLv3 diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index 3c20579ef..3da974ed7 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -508,9 +508,9 @@ SMTP(8) SMTP(8) policy by next-hop destination; when a non-empty value is speci- fied, this overrides the obsolete smtp_tls_per_site parameter. - smtp_tls_mandatory_protocols (!SSLv2, !SSLv3) - List of SSL/TLS protocols that the Postfix SMTP client will use - with mandatory TLS encryption. + smtp_tls_mandatory_protocols (see 'postconf -d' output) + TLS protocols that the Postfix SMTP client will use with manda- + tory TLS encryption. smtp_tls_scert_verifydepth (9) The verification depth for remote SMTP server certificates. @@ -573,9 +573,9 @@ SMTP(8) SMTP(8) Available in Postfix version 2.6 and later: - smtp_tls_protocols (!SSLv2, !SSLv3) - List of TLS protocols that the Postfix SMTP client will exclude - or include with opportunistic TLS encryption. + smtp_tls_protocols (see postconf -d output) + TLS protocols that the Postfix SMTP client will use with oppor- + tunistic TLS encryption. smtp_tls_ciphers (medium) The minimum TLS cipher grade that the Postfix SMTP client will diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 13d621cc6..d6a367043 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -5420,7 +5420,7 @@ configuration parameter. See there for details.

lmtp_tls_mandatory_protocols -(default: !SSLv2, !SSLv3)
+(default: see postconf -d output)

The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.

@@ -5464,7 +5464,7 @@ configuration parameter. See there for details.

lmtp_tls_protocols -(default: !SSLv2, !SSLv3)
+(default: see postconf -d output)

The LMTP-specific version of the smtp_tls_protocols configuration parameter. See there for details.

@@ -12881,74 +12881,92 @@ attribute. See smtp_tls_policy_ma
smtp_tls_mandatory_protocols -(default: !SSLv2, !SSLv3)
+(default: see "postconf -d" output)
-

List of SSL/TLS protocols that the Postfix SMTP client will use with -mandatory TLS encryption. In main.cf the values are separated by -whitespace, commas or colons. In the policy table "protocols" attribute -(see smtp_tls_policy_maps) the only valid separator is colon. An -empty value means allow all protocols. The valid protocol names, (see -SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1". The -default value is "!SSLv2, !SSLv3" for Postfix releases after the -middle of 2015, "!SSLv2" for older releases.

+

TLS protocols that the Postfix SMTP client will use with mandatory +TLS encryption. In main.cf the values are separated by whitespace, +commas or colons. In the policy table "protocols" attribute (see +smtp_tls_policy_maps) the only valid separator is colon. An empty value +means allow all protocols.

-

With Postfix ≥ 2.5 the parameter syntax was expanded to support -protocol exclusions. One can explicitly exclude "SSLv2" by setting -"smtp_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and -"SSLv3" set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing -the protocols to include, rather than protocols to exclude, is -supported, but not recommended. The exclusion form more closely -matches the underlying OpenSSL interface semantics. -

+

The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

-

The range of protocols advertised by an SSL/TLS client must be -contiguous. When a protocol version is enabled, disabling any -higher version implicitly disables all versions above that higher version. -Thus, for example (assuming the OpenSSL library supports both SSLv2 -and SSLv3): -

+

As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set a lowest acceptable TLS protocol version +and/or a highest acceptable TLS protocol version. To set the lower +bound include an element of the form: ">=version" where +version is a either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

+ +

Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

+ +

Hexadecimal example (Postfix ≥ 3.6):

-smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtp_tls_mandatory_protocols = >=TLSv1.2, <=0305
+# Allow only TLS 1.2 and up:
+smtp_tls_mandatory_protocols = >=0x0303
-

also disables any protocols version higher than TLSv1 leaving -only "SSLv3" enabled.

-

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" -and "TLSv1.2". When Postfix ≤ 2.5 is linked against OpenSSL 1.0.1 -or later, these, or any other new protocol versions, cannot be -disabled except by also disabling "TLSv1" (typically leaving just -"SSLv3"). The latest patch levels of Postfix ≥ 2.6, and all -versions of Postfix ≥ 2.10 can explicitly disable support for -"TLSv1.1" or "TLSv1.2".

+

With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtp_tls_mandatory_protocols = !SSLv2, +!SSLv3". Listing the protocols to include, rather than protocols to +exclude, is supported, but not recommended. The exclusion syntax more +accurately matches the underlying OpenSSL interface.

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) -this can be disabled, if need be, via "!TLSv1.3".

+

When using the exclusion syntax, take care to ensure that the range +of protocols supported by the Postfixm SMTP client is contiguous. When +a protocol version is enabled, disabling any higher version implicitly +disables all versions above that higher version. Thus, for example:

-

At the dane and -dane-only security -levels, when usable TLSA records are obtained for the remote SMTP -server, the Postfix SMTP client is obligated to include the SNI TLS -extension in its SSL client hello message. This may help the remote -SMTP server live up to its promise to provide a certificate that -matches its TLSA records. Since TLS extensions require TLS 1.0 or -later, the Postfix SMTP client must disable "SSLv2" and "SSLv3" when -SNI is required. If you use "dane" or "dane-only" do not disable -TLSv1, except perhaps via the policy table for destinations which -you are sure will support "TLSv1.1" or "TLSv1.2".

+
+
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
+
+
+ +

also disables any protocols version higher than TLSv1.1 leaving +only "TLSv1" enabled.

+ +

Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

+ +

While the vast majority of SMTP servers with DANE TLSA records now +support at least TLS 1.2, a few still only support TLS 1.0. If you use +"dane" or "dane-only" it is best to not disable TLSv1, except perhaps +via the policy table for destinations which you are sure will support +"TLSv1.2".

See the documentation of the smtp_tls_policy_maps parameter and TLS_README for more information about security levels.

Example:

- 
-# Preferred syntax with Postfix ≥ 2.5:
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+# Preferred syntax with Postfix ≥ 3.6:
+smtp_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
 # Legacy syntax:
-smtp_tls_mandatory_protocols = TLSv1
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

This feature is available in Postfix 2.3 and later.

@@ -13240,54 +13258,81 @@ configurations in environments where DNS security is not assured.

smtp_tls_protocols -(default: !SSLv2, !SSLv3)
+(default: see postconf -d output)
-

List of TLS protocols that the Postfix SMTP client will exclude or -include with opportunistic TLS encryption. The default value is -"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015, -"!SSLv2" for older releases. Before Postfix 2.6, the Postfix SMTP -client would use all protocols with opportunistic TLS.

+

TLS protocols that the Postfix SMTP client will use with +opportunistic TLS encryption. In main.cf the values are separated by +whitespace, commas or colons. In the policy table "protocols" attribute +(see smtp_tls_policy_maps) the only valid separator is colon. An empty +value means allow all protocols.

-

In main.cf the values are separated by whitespace, commas or -colons. In the policy table (see smtp_tls_policy_maps) the only valid -separator is colon. An empty value means allow all protocols. The valid -protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" -and "TLSv1".

+

The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

-

The range of protocols advertised by an SSL/TLS client must be -contiguous. When a protocol version is enabled, disabling any -higher version implicitly disables all versions above that higher version. -Thus, for example (assuming the OpenSSL library supports both SSLv2 -and SSLv3): +

As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set the lowest acceptable TLS protocol +version and/or the highest acceptable TLS protocol version. To set the +lower bound include an element of the form: ">=version" where +version is a either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

+ +

Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

+ +

Hexadecimal example (Postfix ≥ 3.6):

+
+
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtp_tls_protocols = >=TLSv1, <=0305
+# Allow only TLS 1.0 and up:
+smtp_tls_protocols = >=0x0301
+
+
+ +

With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtp_tls_protocols = !SSLv2, !SSLv3". +Listing the protocols to include, rather than protocols to exclude, is +supported, but not recommended. The exclusion form more accurately +matches the underlying OpenSSL interface.

+ +

When using the exclusion syntax, take care to ensure that the range of +protocols advertised by an SSL/TLS client is contiguous. When a protocol +version is enabled, disabling any higher version implicitly disables all +versions above that higher version. Thus, for example: 

-smtp_tls_protocols = !SSLv2, !TLSv1
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1
-

also disables any protocols version higher than TLSv1 leaving -only "SSLv3" enabled.

+

also disables any protocols version higher than TLSv1.1 leaving +only "TLSv1" enabled.

-

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" -and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all -versions of Postfix ≥ 2.10 can explicitly disable support for -"TLSv1.1" or "TLSv1.2"

- -

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) -this can be disabled, if need be, via "!TLSv1.3".

- -

To include a protocol list its name, to exclude it, prefix the name -with a "!" character. To exclude SSLv2 for opportunistic TLS set -"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set -"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to -include, rather than protocols to exclude, is supported, but not -recommended. The exclusion form more closely matches the underlying -OpenSSL interface semantics.

+

Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

Example: 

-# TLSv1 or better:
+# Preferred syntax with Postfix ≥ 3.6:
+smtp_tls_protocols = >=TLSv1, <=TLSv1.3
+# Legacy syntax:
 smtp_tls_protocols = !SSLv2, !SSLv3
@@ -13479,12 +13524,13 @@ Examples: 
 # Opportunistic TLS.
 smtp_tls_security_level = may
-# Postfix ≥ 2.6:
 # Do not tweak opportunistic ciphers or protocol unless it is essential
 # to do so (if a security vulnerability is found in the SSL library that
 # can be mitigated by disabling a particular protocol or raising the
-# cipher grade from "export" to "low" or "medium").
-smtp_tls_ciphers = export
+# cipher grade).
+smtp_tls_ciphers = medium
+smtp_tls_protocols = >=TLSv1
+# Legacy (Postfix < 3.6) syntax:
 smtp_tls_protocols = !SSLv2, !SSLv3
@@ -13495,33 +13541,27 @@ Examples: 
-# Mandatory TLS verification of hostname or nexthop domain.
-smtp_tls_security_level = verify
-smtp_tls_mandatory_ciphers = high
-smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
-
- -
-# Secure channel TLS with exact nexthop name match.
+# Authenticated TLS 1.2 or better matching the nexthop domain or a
+# subdomain.
 smtp_tls_security_level = secure
-smtp_tls_mandatory_protocols = TLSv1
 smtp_tls_mandatory_ciphers = high
-smtp_tls_secure_cert_match = nexthop
+smtp_tls_mandatory_protocols = >=TLSv1.2
+smtp_tls_secure_cert_match = nexthop, dot-nexthop
 
 # Certificate fingerprint verification (Postfix ≥ 2.5).
 # The CA-less "fingerprint" security level only scales to a limited
 # number of destinations. As a global default rather than a per-site
-# setting, this is practical when mail for all recipients is sent
+# setting, this is practical only when mail for all recipients is sent
 # to a central mail hub.
 relayhost = [mailhub.example.com]
 smtp_tls_security_level = fingerprint
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_mandatory_protocols = >=TLSv1.2
 smtp_tls_mandatory_ciphers = high
 smtp_tls_fingerprint_cert_match =
-    3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
-    EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
+    3D:95:34:51:...:40:99:C0:C1
+    EC:3B:2D:B0:...:A3:9D:72:F6

This feature is available in Postfix 2.3 and later.

