postfix-3.6-20200725

postfix/HISTORY

@@ -25008,3 +25008,18 @@ Apologies for any names omitted.
 
 	Final cleanups of the peername matching code.  File:
 	tls/tls_client.c.
+
+202000725
+
+	Documentation of how to set the minimum and maximum allowed
+	TLS protocol versions (these override system-wide OpenSSL
+	configuration), some related code cleanups including better
+	warning messages. Viktor Dukhovni. Files: proto/TLS_README.html,
+	proto/postconf.proto, global/mail_params.h,
+	posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_client.c,
+	tls/tls_fprint.c, tls/tls_misc.c, tls/tls_server.c.
+ 
+	The Postfix TLS library did not override the system-wide
+	OpenSSL configuration of allowed TLS protocol versions, for
+	sessions where the remote SMTP client sends SNI. File:
+	tls/tls_server.c.

postfix/README_FILES/TLS_README

@@ -101,10 +101,10 @@ SMTP server configurations will not accidentally enable TLS without
 certificates.
 
 Note that server certificates are nnoott optional in TLS 1.3. To run without
-certificates you'd have to disable the TLS 1.3 protocol by including '!TLSv1.3'
+certificates you'd have to disable the TLS 1.3 protocol by including
-in "smtpd_tls_protocols" and perhaps also "smtpd_tls_mandatory_protocols". It
+"<=TLSv1.2" (or, for Postfix < 3.6, "!TLSv1.3") in "smtpd_tls_protocols" and
-is simpler instead to just configure a certificate chain. Certificate-less
+perhaps also "smtpd_tls_mandatory_protocols". It is simpler instead to just
-operation is not recommended.
+configure a certificate chain. Certificate-less operation is not recommended.
 
 RSA, DSA and ECDSA (Postfix >= 2.6) certificates are supported. Most sites only
 have RSA certificates. You can configure all three at the same time, in which
@@ -632,8 +632,8 @@ With mandatory and opportunistic TLS encryption, the Postfix SMTP server by
 default disables SSLv2 and SSLv3 with Postfix releases after the middle of
 2015; older releases only disable SSLv2 for mandatory TLS. The mandatory TLS
 protocol list is specified via the smtpd_tls_mandatory_protocols configuration
-parameter. The smtpd_tls_protocols parameter (Postfix >= 2.6) controls the SSL/
+parameter. The smtpd_tls_protocols parameter (Postfix >= 2.6) controls the TLS
-TLS protocols used with opportunistic TLS.
+protocols used with opportunistic TLS.
 
 Note that the OpenSSL library only supports protocol exclusion (not inclusion).
 For this reason, Postfix can exclude only protocols that are known at the time
@@ -649,8 +649,7 @@ configurations may not interoperate with some clients, and require that TLSv1.3
 be explicitly disabled. Therefore, they are not recommended, it is better and
 simpler to just configure a suitable certificate.
 
-Example, MSA that requires TLSv1 or higher, not SSLv2 or SSLv3, with high grade
+Example, MSA that requires TLSv1.2 or higher, with high grade ciphers:
-ciphers:
 
     /etc/postfix/main.cf:
         smtpd_tls_cert_file = /etc/postfix/cert.pem
@@ -658,10 +657,10 @@ ciphers:
         smtpd_tls_mandatory_ciphers = high
         smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
         smtpd_tls_security_level = encrypt
-        # Preferred syntax with Postfix >= 2.5:
+        # Preferred syntax with Postfix >= 3.6:
-        smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+        smtpd_tls_mandatory_protocols = >=TLSv1.2
         # Legacy syntax:
-        smtpd_tls_mandatory_protocols = TLSv1
+        smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 
 With Postfix >= 3.4, specify instead a single file that holds the key followed
 by the corresponding certificate and any associated issuing certificates,
@@ -924,9 +923,10 @@ not specified consistently.
     submission
 
     /etc/postfix/tls_policy:
-        [example.net]:587 encrypt protocols=TLSv1 ciphers=high
+        # Postfix >= 3.6 "protocols" syntax
-        [example.net]:msa encrypt protocols=TLSv1 ciphers=high
+        [example.net]:587 encrypt protocols=>=TLSv1.2 ciphers=high
-        [example.net]:submission encrypt protocols=TLSv1 ciphers=high
+        # Legacy "protocols" syntax
+        [example.net]:msa encrypt protocols=!SSLv2:!SSLv3 ciphers=high
 
 DDAANNEE TTLLSS aauutthheennttiiccaattiioonn..
 
@@ -1835,8 +1835,11 @@ Example:
         [thumb.example.org]         fingerprint
             match=b6:b4:72:34:e2:59:cd:fb:...:0d:4d:cc:2c:7d:84:de:e6:2f
             match=51:e9:af:2e:1e:40:1f:de:...:35:2d:09:16:31:5a:eb:82:76
-        # Postfix 2.6 and later
+        # Postfix >= 3.6 "protocols" syntax
-        example.info            may protocols=!SSLv2 ciphers=medium
+        example.info            may protocols=>=TLSv1 ciphers=medium
+    exclude=3DES
+        # Legacy protocols syntax
+        example.info            may protocols=!SSLv2:!SSLv3 ciphers=medium
     exclude=3DES
 
 NNoottee:: The "hostname" strategy if listed in a non-default setting of
@@ -1909,8 +1912,8 @@ the minimum opportunistic TLS cipher grade is always "export".
 With mandatory and opportunistic TLS encryption, the Postfix SMTP client will
 by default disable SSLv2 and SSLv3. The mandatory TLS protocol list is
 specified via the smtp_tls_mandatory_protocols configuration parameter. The
-corresponding smtp_tls_protocols parameter (Postfix >= 2.6) controls the SSL/
+corresponding smtp_tls_protocols parameter (Postfix >= 2.6) controls the TLS
-TLS protocols used with opportunistic TLS.
+protocols used with opportunistic TLS.
 
 Example:
 
@@ -1918,13 +1921,13 @@ Example:
         smtp_tls_mandatory_ciphers = medium
         smtp_tls_mandatory_exclude_ciphers = RC4, MD5
         smtp_tls_exclude_ciphers = aNULL
-        # Preferred form with Postfix >= 2.5:
-        smtp_tls_mandatory_protocols = !SSLv2
-        # Legacy form for Postfix < 2.5:
-        smtp_tls_mandatory_protocols = SSLv3, TLSv1
-        # Also available with Postfix >= 2.6:
         smtp_tls_ciphers = medium
-        smtp_tls_protocols = !SSLv2
+        # Preferred form with Postfix >= 3.6:
+        smtp_tls_mandatory_protocols = >=TLSv1.2
+        smtp_tls_protocols = >=TLSv1
+        # Legacy form for Postfix < 3.6:
+        smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+        smtp_tls_protocols = !SSLv2,!SSLv3
 
 CClliieenntt--ssiiddee SSMMTTPPSS ssuuppppoorrtt
 

postfix/html/TLS_README.html

@@ -179,10 +179,10 @@ configurations will not accidentally enable TLS without certificates.  </p>
 
 <p> Note that server certificates are <b>not</b> optional in TLS 1.3. To
 run without certificates you'd have to disable the TLS 1.3 protocol by
-including '!TLSv1.3' in "<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a>" and perhaps also
+including "&lt;=TLSv1.2" (or, for Postfix &lt; 3.6, "!TLSv1.3") in
-"<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>".  It is simpler instead to just
+"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a>" and perhaps also "<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>".
-configure a certificate chain.  Certificate-less operation is not
+It is simpler instead to just configure a certificate chain.
-recommended. <p>
+Certificate-less operation is not recommended. <p>
 
 <p> RSA, DSA and ECDSA (Postfix &ge; 2.6) certificates are supported.
 Most sites only have RSA certificates.  You can configure all three
@@ -891,7 +891,7 @@ after the middle of 2015; older releases only disable SSLv2 for
 mandatory TLS. The mandatory TLS protocol list is specified via the
 <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> configuration parameter.  The
 <a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> parameter (Postfix &ge; 2.6)
-controls the SSL/TLS protocols used with opportunistic TLS. </p>
+controls the TLS protocols used with opportunistic TLS. </p>
 
 <p> Note that the OpenSSL library only supports protocol exclusion
 (not inclusion). For this reason, Postfix can exclude only protocols
@@ -909,8 +909,8 @@ that TLSv1.3 be explicitly disabled. Therefore, they are not
 recommended, it is better and simpler to just configure a suitable
 certificate. </p>
 
-<p> Example, MSA that requires TLSv1 or higher, not SSLv2 or SSLv3,
+<p> Example, MSA that requires TLSv1.2 or higher, with high grade
-with high grade ciphers: </p>
+ciphers: </p>
 
 <blockquote>
 <pre>
@@ -920,10 +920,10 @@ with high grade ciphers: </p>
     <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> = high
     <a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL, MD5
     <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
-    # Preferred syntax with Postfix &ge; 2.5:
+    # Preferred syntax with Postfix &ge; 3.6:
-    <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
+    <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = &gt;=TLSv1.2
     # Legacy syntax:
-    <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = TLSv1
+    <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 </pre>
 </blockquote>
 
@@ -1263,9 +1263,10 @@ just in case the transport table entries are not specified consistently. </p>
     submission      587/tcp         msa             # mail message submission
 
 /etc/postfix/tls_policy:
-    [example.net]:587 encrypt protocols=TLSv1 ciphers=high
+    # Postfix &ge; 3.6 "protocols" syntax
-    [example.net]:msa encrypt protocols=TLSv1 ciphers=high
+    [example.net]:587 encrypt protocols=&gt;=TLSv1.2 ciphers=high
-    [example.net]:submission encrypt protocols=TLSv1 ciphers=high
+    # Legacy "protocols" syntax
+    [example.net]:msa encrypt protocols=!SSLv2:!SSLv3 ciphers=high
 </pre>
 </blockquote>
 
@@ -2398,8 +2399,10 @@ Example:
     [thumb.example.org]         fingerprint
         match=b6:b4:72:34:e2:59:cd:fb:...:0d:4d:cc:2c:7d:84:de:e6:2f
         match=51:e9:af:2e:1e:40:1f:de:...:35:2d:09:16:31:5a:eb:82:76
-    # Postfix 2.6 and later
+    # Postfix &ge; 3.6 "protocols" syntax
-    example.info            may protocols=!SSLv2 ciphers=medium exclude=3DES
+    example.info            may protocols=&gt;=TLSv1 ciphers=medium exclude=3DES
+    # Legacy protocols syntax
+    example.info            may protocols=!SSLv2:!SSLv3 ciphers=medium exclude=3DES
 </pre>
 </blockquote>
 
@@ -2494,7 +2497,7 @@ SMTP client will by default disable SSLv2 and SSLv3. The mandatory
 TLS protocol list is specified via the
 <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> configuration parameter.  The corresponding
 <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> parameter (Postfix &ge; 2.6) controls
-the SSL/TLS protocols used with opportunistic TLS. </p>
+the TLS protocols used with opportunistic TLS. </p>
 
 <p> Example: </p>
  
@@ -2504,13 +2507,13 @@ the SSL/TLS protocols used with opportunistic TLS. </p>
     <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> = medium
     <a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> = RC4, MD5
     <a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = aNULL
-    # Preferred form with Postfix &ge; 2.5:
-    <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2
-    # Legacy form for Postfix &lt; 2.5:
-    <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = SSLv3, TLSv1
-    # Also available with Postfix &ge; 2.6:
     <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> = medium
-    <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2
+    # Preferred form with Postfix &ge; 3.6:
+    <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = &gt;=TLSv1.2
+    <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = &gt;=TLSv1
+    # Legacy form for Postfix &lt; 3.6:
+    <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+    <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2,!SSLv3
 </pre>
 </blockquote>
 

postfix/html/lmtp.8.html

@@ -508,9 +508,9 @@ SMTP(8)                                                                SMTP(8)
               policy by next-hop destination; when a non-empty value is speci-
               fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
 
-       <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2, !SSLv3)</b>
+       <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (see 'postconf -d' output)</b>
-              List of SSL/TLS protocols that the Postfix SMTP client will  use
+              TLS protocols that the Postfix SMTP client will use with  manda-
-              with mandatory TLS encryption.
+              tory TLS encryption.
 