@@ -17639,43 +17679,69 @@ works in addition to the exclusions listed with smtpd_tls_mandatory_protocols -(default: !SSLv2, !SSLv3)
+(default: see "postconf -d" output)
-

The SSL/TLS protocols accepted by the Postfix SMTP server with -mandatory TLS encryption. If the list is empty, the server supports -all available SSL/TLS protocol versions. A non-empty value is a -list of protocol names separated by whitespace, commas or colons. -The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and -are not case sensitive. The default value is "!SSLv2, !SSLv3" for -Postfix releases after the middle of 2015, "!SSLv2" for older -releases.

+

TLS protocols accepted by the Postfix SMTP server with mandatory TLS +encryption. If the list is empty, the server supports all available TLS +protocol versions. A non-empty value is a list of protocol names to +include or exclude, separated by whitespace, commas or colons.

-

With Postfix ≥ 2.5 the parameter syntax was expanded to support -protocol exclusions. One can explicitly exclude "SSLv2" by setting -"smtpd_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and -"SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing -the protocols to include, rather than protocols to exclude, is -supported, but not recommended. The exclusion form more closely -matches the underlying OpenSSL interface semantics.

+

The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

-

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" -and "TLSv1.2". When Postfix ≤ 2.5 is linked against OpenSSL 1.0.1 -or later, these, or any other new protocol versions, cannot be -disabled. The latest patch levels of Postfix ≥ 2.6, and all -versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or -"TLSv1.2".

+

As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set the lowest acceptable TLS protocol +version and/or the highest acceptable TLS protocol version. To set the +lower bound include an element of the form: ">=version" where +version is a either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) -this can be disabled, if need be, via "!TLSv1.3".

+

Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

+ +

Hexadecimal example (Postfix ≥ 3.6):

+
+
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtpd_tls_mandatory_protocols = >=TLSv1.2, <=0305
+# Allow only TLS 1.2 and up:
+smtpd_tls_mandatory_protocols = >=0x0303
+
+
+ +

With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtpd_tls_mandatory_protocols = +!SSLv2, !SSLv3". Listing the protocols to include, rather than +protocols to exclude, is supported, but not recommended. The exclusion +form more accurately matches the underlying OpenSSL interface.

+ +

Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

Example: 

-# Preferred syntax with Postfix ≥ 2.5:
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+# Preferred syntax with Postfix ≥ 3.6:
+smtpd_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
 # Legacy syntax:
-smtpd_tls_mandatory_protocols = TLSv1
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

This feature is available in Postfix 2.3 and later.

@@ -17684,36 +17750,67 @@ this can be disabled, if need be, via "!TLSv1.3".

smtpd_tls_protocols -(default: !SSLv2, !SSLv3)
+(default: see postconf -d output)
-

List of TLS protocols that the Postfix SMTP server will exclude -or include with opportunistic TLS encryption. The default value is -"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015, -empty for older releases allowing all protocols to be -used with opportunistic TLS. A non-empty value is a list of protocol -names separated by whitespace, commas or colons. The supported -protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case -sensitive.

+

TLS protocols accepted by the Postfix SMTP server with opportunistic +TLS encryption. If the list is empty, the server supports all available +TLS protocol versions. A non-empty value is a list of protocol names to +include or exclude, separated by whitespace, commas or colons.

-

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" -and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all -versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or -"TLSv1.2".

+

The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) -this can be disabled, if need be, via "!TLSv1.3".

+

As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set the lowest acceptable TLS protocol +version and/or the highest acceptable TLS protocol version. To set the +lower bound include an element of the form: ">=version" where +version is a either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

-

To include a protocol list its name, to exclude it, prefix the name -with a "!" character. To exclude SSLv2 for opportunistic TLS set -"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set -"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to -include, rather than protocols to exclude, is supported, but not -recommended. The exclusion form more closely matches the underlying -OpenSSL interface semantics.

+

Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

+ +

Hexadecimal example (Postfix ≥ 3.6):

+
+
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtpd_tls_protocols = >=TLSv1, <=0305
+# Allow only TLS 1.0 and up:
+smtpd_tls_protocols = >=0x0301
+
+
+ +

With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtpd_tls_protocols = !SSLv2, !SSLv3". +Listing the protocols to include, rather than protocols to exclude, is +supported, but not recommended. The exclusion form more accurately +matches the underlying OpenSSL interface.

+ +

Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

Example: 

+# Preferred syntax with Postfix ≥ 3.6:
+smtpd_tls_protocols = >=TLSv1, <=TLSv1.3
+# Legacy syntax:
 smtpd_tls_protocols = !SSLv2, !SSLv3
diff --git a/postfix/html/posttls-finger.1.html b/postfix/html/posttls-finger.1.html index fd9d83baa..9d898d245 100644 --- a/postfix/html/posttls-finger.1.html +++ b/postfix/html/posttls-finger.1.html @@ -4,7 +4,7 @@ Postfix manual - posttls-finger(1) 
-POSTTLS-FINGER(1)           General Commands Manual          POSTTLS-FINGER(1)
+POSTTLS-FINGER(1)                                            POSTTLS-FINGER(1)
 
 NAME
        posttls-finger - Probe the TLS properties of an ESMTP or LMTP server.
@@ -255,9 +255,9 @@ POSTTLS-FINGER(1)           General Commands Manual          POSTTLS-FINGER(1)
               ing the values of TLS library  parameters,  or  "myhostname"  to
               configure the SMTP EHLO name sent to the remote server.
 
-       -p protocols (default: !SSLv2)
-              List  of  TLS  protocols  that  posttls-finger  will  exclude or
-              include.  See smtp_tls_mandatory_protocols for details.
+       -p protocols (default: >=TLSv1)
+              TLS  protocols that posttls-finger will exclude or include.  See
+              smtp_tls_mandatory_protocols for details.
 
        -P CApath/ (default: none)
               The OpenSSL CApath/  directory  (indexed  via  c_rehash(1))  for
@@ -288,31 +288,31 @@ POSTTLS-FINGER(1)           General Commands Manual          POSTTLS-FINGER(1)
               reading the remote server's 220 banner.
 
        -T timeout (default: 30)
-              The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and QUIT.
+              The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and  QUIT.
 
-       -v     Enable verbose Postfix  logging.   Specify  more  than  once  to
+       -v     Enable  verbose  Postfix  logging.   Specify  more  than once to
               increase the level of verbose logging.
 
-       -w     Enable  outgoing  TLS  wrapper  mode, or SMTPS support.  This is
-              typically provided on port 465 by servers  that  are  compatible
-              with  the  ad-hoc SMTP in SSL protocol, rather than the standard
+       -w     Enable outgoing TLS wrapper mode, or  SMTPS  support.   This  is
+              typically  provided  on  port 465 by servers that are compatible
+              with the ad-hoc SMTP in SSL protocol, rather than  the  standard
               STARTTLS protocol.  The destination domain:port should of course
               provide such a service.
 
-       -X     Enable  tlsproxy(8)  mode. This is an unsupported mode, for pro-
+       -X     Enable tlsproxy(8) mode. This is an unsupported mode,  for  pro-
               gram development only.
 
        [inet:]domain[:port]
               Connect via TCP to domain domain, port port. The default port is
-              smtp  (or 24 with LMTP).  With SMTP an MX lookup is performed to
-              resolve the domain to a host, unless the domain is  enclosed  in
-              [].   If you want to connect to a specific MX host, for instance
-              mx1.example.com, specify [mx1.example.com]  as  the  destination
+              smtp (or 24 with LMTP).  With SMTP an MX lookup is performed  to
+              resolve  the  domain to a host, unless the domain is enclosed in
+              [].  If you want to connect to a specific MX host, for  instance
+              mx1.example.com,  specify  [mx1.example.com]  as the destination
               and example.com as a match argument.  When using DNS, the desti-
-              nation domain is assumed fully qualified and no  default  domain
-              or  search  suffixes  are  applied; you must use fully-qualified
-              names or also enable native host lookups  (these  don't  support
-              dane  or dane-only as no DNSSEC validation information is avail-
+              nation  domain  is assumed fully qualified and no default domain
+              or search suffixes are applied;  you  must  use  fully-qualified
+              names  or  also  enable native host lookups (these don't support
+              dane or dane-only as no DNSSEC validation information is  avail-
               able via native lookups).
 
        unix:pathname
@@ -321,8 +321,8 @@ POSTTLS-FINGER(1)           General Commands Manual          POSTTLS-FINGER(1)
        match ...
               With no match arguments specified, certificate peername matching
               uses the compiled-in default strategies for each security level.
-              If you specify one or more arguments, these will be used as  the
-              list  of certificate or public-key digests to match for the fin-
+              If  you specify one or more arguments, these will be used as the
+              list of certificate or public-key digests to match for the  fin-
               gerprint level, or as the list of DNS names to match in the cer-
               tificate at the verify and secure levels.  If the security level
               is dane, or dane-only the match names are ignored, and hostname,
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index 3c20579ef..3da974ed7 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -508,9 +508,9 @@ SMTP(8)                                                                SMTP(8)
               policy by next-hop destination; when a non-empty value is speci-
               fied, this overrides the obsolete smtp_tls_per_site parameter.
 
-       smtp_tls_mandatory_protocols (!SSLv2, !SSLv3)
-              List of SSL/TLS protocols that the Postfix SMTP client will  use
-              with mandatory TLS encryption.
+       smtp_tls_mandatory_protocols (see 'postconf -d' output)
+              TLS protocols that the Postfix SMTP client will use with  manda-
+              tory TLS encryption.
 
        smtp_tls_scert_verifydepth (9)
               The verification depth for remote SMTP server certificates.
@@ -573,9 +573,9 @@ SMTP(8)                                                                SMTP(8)
 
        Available in Postfix version 2.6 and later:
 
-       smtp_tls_protocols (!SSLv2, !SSLv3)
-              List  of TLS protocols that the Postfix SMTP client will exclude
-              or include with opportunistic TLS encryption.
+       smtp_tls_protocols (see postconf -d output)
+              TLS  protocols that the Postfix SMTP client will use with oppor-
+              tunistic TLS encryption.
 
        smtp_tls_ciphers (medium)
               The minimum TLS cipher grade that the Postfix SMTP  client  will
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index 1258376b7..6a408c991 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -475,9 +475,9 @@ SMTPD(8)                                                              SMTPD(8)
               Postfix  SMTP  server cipher list at mandatory TLS security lev-
               els.
 