        <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
               The verification depth for remote SMTP server certificates.
@@ -573,9 +573,9 @@ SMTP(8)                                                                SMTP(8)
 
        Available in Postfix version 2.6 and later:
 
-       <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2, !SSLv3)</b>
+       <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see postconf -d output)</b>
-              List  of TLS protocols that the Postfix SMTP client will exclude
+              TLS  protocols that the Postfix SMTP client will use with oppor-
-              or include with opportunistic TLS encryption.
+              tunistic TLS encryption.
 
        <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (medium)</b>
               The minimum TLS cipher grade that the Postfix SMTP  client  will

postfix/html/postconf.5.html

@@ -5420,7 +5420,7 @@ configuration parameter.  See there for details. </p>
 </DD>
 
 <DT><b><a name="lmtp_tls_mandatory_protocols">lmtp_tls_mandatory_protocols</a>
-(default: !SSLv2, !SSLv3)</b></DT><DD>
+(default: see postconf -d output)</b></DT><DD>
 
 <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
 configuration parameter. See there for details. </p>
@@ -5464,7 +5464,7 @@ configuration parameter. See there for details. </p>
 </DD>
 
 <DT><b><a name="lmtp_tls_protocols">lmtp_tls_protocols</a>
-(default: !SSLv2, !SSLv3)</b></DT><DD>
+(default: see postconf -d output)</b></DT><DD>
 
 <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> configuration
 parameter. See there for details. </p>
@@ -12881,74 +12881,92 @@ attribute. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_ma
 </DD>
 
 <DT><b><a name="smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
-(default: !SSLv2, !SSLv3)</b></DT><DD>
+(default: see "postconf -d" output)</b></DT><DD>
 
-<p> List of SSL/TLS protocols that the Postfix SMTP client will use with
+<p> TLS protocols that the Postfix SMTP client will use with mandatory
-mandatory TLS encryption.  In <a href="postconf.5.html">main.cf</a> the values are separated by
+TLS encryption.  In <a href="postconf.5.html">main.cf</a> the values are separated by whitespace,
-whitespace, commas or colons. In the policy table "protocols" attribute
+commas or colons. In the policy table "protocols" attribute (see
-(see <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>) the only valid separator is colon. An
+<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>) the only valid separator is colon. An empty value
-empty value means allow all protocols. The valid protocol names, (see
+means allow all protocols. </p>
-<b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and "TLSv1". The
-default value is "!SSLv2, !SSLv3" for Postfix releases after the
-middle of 2015, "!SSLv2" for older releases. </p>
 
-<p> With Postfix &ge; 2.5 the parameter syntax was expanded to support
+<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
-protocol exclusions. One can explicitly exclude "SSLv2" by setting
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2". To exclude both "SSLv2" and
+Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
-"SSLv3" set "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing
+the lowest supported TLS protocol version (see below).  Older releases
-the protocols to include, rather than protocols to exclude, is
+use the "!" exclusion syntax, also described below.  </p>
-supported, but not recommended. The exclusion form more closely
-matches the underlying OpenSSL interface semantics.
-</p>
 
-<p> The range of protocols advertised by an SSL/TLS client must be
+<p> As of Postfix 3.6, the preferred way to limit the range of
-contiguous.  When a protocol version is enabled, disabling any
+acceptable protocols is to set a lowest acceptable TLS protocol version
-higher version implicitly disables all versions above that higher version.
+and/or a highest acceptable TLS protocol version.  To set the lower
-Thus, for example (assuming the OpenSSL library supports both SSLv2
+bound include an element of the form: "&gt;=<i>version</i>" where
-and SSLv3):
+<i>version</i> is a either one of the TLS protocol names listed above,
-</p>
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "&lt;=<i>version</i>".  There must be no whitespace between
+the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
+
+<p> Hexadecimal protocol numbers make it possible to specify protocol
+bounds for TLS versions that are known to OpenSSL, but might not be
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version. </p>
+
+<p>Hexadecimal example (Postfix &ge; 3.6):</p>
 <blockquote>
 <pre>
-<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !TLSv1
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = &gt;=TLSv1.2, &lt;=0305
+# Allow only TLS 1.2 and up:
+<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = &gt;=0x0303
 </pre>
 </blockquote>
-<p> also disables any protocols version higher than TLSv1 leaving
-only "SSLv3" enabled.  </p>
 
-<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
-and "TLSv1.2". When Postfix &le; 2.5 is linked against OpenSSL 1.0.1
+version, and the protocol range is configured via protocol exclusions.
-or later, these, or any other new protocol versions, cannot be
+To require at least TLS 1.0, set "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2,
-disabled except by also disabling "TLSv1" (typically leaving just
+!SSLv3". Listing the protocols to include, rather than protocols to
-"SSLv3").  The latest patch levels of Postfix &ge; 2.6, and all
+exclude, is supported, but not recommended.  The exclusion syntax more
-versions of Postfix &ge; 2.10 can explicitly disable support for
+accurately matches the underlying OpenSSL interface.  </p>
-"TLSv1.1" or "TLSv1.2". </p>
 
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+<p> When using the exclusion syntax, take care to ensure that the range
-&ge; 3.4 (or patch releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
+of protocols supported by the Postfixm SMTP client is contiguous.  When
-this can be disabled, if need be, via "!TLSv1.3". </p>
+a protocol version is enabled, disabling any higher version implicitly
+disables all versions above that higher version.  Thus, for example: </p>
 
-<p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and
+<blockquote>
-<a href="TLS_README.html#client_tls_dane">dane-only</a> security
+<pre>
-levels, when usable TLSA records are obtained for the remote SMTP
+<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3, !TLSv1.1
-server, the Postfix SMTP client is obligated to include the SNI TLS
+</pre>
-extension in its SSL client hello message.  This may help the remote
+</blockquote>
-SMTP server live up to its promise to provide a certificate that
+
-matches its TLSA records.  Since TLS extensions require TLS 1.0 or
+<p> also disables any protocols version higher than TLSv1.1 leaving
-later, the Postfix SMTP client must disable "SSLv2" and "SSLv3" when
+only "TLSv1" enabled.  </p>
-SNI is required.  If you use "dane" or "dane-only" do not disable
+
-TLSv1, except perhaps via the policy table for destinations which
+<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
-you are sure will support "TLSv1.1" or "TLSv1.2".  </p>
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
+
+<p> While the vast majority of SMTP servers with DANE TLSA records now
+support at least TLS 1.2, a few still only support TLS 1.0.  If you use
+"dane" or "dane-only" it is best to not disable TLSv1, except perhaps
+via the policy table for destinations which you are sure will support
+"TLSv1.2".  </p>
 