-       smtpd_tls_mandatory_protocols (!SSLv2, !SSLv3)
-              The SSL/TLS protocols accepted by the Postfix SMTP  server  with
-              mandatory TLS encryption.
+       smtpd_tls_mandatory_protocols (see 'postconf -d' output)
+              TLS protocols accepted by the Postfix SMTP server with mandatory
+              TLS encryption.
 
        smtpd_tls_received_header (no)
               Request that the Postfix SMTP server produces Received:  message
@@ -524,9 +524,9 @@ SMTPD(8)                                                              SMTPD(8)
 
        Available in Postfix version 2.6 and later:
 
-       smtpd_tls_protocols (!SSLv2, !SSLv3)
-              List  of TLS protocols that the Postfix SMTP server will exclude
-              or include with opportunistic TLS encryption.
+       smtpd_tls_protocols (see postconf -d output)
+              TLS  protocols  accepted  by the Postfix SMTP server with oppor-
+              tunistic TLS encryption.
 
        smtpd_tls_ciphers (medium)
               The minimum TLS cipher grade that the Postfix SMTP  server  will
diff --git a/postfix/man/man1/posttls-finger.1 b/postfix/man/man1/posttls-finger.1
index 93995eed6..699ff8d53 100644
--- a/postfix/man/man1/posttls-finger.1
+++ b/postfix/man/man1/posttls-finger.1
@@ -230,8 +230,8 @@ Specify zero or more times to override the value of the main.cf
 parameter \fIname\fR with \fIvalue\fR.  Possible use\-cases include
 overriding the values of TLS library parameters, or "myhostname" to
 configure the SMTP EHLO name sent to the remote server.
-.IP "\fB\-p \fIprotocols\fR (default: !SSLv2)"
-List of TLS protocols that posttls\-finger will exclude or include.  See
+.IP "\fB\-p \fIprotocols\fR (default: >=TLSv1)"
+TLS protocols that posttls\-finger will exclude or include.  See
 smtp_tls_mandatory_protocols for details.
 .IP "\fB\-P \fICApath/\fR (default: none)"
 The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 9f7e8a782..c4cd25ee0 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -3242,7 +3242,7 @@ The LMTP\-specific version of the smtp_tls_mandatory_exclude_ciphers
 configuration parameter.  See there for details.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH lmtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
+.SH lmtp_tls_mandatory_protocols (default: see postconf \-d output)
 The LMTP\-specific version of the smtp_tls_mandatory_protocols
 configuration parameter. See there for details.
 .PP
@@ -3262,7 +3262,7 @@ The LMTP\-specific version of the smtp_tls_policy_maps
 configuration parameter. See there for details.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH lmtp_tls_protocols (default: !SSLv2, !SSLv3)
+.SH lmtp_tls_protocols (default: see postconf \-d output)
 The LMTP\-specific version of the smtp_tls_protocols configuration
 parameter. See there for details.
 .PP
@@ -8373,78 +8373,102 @@ specified on a per\-destination basis via the TLS policy "exclude"
 attribute. See smtp_tls_policy_maps for notes and examples.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
-List of SSL/TLS protocols that the Postfix SMTP client will use with
-mandatory TLS encryption.  In main.cf the values are separated by
-whitespace, commas or colons. In the policy table "protocols" attribute
-(see smtp_tls_policy_maps) the only valid separator is colon. An
-empty value means allow all protocols. The valid protocol names, (see
-\\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1". The
-default value is "!SSLv2, !SSLv3" for Postfix releases after the
-middle of 2015, "!SSLv2" for older releases.
+.SH smtp_tls_mandatory_protocols (default: see "postconf \-d" output)
+TLS protocols that the Postfix SMTP client will use with mandatory
+TLS encryption.  In main.cf the values are separated by whitespace,
+commas or colons. In the policy table "protocols" attribute (see
+smtp_tls_policy_maps) the only valid separator is colon. An empty value
+means allow all protocols.
 .PP
-With Postfix >= 2.5 the parameter syntax was expanded to support
-protocol exclusions. One can explicitly exclude "SSLv2" by setting
-"smtp_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
-"SSLv3" set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
-the protocols to include, rather than protocols to exclude, is
-supported, but not recommended. The exclusion form more closely
-matches the underlying OpenSSL interface semantics.
+The valid protocol names (see \fBSSL_get_version\fR(3)) are "SSLv2",
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
+Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
+the lowest supported TLS protocol version (see below).  Older releases
+use the "!" exclusion syntax, also described below.
 .PP
-The range of protocols advertised by an SSL/TLS client must be
-contiguous.  When a protocol version is enabled, disabling any
-higher version implicitly disables all versions above that higher version.
-Thus, for example (assuming the OpenSSL library supports both SSLv2
-and SSLv3):
+As of Postfix 3.6, the preferred way to limit the range of
+acceptable protocols is to set a lowest acceptable TLS protocol version
+and/or a highest acceptable TLS protocol version.  To set the lower
+bound include an element of the form: ">=\fIversion\fR" where
+\fIversion\fR is a either one of the TLS protocol names listed above,
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "<=\fIversion\fR".  There must be no whitespace between
+the ">=" or "<=" symbols and the protocol name or number.
+.PP
+Hexadecimal protocol numbers make it possible to specify protocol
+bounds for TLS versions that are known to OpenSSL, but might not be
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version.
+.PP
+Hexadecimal example (Postfix >= 3.6):
 .sp
 .in +4
 .nf
 .na
 .ft C
-smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtp_tls_mandatory_protocols = >=TLSv1.2, <=0305
+# Allow only TLS 1.2 and up:
+smtp_tls_mandatory_protocols = >=0x0303
 .fi
 .ad
 .ft R
 .in -4
-also disables any protocols version higher than TLSv1 leaving
-only "SSLv3" enabled.
 .PP
-Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
-and "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1
-or later, these, or any other new protocol versions, cannot be
-disabled except by also disabling "TLSv1" (typically leaving just
-"SSLv3").  The latest patch levels of Postfix >= 2.6, and all
-versions of Postfix >= 2.10 can explicitly disable support for
-"TLSv1.1" or "TLSv1.2".
+With Postfix < 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "smtp_tls_mandatory_protocols = !SSLv2,
+!SSLv3". Listing the protocols to include, rather than protocols to
+exclude, is supported, but not recommended.  The exclusion syntax more
+accurately matches the underlying OpenSSL interface.
 .PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
->= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
-this can be disabled, if need be, via "!TLSv1.3".
+When using the exclusion syntax, take care to ensure that the range
+of protocols supported by the Postfixm SMTP client is contiguous.  When
+a protocol version is enabled, disabling any higher version implicitly
+disables all versions above that higher version.  Thus, for example:
+.sp
+.in +4
+.nf
+.na
+.ft C
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
+.fi
+.ad
+.ft R
+.in -4
 .PP
-At the dane and
-dane\-only security
-levels, when usable TLSA records are obtained for the remote SMTP
-server, the Postfix SMTP client is obligated to include the SNI TLS
-extension in its SSL client hello message.  This may help the remote
-SMTP server live up to its promise to provide a certificate that
-matches its TLSA records.  Since TLS extensions require TLS 1.0 or
-later, the Postfix SMTP client must disable "SSLv2" and "SSLv3" when
-SNI is required.  If you use "dane" or "dane\-only" do not disable
-TLSv1, except perhaps via the policy table for destinations which
-you are sure will support "TLSv1.1" or "TLSv1.2".
+also disables any protocols version higher than TLSv1.1 leaving
+only "TLSv1" enabled.
+.PP
+Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
+.PP
+While the vast majority of SMTP servers with DANE TLSA records now
+support at least TLS 1.2, a few still only support TLS 1.0.  If you use
+"dane" or "dane\-only" it is best to not disable TLSv1, except perhaps
+via the policy table for destinations which you are sure will support
+"TLSv1.2".
 .PP
 See the documentation of the smtp_tls_policy_maps parameter and
 TLS_README for more information about security levels.
 .PP
 Example:
-.PP
 .nf
 .na
 .ft C
-# Preferred syntax with Postfix >= 2.5:
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+# Preferred syntax with Postfix >= 3.6:
+smtp_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
 # Legacy syntax:
-smtp_tls_mandatory_protocols = TLSv1
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 .fi
 .ad
 .ft R
@@ -8716,59 +8740,91 @@ DNS forgery. Do not use the \fBhostname\fR strategy for secure\-channel
 configurations in environments where DNS security is not assured.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtp_tls_protocols (default: !SSLv2, !SSLv3)
-List of TLS protocols that the Postfix SMTP client will exclude or
-include with opportunistic TLS encryption. The default value is
-"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
-"!SSLv2" for older releases. Before Postfix 2.6, the Postfix SMTP
-client would use all protocols with opportunistic TLS.
+.SH smtp_tls_protocols (default: see postconf \-d output)
+TLS protocols that the Postfix SMTP client will use with
+opportunistic TLS encryption.  In main.cf the values are separated by
+whitespace, commas or colons. In the policy table "protocols" attribute
+(see smtp_tls_policy_maps) the only valid separator is colon.  An empty
+value means allow all protocols.
 .PP
-In main.cf the values are separated by whitespace, commas or
-colons. In the policy table (see smtp_tls_policy_maps) the only valid
-separator is colon. An empty value means allow all protocols. The valid
-protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3"
-and "TLSv1".
+The valid protocol names (see \fBSSL_get_version\fR(3)) are "SSLv2",
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
+Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
+the lowest supported TLS protocol version (see below).  Older releases
+use the "!" exclusion syntax, also described below.
 .PP
-The range of protocols advertised by an SSL/TLS client must be
-contiguous.  When a protocol version is enabled, disabling any
-higher version implicitly disables all versions above that higher version.
-Thus, for example (assuming the OpenSSL library supports both SSLv2
-and SSLv3):
+As of Postfix 3.6, the preferred way to limit the range of
+acceptable protocols is to set the lowest acceptable TLS protocol
+version and/or the highest acceptable TLS protocol version.  To set the
+lower bound include an element of the form: ">=\fIversion\fR" where
+\fIversion\fR is a either one of the TLS protocol names listed above,
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "<=\fIversion\fR".  There must be no whitespace between
+the ">=" or "<=" symbols and the protocol name or number.
+.PP
+Hexadecimal protocol numbers make it possible to specify protocol
+bounds for TLS versions that are known to OpenSSL, but might not be
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version.
+.PP
+Hexadecimal example (Postfix >= 3.6):
 .sp
 .in +4
 .nf
 .na
 .ft C
-smtp_tls_protocols = !SSLv2, !TLSv1
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtp_tls_protocols = >=TLSv1, <=0305
+# Allow only TLS 1.0 and up:
+smtp_tls_protocols = >=0x0301
 .fi
 .ad
 .ft R
 .in -4
-also disables any protocols version higher than TLSv1 leaving
-only "SSLv3" enabled.
 .PP
-Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
-and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
-versions of Postfix >= 2.10 can explicitly disable support for
-"TLSv1.1" or "TLSv1.2"
+With Postfix < 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "smtp_tls_protocols = !SSLv2, !SSLv3".
+Listing the protocols to include, rather than protocols to exclude, is
+supported, but not recommended.  The exclusion form more accurately
+matches the underlying OpenSSL interface.
 .PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
->= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
-this can be disabled, if need be, via "!TLSv1.3".
+When using the exclusion syntax, take care to ensure that the range of
+protocols advertised by an SSL/TLS client is contiguous.  When a protocol
+version is enabled, disabling any higher version implicitly disables all
+versions above that higher version.  Thus, for example:
+.sp
+.in +4
+.nf
+.na
+.ft C
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1
+.fi
+.ad
+.ft R
+.in -4
+also disables any protocols version higher than TLSv1.1 leaving
+only "TLSv1" enabled.
 .PP
-To include a protocol list its name, to exclude it, prefix the name
-with a "!" character. To exclude SSLv2 for opportunistic TLS set
-"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
-"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
-include, rather than protocols to exclude, is supported, but not
-recommended.  The exclusion form more closely matches the underlying
-OpenSSL interface semantics.
+Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
 .PP
 Example:
 .nf
 .na
 .ft C
-# TLSv1 or better:
+# Preferred syntax with Postfix >= 3.6:
+smtp_tls_protocols = >=TLSv1, <=TLSv1.3
+# Legacy syntax:
 smtp_tls_protocols = !SSLv2, !SSLv3
 .fi
 .ad
@@ -8947,12 +9003,13 @@ smtp_tls_security_level = none
 .ft C
 # Opportunistic TLS.
 smtp_tls_security_level = may
-# Postfix >= 2.6:
 # Do not tweak opportunistic ciphers or protocol unless it is essential
 # to do so (if a security vulnerability is found in the SSL library that
 # can be mitigated by disabling a particular protocol or raising the
-# cipher grade from "export" to "low" or "medium").
-smtp_tls_ciphers = export
+# cipher grade).
+smtp_tls_ciphers = medium
+smtp_tls_protocols = >=TLSv1
+# Legacy (Postfix < 3.6) syntax:
 smtp_tls_protocols = !SSLv2, !SSLv3
 .fi
 .ad
@@ -8971,22 +9028,12 @@ smtp_tls_mandatory_ciphers = high
 .nf
 .na
 .ft C
-# Mandatory TLS verification of hostname or nexthop domain.
-smtp_tls_security_level = verify
-smtp_tls_mandatory_ciphers = high
-smtp_tls_verify_cert_match = hostname, nexthop, dot\-nexthop
-.fi
-.ad
-.ft R
-.PP
-.nf
-.na
-.ft C
-# Secure channel TLS with exact nexthop name match.
+# Authenticated TLS 1.2 or better matching the nexthop domain or a
+# subdomain.
 smtp_tls_security_level = secure
-smtp_tls_mandatory_protocols = TLSv1
 smtp_tls_mandatory_ciphers = high
-smtp_tls_secure_cert_match = nexthop
+smtp_tls_mandatory_protocols = >=TLSv1.2
+smtp_tls_secure_cert_match = nexthop, dot\-nexthop
 .fi
 .ad
 .ft R
@@ -8997,15 +9044,15 @@ smtp_tls_secure_cert_match = nexthop
 # Certificate fingerprint verification (Postfix >= 2.5).
 # The CA\-less "fingerprint" security level only scales to a limited
 # number of destinations. As a global default rather than a per\-site
-# setting, this is practical when mail for all recipients is sent
+# setting, this is practical only when mail for all recipients is sent
 # to a central mail hub.
 relayhost = [mailhub.example.com]
 smtp_tls_security_level = fingerprint
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_mandatory_protocols = >=TLSv1.2
 smtp_tls_mandatory_ciphers = high
 smtp_tls_fingerprint_cert_match =
-    3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
-    EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