 <p> See the documentation of the <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> parameter and
 <a href="TLS_README.html">TLS_README</a> for more information about security levels. </p>
 
 <p> Example: </p>
-
 <pre>
-# Preferred syntax with Postfix &ge; 2.5:
+# Preferred syntax with Postfix &ge; 3.6:
-<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
+<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = &gt;=TLSv1.2, &lt;=TLSv1.3
 # Legacy syntax:
-<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = TLSv1
+<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 </pre>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
@@ -13240,54 +13258,81 @@ configurations in environments where DNS security is not assured. </p>
 </DD>
 
 <DT><b><a name="smtp_tls_protocols">smtp_tls_protocols</a>
-(default: !SSLv2, !SSLv3)</b></DT><DD>
+(default: see postconf -d output)</b></DT><DD>
 
-<p> List of TLS protocols that the Postfix SMTP client will exclude or
+<p> TLS protocols that the Postfix SMTP client will use with
-include with opportunistic TLS encryption. The default value is
+opportunistic TLS encryption.  In <a href="postconf.5.html">main.cf</a> the values are separated by
-"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
+whitespace, commas or colons. In the policy table "protocols" attribute
-"!SSLv2" for older releases. Before Postfix 2.6, the Postfix SMTP
+(see <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>) the only valid separator is colon.  An empty
-client would use all protocols with opportunistic TLS. </p>
+value means allow all protocols. </p>
 
-<p> In <a href="postconf.5.html">main.cf</a> the values are separated by whitespace, commas or
+<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
-colons. In the policy table (see <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>) the only valid
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-separator is colon. An empty value means allow all protocols. The valid
+Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
-protocol names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3"
+the lowest supported TLS protocol version (see below).  Older releases
-and "TLSv1". </p>
+use the "!" exclusion syntax, also described below.  </p>
 
-<p> The range of protocols advertised by an SSL/TLS client must be
+<p> As of Postfix 3.6, the preferred way to limit the range of
-contiguous.  When a protocol version is enabled, disabling any
+acceptable protocols is to set the lowest acceptable TLS protocol
-higher version implicitly disables all versions above that higher version.
+version and/or the highest acceptable TLS protocol version.  To set the
-Thus, for example (assuming the OpenSSL library supports both SSLv2
+lower bound include an element of the form: "&gt;=<i>version</i>" where
-and SSLv3):
+<i>version</i> is a either one of the TLS protocol names listed above,
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "&lt;=<i>version</i>".  There must be no whitespace between
+the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
+
+<p> Hexadecimal protocol numbers make it possible to specify protocol
+bounds for TLS versions that are known to OpenSSL, but might not be
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version. </p>
+
+<p>Hexadecimal example (Postfix &ge; 3.6):</p>
+<blockquote>
+<pre>
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = &gt;=TLSv1, &lt;=0305
+# Allow only TLS 1.0 and up:
+<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = &gt;=0x0301
+</pre>
+</blockquote>
+
+<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3".
+Listing the protocols to include, rather than protocols to exclude, is
+supported, but not recommended.  The exclusion form more accurately
+matches the underlying OpenSSL interface.  </p>
+
+<p> When using the exclusion syntax, take care to ensure that the range of
+protocols advertised by an SSL/TLS client is contiguous.  When a protocol
+version is enabled, disabling any higher version implicitly disables all
+versions above that higher version.  Thus, for example:
 </p>
 <blockquote>
 <pre>
-<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !TLSv1
+<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3, !TLSv1.1
 </pre>
 </blockquote>
-<p> also disables any protocols version higher than TLSv1 leaving
+<p> also disables any protocols version higher than TLSv1.1 leaving
-only "SSLv3" enabled.  </p>
+only "TLSv1" enabled.  </p>
 
-<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
-and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
-versions of Postfix &ge; 2.10 can explicitly disable support for
+releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
-"TLSv1.1" or "TLSv1.2"</p>
-
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
-&ge; 3.4 (or patch releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
-this can be disabled, if need be, via "!TLSv1.3". </p>
-
-<p> To include a protocol list its name, to exclude it, prefix the name
-with a "!" character. To exclude SSLv2 for opportunistic TLS set
-"<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
-"<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to
-include, rather than protocols to exclude, is supported, but not
-recommended.  The exclusion form more closely matches the underlying
-OpenSSL interface semantics. </p>
 
 <p> Example: </p>
 <pre>
-# TLSv1 or better:
+# Preferred syntax with Postfix &ge; 3.6:
+<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = &gt;=TLSv1, &lt;=TLSv1.3
+# Legacy syntax:
 <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3
 </pre>
 
@@ -13479,12 +13524,13 @@ Examples:
 <pre>
 # Opportunistic TLS.
 <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
-# Postfix &ge; 2.6:
 # Do not tweak opportunistic ciphers or protocol unless it is essential
 # to do so (if a security vulnerability is found in the SSL library that
 # can be mitigated by disabling a particular protocol or raising the
-# cipher grade from "export" to "low" or "medium").
+# cipher grade).
-<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> = export
+<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> = medium
+<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = &gt;=TLSv1
+# Legacy (Postfix &lt; 3.6) syntax:
 <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3
 </pre>
 
@@ -13495,33 +13541,27 @@ Examples:
 </pre>
 
 <pre>
-# Mandatory TLS verification of hostname or nexthop domain.
+# Authenticated TLS 1.2 or better matching the nexthop domain or a
-<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = verify
+# subdomain.
-<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> = high
-<a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> = hostname, nexthop, dot-nexthop
-</pre>
-
-<pre>
-# Secure channel TLS with exact nexthop name match.
 <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = secure
-<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = TLSv1
 <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> = high
-<a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> = nexthop
+<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = &gt;=TLSv1.2
+<a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> = nexthop, dot-nexthop
 </pre>
 