+    3D:95:34:51:...:40:99:C0:C1
+    EC:3B:2D:B0:...:A3:9D:72:F6
 .fi
 .ad
 .ft R
@@ -12280,80 +12327,147 @@ works in addition to the exclusions listed with smtpd_tls_exclude_ciphers
 (see there for syntax details).
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtpd_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
-The SSL/TLS protocols accepted by the Postfix SMTP server with
-mandatory TLS encryption. If the list is empty, the server supports
-all available SSL/TLS protocol versions.  A non\-empty value is a
-list of protocol names separated by whitespace, commas or colons.
-The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and
-are not case sensitive. The default value is "!SSLv2, !SSLv3" for
-Postfix releases after the middle of 2015, "!SSLv2" for older
-releases.
+.SH smtpd_tls_mandatory_protocols (default: see "postconf \-d" output)
+TLS protocols accepted by the Postfix SMTP server with mandatory TLS
+encryption.  If the list is empty, the server supports all available TLS
+protocol versions.  A non\-empty value is a list of protocol names to
+include or exclude, separated by whitespace, commas or colons.
 .PP
-With Postfix >= 2.5 the parameter syntax was expanded to support
-protocol exclusions. One can explicitly exclude "SSLv2" by setting
-"smtpd_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
-"SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
-the protocols to include, rather than protocols to exclude, is
-supported, but not recommended. The exclusion form more closely
-matches the underlying OpenSSL interface semantics.
+The valid protocol names (see \fBSSL_get_version\fR(3)) are "SSLv2",
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
+Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
+the lowest supported TLS protocol version (see below).  Older releases
+use the "!" exclusion syntax, also described below.
 .PP
-Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
-and "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1
-or later, these, or any other new protocol versions, cannot be
-disabled.  The latest patch levels of Postfix >= 2.6, and all
-versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
-"TLSv1.2".
+As of Postfix 3.6, the preferred way to limit the range of
+acceptable protocols is to set the lowest acceptable TLS protocol
+version and/or the highest acceptable TLS protocol version.  To set the
+lower bound include an element of the form: ">=\fIversion\fR" where
+\fIversion\fR is a either one of the TLS protocol names listed above,
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "<=\fIversion\fR".  There must be no whitespace between
+the ">=" or "<=" symbols and the protocol name or number.
 .PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
->= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
-this can be disabled, if need be, via "!TLSv1.3".
+Hexadecimal protocol numbers make it possible to specify protocol
+bounds for TLS versions that are known to OpenSSL, but might not be
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version.
+.PP
+Hexadecimal example (Postfix >= 3.6):
+.sp
+.in +4
+.nf
+.na
+.ft C
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtpd_tls_mandatory_protocols = >=TLSv1.2, <=0305
+# Allow only TLS 1.2 and up:
+smtpd_tls_mandatory_protocols = >=0x0303
+.fi
+.ad
+.ft R
+.in -4
+.PP
+With Postfix < 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "smtpd_tls_mandatory_protocols =
+!SSLv2, !SSLv3".  Listing the protocols to include, rather than
+protocols to exclude, is supported, but not recommended.  The exclusion
+form more accurately matches the underlying OpenSSL interface.
+.PP
+Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
 .PP
 Example:
 .PP
 .nf
 .na
 .ft C
-# Preferred syntax with Postfix >= 2.5:
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+# Preferred syntax with Postfix >= 3.6:
+smtpd_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
 # Legacy syntax:
-smtpd_tls_mandatory_protocols = TLSv1
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 .fi
 .ad
 .ft R
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtpd_tls_protocols (default: !SSLv2, !SSLv3)
-List of TLS protocols that the Postfix SMTP server will exclude
-or include with opportunistic TLS encryption. The default value is
-"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
-empty for older releases allowing all protocols to be
-used with opportunistic TLS.  A non\-empty value is a list of protocol
-names separated by whitespace, commas or colons.  The supported
-protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case
-sensitive.
+.SH smtpd_tls_protocols (default: see postconf \-d output)
+TLS protocols accepted by the Postfix SMTP server with opportunistic
+TLS encryption. If the list is empty, the server supports all available
+TLS protocol versions.  A non\-empty value is a list of protocol names to
+include or exclude, separated by whitespace, commas or colons.
 .PP
-Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
-and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
-versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
-"TLSv1.2".
+The valid protocol names (see \fBSSL_get_version\fR(3)) are "SSLv2",
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
+Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
+the lowest supported TLS protocol version (see below).  Older releases
+use the "!" exclusion syntax, also described below.
 .PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
->= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
-this can be disabled, if need be, via "!TLSv1.3".
+As of Postfix 3.6, the preferred way to limit the range of
+acceptable protocols is to set the lowest acceptable TLS protocol
+version and/or the highest acceptable TLS protocol version.  To set the
+lower bound include an element of the form: ">=\fIversion\fR" where
+\fIversion\fR is a either one of the TLS protocol names listed above,
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "<=\fIversion\fR".  There must be no whitespace between
+the ">=" or "<=" symbols and the protocol name or number.
 .PP
-To include a protocol list its name, to exclude it, prefix the name
-with a "!" character. To exclude SSLv2 for opportunistic TLS set
-"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
-"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
-include, rather than protocols to exclude, is supported, but not
-recommended.  The exclusion form more closely matches the underlying
-OpenSSL interface semantics.
+Hexadecimal protocol numbers make it possible to specify protocol
+bounds for TLS versions that are known to OpenSSL, but might not be
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version.
+.PP
+Hexadecimal example (Postfix >= 3.6):
+.sp
+.in +4
+.nf
+.na
+.ft C
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtpd_tls_protocols = >=TLSv1, <=0305
+# Allow only TLS 1.0 and up:
+smtpd_tls_protocols = >=0x0301
+.fi
+.ad
+.ft R
+.in -4
+.PP
+With Postfix < 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "smtpd_tls_protocols = !SSLv2, !SSLv3".
+Listing the protocols to include, rather than protocols to exclude, is
+supported, but not recommended.  The exclusion form more accurately
+matches the underlying OpenSSL interface.
+.PP
+Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
 .PP
 Example:
 .nf
 .na
 .ft C
+# Preferred syntax with Postfix >= 3.6:
+smtpd_tls_protocols = >=TLSv1, <=TLSv1.3
+# Legacy syntax:
 smtpd_tls_protocols = !SSLv2, !SSLv3
 .fi
 .ad
@@ -12845,7 +12959,7 @@ bug work\-arounds to disable.
 If the value of the parameter is a hexadecimal long integer starting
 with "0x", the bug work\-arounds corresponding to the bits specified in
 its value are removed from the \fBSSL_OP_ALL\fR work\-around bit\-mask
-(see openssl/ssl.h and SSL_CTX_\fBset_options\fR(3)). You can specify more
+(see openssl/ssl.h and \fBSSL_CTX_set_options\fR(3)). You can specify more
 bits than are present in SSL_OP_ALL, excess bits are ignored. Specifying
 0xFFFFFFFF disables all bug\-workarounds on a 32\-bit system. This should
 also be sufficient on 64\-bit systems, until OpenSSL abandons support
@@ -12863,17 +12977,17 @@ OpenSSL 1.0.0.
 .br
 .IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fR"
 See
-SSL_CTX_\fBset_options\fR(3)
+\fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBLEGACY_SERVER_CONNECT\fR"
-See SSL_CTX_\fBset_options\fR(3)
+See \fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBMICROSOFT_BIG_SSLV3_BUFFER\fR"
 See
-SSL_CTX_\fBset_options\fR(3)
+\fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBMICROSOFT_SESS_ID_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3)
+See \fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBMSIE_SSLV2_RSA_PADDING\fR"
 also aliased as
@@ -12882,7 +12996,7 @@ default with OpenSSL versions that may predate the fix. Fixed in
 OpenSSL 0.9.7h and OpenSSL 0.9.8a.
 .br
 .IP "\fBNETSCAPE_CHALLENGE_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3)
+See \fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR"
 also aliased
@@ -12892,25 +13006,25 @@ OpenSSL 0.9.8q and OpenSSL 1.0.0c.
 .br
 .IP "\fBSSLEAY_080_CLIENT_DH_BUG\fR"
 See
-SSL_CTX_\fBset_options\fR(3)
+\fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fR"
 See
-SSL_CTX_\fBset_options\fR(3)
+\fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBTLS_BLOCK_PADDING_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3)
+See \fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBTLS_D5_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3)
+See \fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBTLS_ROLLBACK_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3).
+See \fBSSL_CTX_set_options\fR(3).
 This is disabled in OpenSSL 0.9.7 and later. Nobody should still
 be using 0.9.6!
 .br
 .IP "\fBTLSEXT_PADDING\fR"
-Postfix >= 3.4. See SSL_CTX_\fBset_options\fR(3).
+Postfix >= 3.4. See \fBSSL_CTX_set_options\fR(3).
 .br
 .br
 .PP
@@ -13291,7 +13405,7 @@ solution.
 .PP
 If the value of the parameter is a hexadecimal long integer
 starting with "0x", the options corresponding to the bits specified
-in its value are enabled (see openssl/ssl.h and SSL_CTX_\fBset_options\fR(3)).
+in its value are enabled (see openssl/ssl.h and \fBSSL_CTX_set_options\fR(3)).
 You can only enable options not already controlled by other Postfix
 settings.  For example, you cannot disable protocols or enable
 server cipher preference.  Do not attempt to turn all features by
@@ -13301,16 +13415,16 @@ if/when they're no longer enabled by default.  The supported values
 include:
 .IP "\fBENABLE_MIDDLEBOX_COMPAT\fR"
 Postfix >= 3.4. See
-SSL_CTX_\fBset_options\fR(3).
+\fBSSL_CTX_set_options\fR(3).
 .br
 .IP "\fBLEGACY_SERVER_CONNECT\fR"
-See SSL_CTX_\fBset_options\fR(3).
+See \fBSSL_CTX_set_options\fR(3).
 .br
 .IP "\fBNO_TICKET\fR"
 Enabled by default when needed in
 fully\-patched Postfix >= 2.7.  Not needed at all for Postfix >=
 2.11, unless for some reason you do not want to support TLS session
-resumption.  Best not set explicitly.  See SSL_CTX_\fBset_options\fR(3).
+resumption.  Best not set explicitly.  See \fBSSL_CTX_set_options\fR(3).
 .br
 .IP "\fBNO_COMPRESSION\fR"
 Disable SSL compression even if
@@ -13320,14 +13434,14 @@ and compression before encryption does not always improve security.
 .IP "\fBNO_RENEGOTIATION\fR"
 Postfix >= 3.4.  This can
 reduce opportunities for a potential CPU exhaustion attack.  See
-SSL_CTX_\fBset_options\fR(3).
+\fBSSL_CTX_set_options\fR(3).
 .br
 .IP "\fBNO_SESSION_RESUMPTION_ON_RENEGOTIATION\fR"
 Postfix
->= 3.4. See SSL_CTX_\fBset_options\fR(3).
+>= 3.4. See \fBSSL_CTX_set_options\fR(3).
 .br
 .IP "\fBPRIORITIZE_CHACHA\fR"
-Postfix >= 3.4. See SSL_CTX_\fBset_options\fR(3).
+Postfix >= 3.4. See \fBSSL_CTX_set_options\fR(3).
 .br
 .br
 .PP
diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8
index 697f0f653..6f72db307 100644
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@@ -482,9 +482,9 @@ when TLS is not already enabled for that server.
 Optional lookup tables with the Postfix SMTP client TLS security
 policy by next\-hop destination; when a non\-empty value is specified,
 this overrides the obsolete smtp_tls_per_site parameter.
-.IP "\fBsmtp_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR"
-List of SSL/TLS protocols that the Postfix SMTP client will use with
-mandatory TLS encryption.
+.IP "\fBsmtp_tls_mandatory_protocols (see 'postconf -d' output)\fR"
+TLS protocols that the Postfix SMTP client will use with mandatory
+TLS encryption.
 .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
 The verification depth for remote SMTP server certificates.
 .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot\-nexthop)\fR"
@@ -532,9 +532,9 @@ The message digest algorithm used to construct remote SMTP server
 certificate fingerprints.
 .PP
 Available in Postfix version 2.6 and later:
-.IP "\fBsmtp_tls_protocols (!SSLv2, !SSLv3)\fR"
-List of TLS protocols that the Postfix SMTP client will exclude or
-include with opportunistic TLS encryption.
+.IP "\fBsmtp_tls_protocols (see postconf -d output)\fR"
+TLS protocols that the Postfix SMTP client will use with
+opportunistic TLS encryption.
 .IP "\fBsmtp_tls_ciphers (medium)\fR"
 The minimum TLS cipher grade that the Postfix SMTP client
 will use with opportunistic TLS encryption.
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index b646af00e..868621847 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -439,9 +439,9 @@ use with mandatory TLS encryption.
 .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
 Additional list of ciphers or cipher types to exclude from the
 Postfix SMTP server cipher list at mandatory TLS security levels.
-.IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR"
-The SSL/TLS protocols accepted by the Postfix SMTP server with
-mandatory TLS encryption.
+.IP "\fBsmtpd_tls_mandatory_protocols (see 'postconf -d' output)\fR"
+TLS protocols accepted by the Postfix SMTP server with mandatory TLS
+encryption.
 .IP "\fBsmtpd_tls_received_header (no)\fR"
 Request that the Postfix SMTP server produces Received:  message
 headers that include information about the protocol and cipher used,
@@ -476,9 +476,9 @@ fingerprints or public key fingerprints (Postfix 2.9 and later) for
 \fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR.
 .PP
 Available in Postfix version 2.6 and later:
-.IP "\fBsmtpd_tls_protocols (!SSLv2, !SSLv3)\fR"
-List of TLS protocols that the Postfix SMTP server will exclude
-or include with opportunistic TLS encryption.
+.IP "\fBsmtpd_tls_protocols (see postconf -d output)\fR"
+TLS protocols accepted by the Postfix SMTP server with opportunistic
+TLS encryption.
 .IP "\fBsmtpd_tls_ciphers (medium)\fR"
 The minimum TLS cipher grade that the Postfix SMTP server
 will use with opportunistic TLS encryption.
diff --git a/postfix/mantools/postconf2man b/postfix/mantools/postconf2man
index c9aff6d89..f4bc6fa6f 100755
--- a/postfix/mantools/postconf2man
+++ b/postfix/mantools/postconf2man
@@ -88,7 +88,7 @@ while(<>) {
     $block =~ s/\s+\n/\n/g;
     $block =~ s/^\n//g;
     $block =~ s/\s*<\s*nroffescape\s+([^ >]+)\s*>\s*/\n\1\n/g;
-    $block =~ s/([a-z][_a-zA-Z0-9-]*)(\([0-9]\))/\\fB\1\\fR\2/g;
+    $block =~ s/([A-Za-z][_a-zA-Z0-9-]*)(\([0-9]\))/\\fB\1\\fR\2/g;
     print $block;
     $wantpp = !($block =~ /^\.(SH|IP)/);
 }
diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html
index 79732e904..6acde1fed 100644
--- a/postfix/proto/TLS_README.html
+++ b/postfix/proto/TLS_README.html
@@ -179,10 +179,10 @@ configurations will not accidentally enable TLS without certificates.  