 <pre>
 # Certificate fingerprint verification (Postfix &ge; 2.5).
 # The CA-less "fingerprint" security level only scales to a limited
 # number of destinations. As a global default rather than a per-site
-# setting, this is practical when mail for all recipients is sent
+# setting, this is practical only when mail for all recipients is sent
 # to a central mail hub.
 <a href="postconf.5.html#relayhost">relayhost</a> = [mailhub.example.com]
 <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = fingerprint
-<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
+<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = &gt;=TLSv1.2
 <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> = high
 <a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> =
-    3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
+    3D:95:34:51:...:40:99:C0:C1
-    EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
+    EC:3B:2D:B0:...:A3:9D:72:F6
 </pre>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
@@ -17639,43 +17679,69 @@ works in addition to the exclusions listed with <a href="postconf.5.html#smtpd_t
 </DD>
 
 <DT><b><a name="smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>
-(default: !SSLv2, !SSLv3)</b></DT><DD>
+(default: see "postconf -d" output)</b></DT><DD>
 
-<p> The SSL/TLS protocols accepted by the Postfix SMTP server with
+<p> TLS protocols accepted by the Postfix SMTP server with mandatory TLS
-mandatory TLS encryption. If the list is empty, the server supports
+encryption.  If the list is empty, the server supports all available TLS
-all available SSL/TLS protocol versions.  A non-empty value is a
+protocol versions.  A non-empty value is a list of protocol names to
-list of protocol names separated by whitespace, commas or colons.
+include or exclude, separated by whitespace, commas or colons.  </p>
-The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and
-are not case sensitive. The default value is "!SSLv2, !SSLv3" for
-Postfix releases after the middle of 2015, "!SSLv2" for older
-releases. </p>
 
-<p> With Postfix &ge; 2.5 the parameter syntax was expanded to support
+<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
-protocol exclusions. One can explicitly exclude "SSLv2" by setting
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-"<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2". To exclude both "SSLv2" and
+Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
-"SSLv3" set "<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing
+the lowest supported TLS protocol version (see below).  Older releases
-the protocols to include, rather than protocols to exclude, is
+use the "!" exclusion syntax, also described below.  </p>
-supported, but not recommended. The exclusion form more closely
-matches the underlying OpenSSL interface semantics.  </p>
 
-<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+<p> As of Postfix 3.6, the preferred way to limit the range of
-and "TLSv1.2". When Postfix &le; 2.5 is linked against OpenSSL 1.0.1
+acceptable protocols is to set the lowest acceptable TLS protocol
-or later, these, or any other new protocol versions, cannot be
+version and/or the highest acceptable TLS protocol version.  To set the
-disabled.  The latest patch levels of Postfix &ge; 2.6, and all
+lower bound include an element of the form: "&gt;=<i>version</i>" where
-versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
+<i>version</i> is a either one of the TLS protocol names listed above,
-"TLSv1.2". </p>
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "&lt;=<i>version</i>".  There must be no whitespace between
+the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
 
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+<p> Hexadecimal protocol numbers make it possible to specify protocol
-&ge; 3.4 (or patch releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
+bounds for TLS versions that are known to OpenSSL, but might not be
-this can be disabled, if need be, via "!TLSv1.3". </p>
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version. </p>
+
+<p>Hexadecimal example (Postfix &ge; 3.6):</p>
+<blockquote>
+<pre>
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = &gt;=TLSv1.2, &lt;=0305
+# Allow only TLS 1.2 and up:
+<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = &gt;=0x0303
+</pre>
+</blockquote>
+
+<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> =
+!SSLv2, !SSLv3".  Listing the protocols to include, rather than
+protocols to exclude, is supported, but not recommended.  The exclusion
+form more accurately matches the underlying OpenSSL interface.  </p>
+
+<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
 
 <p> Example: </p>
 
 <pre>
-# Preferred syntax with Postfix &ge; 2.5:
+# Preferred syntax with Postfix &ge; 3.6:
-<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
+<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = &gt;=TLSv1.2, &lt;=TLSv1.3
 # Legacy syntax:
-<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = TLSv1
+<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 </pre>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
@@ -17684,36 +17750,67 @@ this can be disabled, if need be, via "!TLSv1.3". </p>
 </DD>
 
 <DT><b><a name="smtpd_tls_protocols">smtpd_tls_protocols</a>
-(default: !SSLv2, !SSLv3)</b></DT><DD>
+(default: see postconf -d output)</b></DT><DD>
 
-<p> List of TLS protocols that the Postfix SMTP server will exclude
+<p> TLS protocols accepted by the Postfix SMTP server with opportunistic
-or include with opportunistic TLS encryption. The default value is
+TLS encryption. If the list is empty, the server supports all available
-"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
+TLS protocol versions.  A non-empty value is a list of protocol names to
-empty for older releases allowing all protocols to be
+include or exclude, separated by whitespace, commas or colons.  </p>
-used with opportunistic TLS.  A non-empty value is a list of protocol
-names separated by whitespace, commas or colons.  The supported
-protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case
-sensitive. </p>
 
-<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
-and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
+Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
-"TLSv1.2". </p>
+the lowest supported TLS protocol version (see below).  Older releases
+use the "!" exclusion syntax, also described below.  </p>
 
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+<p> As of Postfix 3.6, the preferred way to limit the range of
-&ge; 3.4 (or patch releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
+acceptable protocols is to set the lowest acceptable TLS protocol
-this can be disabled, if need be, via "!TLSv1.3". </p>
+version and/or the highest acceptable TLS protocol version.  To set the
+lower bound include an element of the form: "&gt;=<i>version</i>" where
+<i>version</i> is a either one of the TLS protocol names listed above,
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "&lt;=<i>version</i>".  There must be no whitespace between
+the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
 
-<p> To include a protocol list its name, to exclude it, prefix the name
+<p> Hexadecimal protocol numbers make it possible to specify protocol
-with a "!" character. To exclude SSLv2 for opportunistic TLS set
+bounds for TLS versions that are known to OpenSSL, but might not be
-"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
-"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to
+Leading "0" or "0x" prefixes are supported, but not required.
-include, rather than protocols to exclude, is supported, but not
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
-recommended.  The exclusion form more closely matches the underlying
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
-OpenSSL interface semantics. </p>
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version. </p>
+
+<p>Hexadecimal example (Postfix &ge; 3.6):</p>
+<blockquote>
+<pre>
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = &gt;=TLSv1, &lt;=0305
+# Allow only TLS 1.0 and up:
+<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = &gt;=0x0301
+</pre>
+</blockquote>
+
+<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2, !SSLv3".
+Listing the protocols to include, rather than protocols to exclude, is
+supported, but not recommended.  The exclusion form more accurately
+matches the underlying OpenSSL interface.  </p>
+
+<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
 
 <p> Example: </p>
 <pre>
+# Preferred syntax with Postfix &ge; 3.6:
+<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = &gt;=TLSv1, &lt;=TLSv1.3
+# Legacy syntax:
 <a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2, !SSLv3
 </pre>
 

postfix/html/posttls-finger.1.html

@@ -4,7 +4,7 @@
 <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
 <title> Postfix manual - posttls-finger(1) </title>
 </head> <body> <pre>
-POSTTLS-FINGER(1)           General Commands Manual          POSTTLS-FINGER(1)
+POSTTLS-FINGER(1)                                            POSTTLS-FINGER(1)
 
 <b>NAME</b>
        posttls-finger - Probe the TLS properties of an ESMTP or LMTP server.
@@ -255,9 +255,9 @@ POSTTLS-FINGER(1)           General Commands Manual          POSTTLS-FINGER(1)
               ing the values of TLS library  parameters,  or  "<a href="postconf.5.html#myhostname">myhostname</a>"  to
               configure the SMTP EHLO name sent to the remote server.
 
-       <b>-p</b> <i>protocols</i> (default: !SSLv2)
+       <b>-p</b> <i>protocols</i> (default: &gt;=TLSv1)
-              List  of  TLS  protocols  that  posttls-finger  will  exclude or
+              TLS  protocols that posttls-finger will exclude or include.  See
-              include.  See <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> for details.
+              <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> for details.
 
        <b>-P</b> <i>CApath/</i> (default: none)
               The OpenSSL CApath/  directory  (indexed  via  c_rehash(1))  for
@@ -288,31 +288,31 @@ POSTTLS-FINGER(1)           General Commands Manual          POSTTLS-FINGER(1)
               reading the remote server's 220 banner.
 
        <b>-T</b> <i>timeout</i> (default: <b>30</b>)
-              The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and QUIT.
+              The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and  QUIT.
 
-       <b>-v</b>     Enable verbose Postfix  logging.   Specify  more  than  once  to
+       <b>-v</b>     Enable  verbose  Postfix  logging.   Specify  more  than once to
               increase the level of verbose logging.
 
-       <b>-w</b>     Enable  outgoing  TLS  wrapper  mode, or SMTPS support.  This is
+       <b>-w</b>     Enable outgoing TLS wrapper mode, or  SMTPS  support.   This  is
-              typically provided on port 465 by servers  that  are  compatible
+              typically  provided  on  port 465 by servers that are compatible
-              with  the  ad-hoc SMTP in SSL protocol, rather than the standard
+              with the ad-hoc SMTP in SSL protocol, rather than  the  standard
               STARTTLS protocol.  The destination <i>domain</i>:<i>port</i> should of course
               provide such a service.
 
-       <b>-X</b>     Enable  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  mode. This is an unsupported mode, for pro-
+       <b>-X</b>     Enable <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> mode. This is an unsupported mode,  for  pro-
               gram development only.
 
        [<b>inet:</b>]<i>domain</i>[:<i>port</i>]
               Connect via TCP to domain <i>domain</i>, port <i>port</i>. The default port is
-              <b>smtp</b>  (or 24 with LMTP).  With SMTP an MX lookup is performed to
+              <b>smtp</b> (or 24 with LMTP).  With SMTP an MX lookup is performed  to
-              resolve the domain to a host, unless the domain is  enclosed  in
+              resolve  the  domain to a host, unless the domain is enclosed in
-              <b>[]</b>.   If you want to connect to a specific MX host, for instance
+              <b>[]</b>.  If you want to connect to a specific MX host, for  instance
-              <i>mx1.example.com</i>, specify [<i>mx1.example.com</i>]  as  the  destination
+              <i>mx1.example.com</i>,  specify  [<i>mx1.example.com</i>]  as the destination
               and <i>example.com</i> as a <b>match</b> argument.  When using DNS, the desti-
-              nation domain is assumed fully qualified and no  default  domain
+              nation  domain  is assumed fully qualified and no <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a>
-              or  search  suffixes  are  applied; you must use fully-qualified
+              or search suffixes are applied;  you  must  use  fully-qualified
-              names or also enable <b>native</b> host lookups  (these  don't  support
+              names  or  also  enable <b>native</b> host lookups (these don't support
-              <b>dane</b>  or <b>dane-only</b> as no DNSSEC validation information is avail-
+              <b>dane</b> or <b>dane-only</b> as no DNSSEC validation information is  avail-
               able via <b>native</b> lookups).
 
        <b>unix:</b><i>pathname</i>
@@ -321,8 +321,8 @@ POSTTLS-FINGER(1)           General Commands Manual          POSTTLS-FINGER(1)
        <b>match ...</b>
               With no match arguments specified, certificate peername matching
               uses the compiled-in default strategies for each security level.
-              If you specify one or more arguments, these will be used as  the
+              If  you specify one or more arguments, these will be used as the
-              list  of certificate or public-key digests to match for the <b>fin-</b>
+              list of certificate or public-key digests to match for the  <b>fin-</b>
               <b>gerprint</b> level, or as the list of DNS names to match in the cer-
               tificate at the <b>verify</b> and <b>secure</b> levels.  If the security level
               is <b>dane</b>, or <b>dane-only</b> the match names are ignored, and <b>hostname,</b>

postfix/html/smtp.8.html

@@ -508,9 +508,9 @@ SMTP(8)                                                                SMTP(8)
               policy by next-hop destination; when a non-empty value is speci-
               fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
 
-       <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2, !SSLv3)</b>
+       <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (see 'postconf -d' output)</b>
-              List of SSL/TLS protocols that the Postfix SMTP client will  use
+              TLS protocols that the Postfix SMTP client will use with  manda-
-              with mandatory TLS encryption.
+              tory TLS encryption.
 
        <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
               The verification depth for remote SMTP server certificates.
@@ -573,9 +573,9 @@ SMTP(8)                                                                SMTP(8)
 
        Available in Postfix version 2.6 and later:
 
-       <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2, !SSLv3)</b>
+       <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see postconf -d output)</b>
-              List  of TLS protocols that the Postfix SMTP client will exclude
+              TLS  protocols that the Postfix SMTP client will use with oppor-
-              or include with opportunistic TLS encryption.
+              tunistic TLS encryption.
 