 
 
 Note that server certificates are not optional in TLS 1.3. To
 run without certificates you'd have to disable the TLS 1.3 protocol by
-including '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also
-"smtpd_tls_mandatory_protocols".  It is simpler instead to just
-configure a certificate chain.  Certificate-less operation is not
-recommended. 

+including "<=TLSv1.2" (or, for Postfix < 3.6, "!TLSv1.3") in
+"smtpd_tls_protocols" and perhaps also "smtpd_tls_mandatory_protocols".
+It is simpler instead to just configure a certificate chain.
+Certificate-less operation is not recommended. 

 
 
 RSA, DSA and ECDSA (Postfix ≥ 2.6) certificates are supported.
 Most sites only have RSA certificates.  You can configure all three
@@ -891,7 +891,7 @@ after the middle of 2015; older releases only disable SSLv2 for
 mandatory TLS. The mandatory TLS protocol list is specified via the
 smtpd_tls_mandatory_protocols configuration parameter.  The
 smtpd_tls_protocols parameter (Postfix ≥ 2.6)
-controls the SSL/TLS protocols used with opportunistic TLS. 

+controls the TLS protocols used with opportunistic TLS. 

 
 
 Note that the OpenSSL library only supports protocol exclusion
 (not inclusion). For this reason, Postfix can exclude only protocols
@@ -909,8 +909,8 @@ that TLSv1.3 be explicitly disabled. Therefore, they are not
 recommended, it is better and simpler to just configure a suitable
 certificate. 

 
-
 Example, MSA that requires TLSv1 or higher, not SSLv2 or SSLv3,
-with high grade ciphers: 

+
 Example, MSA that requires TLSv1.2 or higher, with high grade
+ciphers: 

 
 

 
@@ -920,10 +920,10 @@ with high grade ciphers: 

     smtpd_tls_mandatory_ciphers = high
     smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
     smtpd_tls_security_level = encrypt
-    # Preferred syntax with Postfix ≥ 2.5:
-    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+    # Preferred syntax with Postfix ≥ 3.6:
+    smtpd_tls_mandatory_protocols = >=TLSv1.2
     # Legacy syntax:
-    smtpd_tls_mandatory_protocols = TLSv1
+    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 

 

 
@@ -1263,9 +1263,10 @@ just in case the transport table entries are not specified consistently. 

     submission      587/tcp         msa             # mail message submission
 
 /etc/postfix/tls_policy:
-    [example.net]:587 encrypt protocols=TLSv1 ciphers=high
-    [example.net]:msa encrypt protocols=TLSv1 ciphers=high
-    [example.net]:submission encrypt protocols=TLSv1 ciphers=high
+    # Postfix ≥ 3.6 "protocols" syntax
+    [example.net]:587 encrypt protocols=>=TLSv1.2 ciphers=high
+    # Legacy "protocols" syntax
+    [example.net]:msa encrypt protocols=!SSLv2:!SSLv3 ciphers=high
@@ -2398,8 +2399,10 @@ Example: [thumb.example.org] fingerprint match=b6:b4:72:34:e2:59:cd:fb:...:0d:4d:cc:2c:7d:84:de:e6:2f match=51:e9:af:2e:1e:40:1f:de:...:35:2d:09:16:31:5a:eb:82:76 - # Postfix 2.6 and later - example.info may protocols=!SSLv2 ciphers=medium exclude=3DES + # Postfix ≥ 3.6 "protocols" syntax + example.info may protocols=>=TLSv1 ciphers=medium exclude=3DES + # Legacy protocols syntax + example.info may protocols=!SSLv2:!SSLv3 ciphers=medium exclude=3DES @@ -2494,7 +2497,7 @@ SMTP client will by default disable SSLv2 and SSLv3. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls -the SSL/TLS protocols used with opportunistic TLS.

+the TLS protocols used with opportunistic TLS.

Example:

@@ -2504,13 +2507,13 @@ the SSL/TLS protocols used with opportunistic TLS.

smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL - # Preferred form with Postfix ≥ 2.5: - smtp_tls_mandatory_protocols = !SSLv2 - # Legacy form for Postfix < 2.5: - smtp_tls_mandatory_protocols = SSLv3, TLSv1 - # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = medium - smtp_tls_protocols = !SSLv2 + # Preferred form with Postfix ≥ 3.6: + smtp_tls_mandatory_protocols = >=TLSv1.2 + smtp_tls_protocols = >=TLSv1 + # Legacy form for Postfix < 3.6: + smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 + smtp_tls_protocols = !SSLv2,!SSLv3 diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index bf814ce5f..7d9accaf2 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -11299,74 +11299,92 @@ configurations in environments where DNS security is not assured.

This feature is available in Postfix 2.3 and later.

-%PARAM smtp_tls_mandatory_protocols !SSLv2, !SSLv3 +%PARAM smtp_tls_mandatory_protocols see "postconf -d" output -

List of SSL/TLS protocols that the Postfix SMTP client will use with -mandatory TLS encryption. In main.cf the values are separated by -whitespace, commas or colons. In the policy table "protocols" attribute -(see smtp_tls_policy_maps) the only valid separator is colon. An -empty value means allow all protocols. The valid protocol names, (see -SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1". The -default value is "!SSLv2, !SSLv3" for Postfix releases after the -middle of 2015, "!SSLv2" for older releases.

+

TLS protocols that the Postfix SMTP client will use with mandatory +TLS encryption. In main.cf the values are separated by whitespace, +commas or colons. In the policy table "protocols" attribute (see +smtp_tls_policy_maps) the only valid separator is colon. An empty value +means allow all protocols.

-

With Postfix ≥ 2.5 the parameter syntax was expanded to support -protocol exclusions. One can explicitly exclude "SSLv2" by setting -"smtp_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and -"SSLv3" set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing -the protocols to include, rather than protocols to exclude, is -supported, but not recommended. The exclusion form more closely -matches the underlying OpenSSL interface semantics. -

+

The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

-

The range of protocols advertised by an SSL/TLS client must be -contiguous. When a protocol version is enabled, disabling any -higher version implicitly disables all versions above that higher version. -Thus, for example (assuming the OpenSSL library supports both SSLv2 -and SSLv3): -

+

As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set a lowest acceptable TLS protocol version +and/or a highest acceptable TLS protocol version. To set the lower +bound include an element of the form: ">=version" where +version is a either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

+ +

Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

+ +

Hexadecimal example (Postfix ≥ 3.6):

-smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtp_tls_mandatory_protocols = >=TLSv1.2, <=0305
+# Allow only TLS 1.2 and up:
+smtp_tls_mandatory_protocols = >=0x0303
-

also disables any protocols version higher than TLSv1 leaving -only "SSLv3" enabled.

-

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" -and "TLSv1.2". When Postfix ≤ 2.5 is linked against OpenSSL 1.0.1 -or later, these, or any other new protocol versions, cannot be -disabled except by also disabling "TLSv1" (typically leaving just -"SSLv3"). The latest patch levels of Postfix ≥ 2.6, and all -versions of Postfix ≥ 2.10 can explicitly disable support for -"TLSv1.1" or "TLSv1.2".

+

With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtp_tls_mandatory_protocols = !SSLv2, +!SSLv3". Listing the protocols to include, rather than protocols to +exclude, is supported, but not recommended. The exclusion syntax more +accurately matches the underlying OpenSSL interface.

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) -this can be disabled, if need be, via "!TLSv1.3".

+

When using the exclusion syntax, take care to ensure that the range +of protocols supported by the Postfix SMTP client is contiguous. When +a protocol version is enabled, disabling any higher version implicitly +disables all versions above that higher version. Thus, for example:

-

At the dane and -dane-only security -levels, when usable TLSA records are obtained for the remote SMTP -server, the Postfix SMTP client is obligated to include the SNI TLS -extension in its SSL client hello message. This may help the remote -SMTP server live up to its promise to provide a certificate that -matches its TLSA records. Since TLS extensions require TLS 1.0 or -later, the Postfix SMTP client must disable "SSLv2" and "SSLv3" when -SNI is required. If you use "dane" or "dane-only" do not disable -TLSv1, except perhaps via the policy table for destinations which -you are sure will support "TLSv1.1" or "TLSv1.2".

+
+
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
+
+
+ +

also disables any protocols version higher than TLSv1.1 leaving +only "TLSv1" enabled.

+ +

Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

+ +

While the vast majority of SMTP servers with DANE TLSA records now +support at least TLS 1.2, a few still only support TLS 1.0. If you use +"dane" or "dane-only" it is best to not disable TLSv1, except perhaps +via the policy table for destinations which you are sure will support +"TLSv1.2".

See the documentation of the smtp_tls_policy_maps parameter and TLS_README for more information about security levels.

Example:

- 
-# Preferred syntax with Postfix ≥ 2.5:
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+# Preferred syntax with Postfix ≥ 3.6:
+smtp_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
 # Legacy syntax:
-smtp_tls_mandatory_protocols = TLSv1
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

This feature is available in Postfix 2.3 and later.

@@ -11495,7 +11513,7 @@ configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

-%PARAM lmtp_tls_mandatory_protocols !SSLv2, !SSLv3 +%PARAM lmtp_tls_mandatory_protocols see postconf -d output

The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.

@@ -11516,43 +11534,69 @@ configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

-%PARAM smtpd_tls_mandatory_protocols !SSLv2, !SSLv3 +%PARAM smtpd_tls_mandatory_protocols see "postconf -d" output -

The SSL/TLS protocols accepted by the Postfix SMTP server with -mandatory TLS encryption. If the list is empty, the server supports -all available SSL/TLS protocol versions. A non-empty value is a -list of protocol names separated by whitespace, commas or colons. -The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and -are not case sensitive. The default value is "!SSLv2, !SSLv3" for -Postfix releases after the middle of 2015, "!SSLv2" for older -releases.

+

TLS protocols accepted by the Postfix SMTP server with mandatory TLS +encryption. If the list is empty, the server supports all available TLS +protocol versions. A non-empty value is a list of protocol names to +include or exclude, separated by whitespace, commas or colons.

-

With Postfix ≥ 2.5 the parameter syntax was expanded to support -protocol exclusions. One can explicitly exclude "SSLv2" by setting -"smtpd_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and -"SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing -the protocols to include, rather than protocols to exclude, is -supported, but not recommended. The exclusion form more closely -matches the underlying OpenSSL interface semantics.

+

The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

-

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" -and "TLSv1.2". When Postfix ≤ 2.5 is linked against OpenSSL 1.0.1 -or later, these, or any other new protocol versions, cannot be -disabled. The latest patch levels of Postfix ≥ 2.6, and all -versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or -"TLSv1.2".

+

As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set the lowest acceptable TLS protocol +version and/or the highest acceptable TLS protocol version. To set the +lower bound include an element of the form: ">=version" where +version is a either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) -this can be disabled, if need be, via "!TLSv1.3".

+

Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

+ +

Hexadecimal example (Postfix ≥ 3.6):

+
+
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtpd_tls_mandatory_protocols = >=TLSv1.2, <=0305
+# Allow only TLS 1.2 and up:
+smtpd_tls_mandatory_protocols = >=0x0303
+
+
+ +

With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtpd_tls_mandatory_protocols = +!SSLv2, !SSLv3". Listing the protocols to include, rather than +protocols to exclude, is supported, but not recommended. The exclusion +form more accurately matches the underlying OpenSSL interface.

+ +

Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

Example: 

-# Preferred syntax with Postfix ≥ 2.5:
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+# Preferred syntax with Postfix ≥ 3.6:
+smtpd_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
 # Legacy syntax:
-smtpd_tls_mandatory_protocols = TLSv1
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

This feature is available in Postfix 2.3 and later.

@@ -11674,12 +11718,13 @@ smtp_tls_security_level = none 
 # Opportunistic TLS.
 smtp_tls_security_level = may
-# Postfix ≥ 2.6:
 # Do not tweak opportunistic ciphers or protocol unless it is essential
 # to do so (if a security vulnerability is found in the SSL library that
 # can be mitigated by disabling a particular protocol or raising the
-# cipher grade from "export" to "low" or "medium").
-smtp_tls_ciphers = export
+# cipher grade).
+smtp_tls_ciphers = medium
+smtp_tls_protocols = >=TLSv1
+# Legacy (Postfix < 3.6) syntax:
 smtp_tls_protocols = !SSLv2, !SSLv3
@@ -11690,33 +11735,27 @@ smtp_tls_mandatory_ciphers = high 
-# Mandatory TLS verification of hostname or nexthop domain.
-smtp_tls_security_level = verify
-smtp_tls_mandatory_ciphers = high
-smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
-
- -
-# Secure channel TLS with exact nexthop name match.
+# Authenticated TLS 1.2 or better matching the nexthop domain or a
+# subdomain.
 smtp_tls_security_level = secure
-smtp_tls_mandatory_protocols = TLSv1
 smtp_tls_mandatory_ciphers = high
-smtp_tls_secure_cert_match = nexthop
+smtp_tls_mandatory_protocols = >=TLSv1.2
+smtp_tls_secure_cert_match = nexthop, dot-nexthop
 
 # Certificate fingerprint verification (Postfix ≥ 2.5).
 # The CA-less "fingerprint" security level only scales to a limited
 # number of destinations. As a global default rather than a per-site
-# setting, this is practical when mail for all recipients is sent
+# setting, this is practical only when mail for all recipients is sent
 # to a central mail hub.
 relayhost = [mailhub.example.com]
 smtp_tls_security_level = fingerprint
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_mandatory_protocols = >=TLSv1.2
 smtp_tls_mandatory_ciphers = high
 smtp_tls_fingerprint_cert_match = 
-    3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
-    EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
+    3D:95:34:51:...:40:99:C0:C1
+    EC:3B:2D:B0:...:A3:9D:72:F6

This feature is available in Postfix 2.3 and later.

@@ -12640,95 +12679,153 @@ the hostname and IP address. The logging format is "host[address]:port".

This feature is available in Postfix 2.5 and later.

-%PARAM smtp_tls_protocols !SSLv2, !SSLv3 +%PARAM smtp_tls_protocols see postconf -d output -

List of TLS protocols that the Postfix SMTP client will exclude or -include with opportunistic TLS encryption. The default value is -"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015, -"!SSLv2" for older releases. Before Postfix 2.6, the Postfix SMTP -client would use all protocols with opportunistic TLS.

+

TLS protocols that the Postfix SMTP client will use with +opportunistic TLS encryption. In main.cf the values are separated by +whitespace, commas or colons. In the policy table "protocols" attribute +(see smtp_tls_policy_maps) the only valid separator is colon. An empty +value means allow all protocols.

-

In main.cf the values are separated by whitespace, commas or -colons. In the policy table (see smtp_tls_policy_maps) the only valid -separator is colon. An empty value means allow all protocols. The valid -protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" -and "TLSv1".

+

The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

-

The range of protocols advertised by an SSL/TLS client must be -contiguous. When a protocol version is enabled, disabling any -higher version implicitly disables all versions above that higher version. -Thus, for example (assuming the OpenSSL library supports both SSLv2 -and SSLv3): +

As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set the lowest acceptable TLS protocol +version and/or the highest acceptable TLS protocol version. To set the +lower bound include an element of the form: ">=version" where +version is a either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

+ +

Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

+ +

Hexadecimal example (Postfix ≥ 3.6):

+
+
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtp_tls_protocols = >=TLSv1, <=0305
+# Allow only TLS 1.0 and up:
+smtp_tls_protocols = >=0x0301
+
+
+ +

With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtp_tls_protocols = !SSLv2, !SSLv3". +Listing the protocols to include, rather than protocols to exclude, is +supported, but not recommended. The exclusion form more accurately +matches the underlying OpenSSL interface.

+ +

When using the exclusion syntax, take care to ensure that the range of +protocols advertised by an SSL/TLS client is contiguous. When a protocol +version is enabled, disabling any higher version implicitly disables all +versions above that higher version. Thus, for example: 

-smtp_tls_protocols = !SSLv2, !TLSv1
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1
-

also disables any protocols version higher than TLSv1 leaving -only "SSLv3" enabled.

+

also disables any protocols version higher than TLSv1.1 leaving +only "TLSv1" enabled.

-

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" -and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all -versions of Postfix ≥ 2.10 can explicitly disable support for -"TLSv1.1" or "TLSv1.2"

- -

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) -this can be disabled, if need be, via "!TLSv1.3".

- -

To include a protocol list its name, to exclude it, prefix the name -with a "!" character. To exclude SSLv2 for opportunistic TLS set -"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set -"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to -include, rather than protocols to exclude, is supported, but not -recommended. The exclusion form more closely matches the underlying -OpenSSL interface semantics.

+

Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

Example: 

-# TLSv1 or better:
+# Preferred syntax with Postfix ≥ 3.6:
+smtp_tls_protocols = >=TLSv1, <=TLSv1.3
+# Legacy syntax:
 smtp_tls_protocols = !SSLv2, !SSLv3

This feature is available in Postfix 2.6 and later.

-%PARAM smtpd_tls_protocols !SSLv2, !SSLv3 +%PARAM smtpd_tls_protocols see postconf -d output -

List of TLS protocols that the Postfix SMTP server will exclude -or include with opportunistic TLS encryption. The default value is -"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015, -empty for older releases allowing all protocols to be -used with opportunistic TLS. A non-empty value is a list of protocol -names separated by whitespace, commas or colons. The supported -protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case -sensitive.

+

TLS protocols accepted by the Postfix SMTP server with opportunistic +TLS encryption. If the list is empty, the server supports all available +TLS protocol versions. A non-empty value is a list of protocol names to +include or exclude, separated by whitespace, commas or colons.

-

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" -and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all -versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or -"TLSv1.2".

+

The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) -this can be disabled, if need be, via "!TLSv1.3".

+

As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set the lowest acceptable TLS protocol +version and/or the highest acceptable TLS protocol version. To set the +lower bound include an element of the form: ">=version" where +version is a either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

-

To include a protocol list its name, to exclude it, prefix the name -with a "!" character. To exclude SSLv2 for opportunistic TLS set -"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set -"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to -include, rather than protocols to exclude, is supported, but not -recommended. The exclusion form more closely matches the underlying -OpenSSL interface semantics.

+

Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

+ +

Hexadecimal example (Postfix ≥ 3.6):

+
+
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtpd_tls_protocols = >=TLSv1, <=0305
+# Allow only TLS 1.0 and up:
+smtpd_tls_protocols = >=0x0301
+
+
+ +

With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtpd_tls_protocols = !SSLv2, !SSLv3". +Listing the protocols to include, rather than protocols to exclude, is +supported, but not recommended. The exclusion form more accurately +matches the underlying OpenSSL interface.

+ +

Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

Example: 

+# Preferred syntax with Postfix ≥ 3.6:
+smtpd_tls_protocols = >=TLSv1, <=TLSv1.3
+# Legacy syntax:
 smtpd_tls_protocols = !SSLv2, !SSLv3

This feature is available in Postfix 2.6 and later.

-%PARAM lmtp_tls_protocols !SSLv2, !SSLv3 +%PARAM lmtp_tls_protocols see postconf -d output

The LMTP-specific version of the smtp_tls_protocols configuration parameter. See there for details.

@@ -12874,7 +12971,7 @@ EC algorithms have not been disabled by the vendor.

The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of -this parameter is always ignored, and Postfix behaves as though th +this parameter is always ignored, and Postfix behaves as though the auto value (described below) was chosen.

diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 65906f187..21e2fd981 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -1336,11 +1336,11 @@ extern char *var_smtpd_tls_CAfile; extern char *var_smtpd_tls_CApath; #define VAR_SMTPD_TLS_PROTO "smtpd_tls_protocols" -#define DEF_SMTPD_TLS_PROTO "!SSLv2, !SSLv3" +#define DEF_SMTPD_TLS_PROTO ">=TLSv1" extern char *var_smtpd_tls_proto; #define VAR_SMTPD_TLS_MAND_PROTO "smtpd_tls_mandatory_protocols" -#define DEF_SMTPD_TLS_MAND_PROTO "!SSLv2, !SSLv3" +#define DEF_SMTPD_TLS_MAND_PROTO ">=TLSv1" extern char *var_smtpd_tls_mand_proto; #define VAR_SMTPD_TLS_CIPH "smtpd_tls_ciphers" @@ -1571,15 +1571,15 @@ extern int var_lmtp_tls_scache_timeout; extern char *var_smtp_tls_policy; #define VAR_SMTP_TLS_PROTO "smtp_tls_protocols" -#define DEF_SMTP_TLS_PROTO "!SSLv2, !SSLv3" +#define DEF_SMTP_TLS_PROTO ">=TLSv1" #define VAR_LMTP_TLS_PROTO "lmtp_tls_protocols" -#define DEF_LMTP_TLS_PROTO "!SSLv2, !SSLv3" +#define DEF_LMTP_TLS_PROTO ">=TLSv1" extern char *var_smtp_tls_proto; #define VAR_SMTP_TLS_MAND_PROTO "smtp_tls_mandatory_protocols" -#define DEF_SMTP_TLS_MAND_PROTO "!SSLv2, !SSLv3" +#define DEF_SMTP_TLS_MAND_PROTO ">=TLSv1" #define VAR_LMTP_TLS_MAND_PROTO "lmtp_tls_mandatory_protocols" -#define DEF_LMTP_TLS_MAND_PROTO "!SSLv2, !SSLv3" +#define DEF_LMTP_TLS_MAND_PROTO ">=TLSv1" extern char *var_smtp_tls_mand_proto; #define VAR_SMTP_TLS_VFY_CMATCH "smtp_tls_verify_cert_match" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 5fc6402a3..b5d6870c5 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200720" +#define MAIL_RELEASE_DATE "20200725" #define MAIL_VERSION_NUMBER "3.6" #ifdef SNAPSHOT diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c index aa859cb28..c8d4cc46b 100644 --- a/postfix/src/posttls-finger/posttls-finger.c +++ b/postfix/src/posttls-finger/posttls-finger.c @@ -224,8 +224,8 @@ /* parameter \fIname\fR with \fIvalue\fR. Possible use-cases include /* overriding the values of TLS library parameters, or "myhostname" to /* configure the SMTP EHLO name sent to the remote server. -/* .IP "\fB-p \fIprotocols\fR (default: !SSLv2)" -/* List of TLS protocols that posttls-finger will exclude or include. See +/* .IP "\fB-p \fIprotocols\fR (default: >=TLSv1)" +/* TLS protocols that posttls-finger will exclude or include. See /* smtp_tls_mandatory_protocols for details. /* .IP "\fB-P \fICApath/\fR (default: none)" /* The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote @@ -1806,7 +1806,7 @@ static void parse_options(STATE *state, int argc, char *argv[]) state->max_reconnect = 5; state->wrapper_mode = 0; #ifdef USE_TLS - state->protocols = mystrdup("!SSLv2"); + state->protocols = mystrdup(">=TLSv1"); state->grade = mystrdup("medium"); #endif memset((void *) &state->options, 0, sizeof(state->options)); diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 906ef9f25..ecab89f8d 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -448,9 +448,9 @@ /* Optional lookup tables with the Postfix SMTP client TLS security /* policy by next-hop destination; when a non-empty value is specified, /* this overrides the obsolete smtp_tls_per_site parameter. -/* .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR" -/* List of SSL/TLS protocols that the Postfix SMTP client will use with -/* mandatory TLS encryption. +/* .IP "\fBsmtp_tls_mandatory_protocols (see 'postconf -d' output)\fR" +/* TLS protocols that the Postfix SMTP client will use with mandatory +/* TLS encryption. /* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR" /* The verification depth for remote SMTP server certificates. /* .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot-nexthop)\fR" @@ -498,9 +498,9 @@ /* certificate fingerprints. /* .PP /* Available in Postfix version 2.6 and later: -/* .IP "\fBsmtp_tls_protocols (!SSLv2, !SSLv3)\fR" -/* List of TLS protocols that the Postfix SMTP client will exclude or -/* include with opportunistic TLS encryption. +/* .IP "\fBsmtp_tls_protocols (see postconf -d output)\fR" +/* TLS protocols that the Postfix SMTP client will use with +/* opportunistic TLS encryption. /* .IP "\fBsmtp_tls_ciphers (medium)\fR" /* The minimum TLS cipher grade that the Postfix SMTP client /* will use with opportunistic TLS encryption. diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 4f3e52a20..943e40e9d 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -405,9 +405,9 @@ /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" /* Additional list of ciphers or cipher types to exclude from the /* Postfix SMTP server cipher list at mandatory TLS security levels. -/* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR" -/* The SSL/TLS protocols accepted by the Postfix SMTP server with -/* mandatory TLS encryption. +/* .IP "\fBsmtpd_tls_mandatory_protocols (see 'postconf -d' output)\fR" +/* TLS protocols accepted by the Postfix SMTP server with mandatory TLS +/* encryption. /* .IP "\fBsmtpd_tls_received_header (no)\fR" /* Request that the Postfix SMTP server produces Received: message /* headers that include information about the protocol and cipher used, @@ -442,9 +442,9 @@ /* \fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR. /* .PP /* Available in Postfix version 2.6 and later: -/* .IP "\fBsmtpd_tls_protocols (!SSLv2, !SSLv3)\fR" -/* List of TLS protocols that the Postfix SMTP server will exclude -/* or include with opportunistic TLS encryption. +/* .IP "\fBsmtpd_tls_protocols (see postconf -d output)\fR" +/* TLS protocols accepted by the Postfix SMTP server with opportunistic +/* TLS encryption. /* .IP "\fBsmtpd_tls_ciphers (medium)\fR" /* The minimum TLS cipher grade that the Postfix SMTP server /* will use with opportunistic TLS encryption. diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index 439f805c6..2fdc90ae9 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h @@ -385,7 +385,7 @@ extern void tls_param_init(void); #define TLS_SSL_OP_MANAGED_BITS \ (SSL_OP_CIPHER_SERVER_PREFERENCE | TLS_SSL_OP_PROTOMASK(~0)) -extern int tls_protocol_mask(const char *); +extern int tls_proto_mask_lims(const char *, int *, int *); /* * Cipher grade selection. @@ -631,7 +631,7 @@ extern char *tls_digest_encode(const unsigned char *, int); extern char *tls_cert_fprint(X509 *, const char *); extern char *tls_pkey_fprint(X509 *, const char *); extern char *tls_serverid_digest(TLS_SESS_STATE *, - const TLS_CLIENT_START_PROPS *, long, const char *); + const TLS_CLIENT_START_PROPS *, const char *); /* * tls_certkey.c diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index 00e02dc22..2c4a0e4cd 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -865,6 +865,8 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) { int sts; int protomask; + int min_proto; + int max_proto; const char *cipher_list; SSL_SESSION *session = 0; TLS_SESS_STATE *TLScontext; @@ -888,7 +890,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) * Per-session protocol restrictions must be applied to the SSL connection, * as restrictions in the global context cannot be cleared. */ - protomask = tls_protocol_mask(props->protocols); + protomask = tls_proto_mask_lims(props->protocols, &min_proto, &max_proto); if (protomask == TLS_PROTOCOL_INVALID) { /* tls_protocol_mask() logs no warning. */ msg_warn("%s: Invalid TLS protocol list \"%s\": aborting TLS session", @@ -956,12 +958,24 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) tls_free_context(TLScontext); return (0); } +#define CARP_VERSION(which) do { \ + if (which##_proto != 0) \ + msg_warn("%s: error setting %simum TLS version to: 0x%04x", \ + TLScontext->namaddr, #which, which##_proto); \ + else \ + msg_warn("%s: error clearing %simum TLS version", \ + TLScontext->namaddr, #which); \ + } while (0) /* * Apply session protocol restrictions. */ if (protomask != 0) SSL_set_options(TLScontext->con, TLS_SSL_OP_PROTOMASK(protomask)); + if (!SSL_set_min_proto_version(TLScontext->con, min_proto)) + CARP_VERSION(min); + if (!SSL_set_max_proto_version(TLScontext->con, max_proto)) + CARP_VERSION(max); /* * When applicable, configure DNS-based or synthetic (fingerprint or @@ -1038,7 +1052,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) * parameters and append it to the serverid. */ TLScontext->serverid = - tls_serverid_digest(TLScontext, props, protomask, cipher_list); + tls_serverid_digest(TLScontext, props, cipher_list); /* * When authenticating the peer, use 80-bit plus OpenSSL security level diff --git a/postfix/src/tls/tls_fprint.c b/postfix/src/tls/tls_fprint.c index 268349fd2..5c7a4efdd 100644 --- a/postfix/src/tls/tls_fprint.c +++ b/postfix/src/tls/tls_fprint.c @@ -6,10 +6,9 @@ /* SYNOPSIS /* #include /* -/* char *tls_serverid_digest(TLScontext, props, protomask, ciphers) +/* char *tls_serverid_digest(TLScontext, props, ciphers) /* TLS_SESS_STATE *TLScontext; /* const TLS_CLIENT_START_PROPS *props; -/* long protomask; /* const char *ciphers; /* /* char *tls_digest_encode(md_buf, md_len) @@ -187,7 +186,7 @@ static int tls_digest_tlsa(EVP_MD_CTX *mdctx, TLS_TLSA *tlsa) char *tls_serverid_digest(TLS_SESS_STATE *TLScontext, const TLS_CLIENT_START_PROPS *props, - long protomask, const char *ciphers) + const char *ciphers) { EVP_MD_CTX *mdctx; const EVP_MD *md; @@ -219,7 +218,7 @@ char *tls_serverid_digest(TLS_SESS_STATE *TLScontext, checkok(EVP_DigestInit_ex(mdctx, md, NULL)); digest_string(props->helo ? props->helo : ""); digest_object(&sslversion); - digest_object(&protomask); + digest_string(props->protocols); digest_string(ciphers); /* diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index ecb932898..190ae600e 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c @@ -69,8 +69,10 @@ /* /* void tls_param_init() /* -/* int tls_protocol_mask(plist) +/* int tls_proto_mask_lims(plist, floor, ceiling) /* const char *plist; +/* int *floor; +/* int *ceiling; /* /* int tls_cipher_grade(name) /* const char *name; @@ -157,10 +159,12 @@ /* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT /* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal. /* -/* tls_protocol_mask() returns a bitmask of excluded protocols, given -/* a list (plist) of protocols to include or (preceded by a '!') exclude. -/* If "plist" contains invalid protocol names, TLS_PROTOCOL_INVALID is -/* returned and no warning is logged. +/* tls_proto_mask_lims() returns a bitmask of excluded protocols, and +/* and the protocol version floor/ceiling, given a list (plist) of +/* protocols to include or (preceded by a '!') exclude, or constraints +/* of the form '>=name', '<=name', '>=hexvalue', '<=hexvalue'. If "plist" +/* contains invalid protocol names, TLS_PROTOCOL_INVALID is returned and +/* no warning is logged. /* /* tls_cipher_grade() converts a case-insensitive cipher grade /* name (high, medium, low, export, null) to the corresponding @@ -315,6 +319,19 @@ static const NAME_CODE protocol_table[] = { 0, TLS_PROTOCOL_INVALID, }; +/* + * Protocol name => numeric version, for MinProtocol and MaxProtocol + */ +static const NAME_CODE tls_version_table[] = { + "None", 0, + SSL_TXT_SSLV3, SSL3_VERSION, + SSL_TXT_TLSV1, TLS1_VERSION, + SSL_TXT_TLSV1_1, TLS1_1_VERSION, + SSL_TXT_TLSV1_2, TLS1_2_VERSION, + TLS_PROTOCOL_TXT_TLSV1_3, TLS1_3_VERSION, + 0, -1, +}; + /* * SSL_OP_MUMBLE bug work-around name <=> mask conversion. */ @@ -551,9 +568,32 @@ void tls_update_app_logmask(TLS_APPL_STATE *app_ctx, int log_mask) app_ctx->log_mask = log_mask; } -/* tls_protocol_mask - Bitmask of protocols to exclude */ +/* parse_version - parse TLS protocol version name or hex number */ -int tls_protocol_mask(const char *plist) +static int parse_tls_version(const char *tok, int *version) +{ + int code = name_code(tls_version_table, NAME_CODE_FLAG_NONE, tok); + char *_end; + unsigned long ulval; + + if (code != -1) { + *version = code; + return (0); + } + errno = 0; + ulval = strtoul(tok, &_end, 16); + if (*_end != 0 + || (ulval == ULONG_MAX && errno == ERANGE) + || ulval > INT_MAX) + return TLS_PROTOCOL_INVALID; + + *version = (int) ulval; + return (0); +} + +/* tls_proto_mask_lims - protocols to exclude and floor/ceiling */ + +int tls_proto_mask_lims(const char *plist, int *floor, int *ceiling) { char *save; char *tok; @@ -567,9 +607,15 @@ int tls_protocol_mask(const char *plist) return (res); \ } while (0) + *floor = *ceiling = 0; + save = cp = mystrdup(plist); while ((tok = mystrtok(&cp, CHARS_COMMA_SP ":")) != 0) { - if (*tok == '!') + if (strncmp(tok, ">=", 2) == 0) + code = parse_tls_version(tok + 2, floor); + else if (strncmp(tok, "<=", 2) == 0) + code = parse_tls_version(tok + 2, ceiling); + else if (*tok == '!') exclude |= code = name_code(protocol_table, NAME_CODE_FLAG_NONE, ++tok); else diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c index bd3aca228..6162191d6 100644 --- a/postfix/src/tls/tls_server.c +++ b/postfix/src/tls/tls_server.c @@ -342,6 +342,8 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) int scache_timeout; int ticketable = 0; int protomask; + int min_proto; + int max_proto; TLS_APPL_STATE *app_ctx; int log_mask; @@ -366,7 +368,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) /* * First validate the protocols. If these are invalid, we can't continue. */ - protomask = tls_protocol_mask(props->protocols); + protomask = tls_proto_mask_lims(props->protocols, &min_proto, &max_proto); if (protomask == TLS_PROTOCOL_INVALID) { /* tls_protocol_mask() logs no warning. */ msg_warn("Invalid TLS protocol list \"%s\": disabling TLS support", @@ -514,6 +516,10 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) */ if (protomask != 0) SSL_CTX_set_options(server_ctx, TLS_SSL_OP_PROTOMASK(protomask)); + SSL_CTX_set_min_proto_version(server_ctx, min_proto); + SSL_CTX_set_max_proto_version(server_ctx, max_proto); + SSL_CTX_set_min_proto_version(sni_ctx, min_proto); + SSL_CTX_set_max_proto_version(sni_ctx, max_proto); /* * Some sites may want to give the client less rope. On the other hand,