        <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (medium)</b>
               The minimum TLS cipher grade that the Postfix SMTP  client  will

postfix/html/smtpd.8.html

@@ -475,9 +475,9 @@ SMTPD(8)                                                              SMTPD(8)
               Postfix  SMTP  server cipher list at mandatory TLS security lev-
               els.
 
-       <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (!SSLv2, !SSLv3)</b>
+       <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (see 'postconf -d' output)</b>
-              The SSL/TLS protocols accepted by the Postfix SMTP  server  with
+              TLS protocols accepted by the Postfix SMTP server with mandatory
-              mandatory TLS encryption.
+              TLS encryption.
 
        <b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
               Request that the Postfix SMTP server produces Received:  message
@@ -524,9 +524,9 @@ SMTPD(8)                                                              SMTPD(8)
 
        Available in Postfix version 2.6 and later:
 
-       <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (!SSLv2, !SSLv3)</b>
+       <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (see postconf -d output)</b>
-              List  of TLS protocols that the Postfix SMTP server will exclude
+              TLS  protocols  accepted  by the Postfix SMTP server with oppor-
-              or include with opportunistic TLS encryption.
+              tunistic TLS encryption.
 
        <b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (medium)</b>
               The minimum TLS cipher grade that the Postfix SMTP  server  will

postfix/man/man1/posttls-finger.1

@@ -230,8 +230,8 @@ Specify zero or more times to override the value of the main.cf
 parameter \fIname\fR with \fIvalue\fR.  Possible use\-cases include
 overriding the values of TLS library parameters, or "myhostname" to
 configure the SMTP EHLO name sent to the remote server.
-.IP "\fB\-p \fIprotocols\fR (default: !SSLv2)"
+.IP "\fB\-p \fIprotocols\fR (default: >=TLSv1)"
-List of TLS protocols that posttls\-finger will exclude or include.  See
+TLS protocols that posttls\-finger will exclude or include.  See
 smtp_tls_mandatory_protocols for details.
 .IP "\fB\-P \fICApath/\fR (default: none)"
 The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote

postfix/man/man5/postconf.5

@@ -3242,7 +3242,7 @@ The LMTP\-specific version of the smtp_tls_mandatory_exclude_ciphers
 configuration parameter.  See there for details.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH lmtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
+.SH lmtp_tls_mandatory_protocols (default: see postconf \-d output)
 The LMTP\-specific version of the smtp_tls_mandatory_protocols
 configuration parameter. See there for details.
 .PP
@@ -3262,7 +3262,7 @@ The LMTP\-specific version of the smtp_tls_policy_maps
 configuration parameter. See there for details.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH lmtp_tls_protocols (default: !SSLv2, !SSLv3)
+.SH lmtp_tls_protocols (default: see postconf \-d output)
 The LMTP\-specific version of the smtp_tls_protocols configuration
 parameter. See there for details.
 .PP
@@ -8373,78 +8373,102 @@ specified on a per\-destination basis via the TLS policy "exclude"
 attribute. See smtp_tls_policy_maps for notes and examples.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
+.SH smtp_tls_mandatory_protocols (default: see "postconf \-d" output)
-List of SSL/TLS protocols that the Postfix SMTP client will use with
+TLS protocols that the Postfix SMTP client will use with mandatory
-mandatory TLS encryption.  In main.cf the values are separated by
+TLS encryption.  In main.cf the values are separated by whitespace,
-whitespace, commas or colons. In the policy table "protocols" attribute
+commas or colons. In the policy table "protocols" attribute (see
-(see smtp_tls_policy_maps) the only valid separator is colon. An
+smtp_tls_policy_maps) the only valid separator is colon. An empty value
-empty value means allow all protocols. The valid protocol names, (see
+means allow all protocols.
-\\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1". The
-default value is "!SSLv2, !SSLv3" for Postfix releases after the
-middle of 2015, "!SSLv2" for older releases.
 .PP
-With Postfix >= 2.5 the parameter syntax was expanded to support
+The valid protocol names (see \fBSSL_get_version\fR(3)) are "SSLv2",
-protocol exclusions. One can explicitly exclude "SSLv2" by setting
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-"smtp_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
+Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
-"SSLv3" set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
+the lowest supported TLS protocol version (see below).  Older releases
-the protocols to include, rather than protocols to exclude, is
+use the "!" exclusion syntax, also described below.
-supported, but not recommended. The exclusion form more closely
-matches the underlying OpenSSL interface semantics.
 .PP
-The range of protocols advertised by an SSL/TLS client must be
+As of Postfix 3.6, the preferred way to limit the range of
-contiguous.  When a protocol version is enabled, disabling any
+acceptable protocols is to set a lowest acceptable TLS protocol version
-higher version implicitly disables all versions above that higher version.
+and/or a highest acceptable TLS protocol version.  To set the lower
-Thus, for example (assuming the OpenSSL library supports both SSLv2
+bound include an element of the form: ">=\fIversion\fR" where
-and SSLv3):
+\fIversion\fR is a either one of the TLS protocol names listed above,
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "<=\fIversion\fR".  There must be no whitespace between
+the ">=" or "<=" symbols and the protocol name or number.
+.PP
+Hexadecimal protocol numbers make it possible to specify protocol
+bounds for TLS versions that are known to OpenSSL, but might not be
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version.
+.PP
+Hexadecimal example (Postfix >= 3.6):
 .sp
 .in +4
 .nf
 .na
 .ft C
-smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtp_tls_mandatory_protocols = >=TLSv1.2, <=0305
+# Allow only TLS 1.2 and up:
+smtp_tls_mandatory_protocols = >=0x0303
 .fi
 .ad
 .ft R
 .in -4
-also disables any protocols version higher than TLSv1 leaving
-only "SSLv3" enabled.
 .PP
-Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+With Postfix < 3.6 there is no support for a minimum or maximum
-and "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1
+version, and the protocol range is configured via protocol exclusions.
-or later, these, or any other new protocol versions, cannot be
+To require at least TLS 1.0, set "smtp_tls_mandatory_protocols = !SSLv2,
-disabled except by also disabling "TLSv1" (typically leaving just
+!SSLv3". Listing the protocols to include, rather than protocols to
-"SSLv3").  The latest patch levels of Postfix >= 2.6, and all
+exclude, is supported, but not recommended.  The exclusion syntax more
-versions of Postfix >= 2.10 can explicitly disable support for
+accurately matches the underlying OpenSSL interface.
-"TLSv1.1" or "TLSv1.2".
 .PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+When using the exclusion syntax, take care to ensure that the range
->= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
+of protocols supported by the Postfixm SMTP client is contiguous.  When
-this can be disabled, if need be, via "!TLSv1.3".
+a protocol version is enabled, disabling any higher version implicitly
+disables all versions above that higher version.  Thus, for example:
+.sp
+.in +4
+.nf
+.na
+.ft C
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
+.fi
+.ad
+.ft R
+.in -4
 .PP
-At the dane and
+also disables any protocols version higher than TLSv1.1 leaving
-dane\-only security
+only "TLSv1" enabled.
-levels, when usable TLSA records are obtained for the remote SMTP
+.PP
-server, the Postfix SMTP client is obligated to include the SNI TLS
+Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
-extension in its SSL client hello message.  This may help the remote
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
-SMTP server live up to its promise to provide a certificate that
+releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
-matches its TLSA records.  Since TLS extensions require TLS 1.0 or
+.PP
-later, the Postfix SMTP client must disable "SSLv2" and "SSLv3" when
+While the vast majority of SMTP servers with DANE TLSA records now
-SNI is required.  If you use "dane" or "dane\-only" do not disable
+support at least TLS 1.2, a few still only support TLS 1.0.  If you use
-TLSv1, except perhaps via the policy table for destinations which
+"dane" or "dane\-only" it is best to not disable TLSv1, except perhaps
-you are sure will support "TLSv1.1" or "TLSv1.2".
+via the policy table for destinations which you are sure will support
+"TLSv1.2".
 .PP
 See the documentation of the smtp_tls_policy_maps parameter and
 TLS_README for more information about security levels.
 .PP
 Example:
-.PP
 .nf
 .na
 .ft C
-# Preferred syntax with Postfix >= 2.5:
+# Preferred syntax with Postfix >= 3.6:
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
 # Legacy syntax:
-smtp_tls_mandatory_protocols = TLSv1
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 .fi
 .ad
 .ft R
@@ -8716,59 +8740,91 @@ DNS forgery. Do not use the \fBhostname\fR strategy for secure\-channel
 configurations in environments where DNS security is not assured.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtp_tls_protocols (default: !SSLv2, !SSLv3)
+.SH smtp_tls_protocols (default: see postconf \-d output)
-List of TLS protocols that the Postfix SMTP client will exclude or
+TLS protocols that the Postfix SMTP client will use with
-include with opportunistic TLS encryption. The default value is
+opportunistic TLS encryption.  In main.cf the values are separated by
-"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
+whitespace, commas or colons. In the policy table "protocols" attribute
-"!SSLv2" for older releases. Before Postfix 2.6, the Postfix SMTP
+(see smtp_tls_policy_maps) the only valid separator is colon.  An empty
-client would use all protocols with opportunistic TLS.
+value means allow all protocols.
 .PP
-In main.cf the values are separated by whitespace, commas or
+The valid protocol names (see \fBSSL_get_version\fR(3)) are "SSLv2",
-colons. In the policy table (see smtp_tls_policy_maps) the only valid
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-separator is colon. An empty value means allow all protocols. The valid
+Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
-protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3"
+the lowest supported TLS protocol version (see below).  Older releases
-and "TLSv1".
+use the "!" exclusion syntax, also described below.
 .PP
-The range of protocols advertised by an SSL/TLS client must be
+As of Postfix 3.6, the preferred way to limit the range of
-contiguous.  When a protocol version is enabled, disabling any
+acceptable protocols is to set the lowest acceptable TLS protocol
-higher version implicitly disables all versions above that higher version.
+version and/or the highest acceptable TLS protocol version.  To set the
-Thus, for example (assuming the OpenSSL library supports both SSLv2
+lower bound include an element of the form: ">=\fIversion\fR" where
-and SSLv3):
+\fIversion\fR is a either one of the TLS protocol names listed above,
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "<=\fIversion\fR".  There must be no whitespace between
+the ">=" or "<=" symbols and the protocol name or number.
+.PP
+Hexadecimal protocol numbers make it possible to specify protocol
+bounds for TLS versions that are known to OpenSSL, but might not be
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version.
+.PP
+Hexadecimal example (Postfix >= 3.6):
 .sp
 .in +4
 .nf
 .na
 .ft C
-smtp_tls_protocols = !SSLv2, !TLSv1
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtp_tls_protocols = >=TLSv1, <=0305
+# Allow only TLS 1.0 and up:
+smtp_tls_protocols = >=0x0301
 .fi
 .ad
 .ft R
 .in -4
-also disables any protocols version higher than TLSv1 leaving
-only "SSLv3" enabled.
 .PP
-Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+With Postfix < 3.6 there is no support for a minimum or maximum
-and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
+version, and the protocol range is configured via protocol exclusions.
-versions of Postfix >= 2.10 can explicitly disable support for
+To require at least TLS 1.0, set "smtp_tls_protocols = !SSLv2, !SSLv3".
-"TLSv1.1" or "TLSv1.2"
+Listing the protocols to include, rather than protocols to exclude, is
+supported, but not recommended.  The exclusion form more accurately
+matches the underlying OpenSSL interface.
 .PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+When using the exclusion syntax, take care to ensure that the range of
->= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
+protocols advertised by an SSL/TLS client is contiguous.  When a protocol
-this can be disabled, if need be, via "!TLSv1.3".
+version is enabled, disabling any higher version implicitly disables all
+versions above that higher version.  Thus, for example:
+.sp
+.in +4
+.nf
+.na
+.ft C
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1
+.fi
+.ad
+.ft R
+.in -4
+also disables any protocols version higher than TLSv1.1 leaving
+only "TLSv1" enabled.
 .PP
-To include a protocol list its name, to exclude it, prefix the name
+Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
-with a "!" character. To exclude SSLv2 for opportunistic TLS set
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
-"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
+releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
-"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
-include, rather than protocols to exclude, is supported, but not
-recommended.  The exclusion form more closely matches the underlying
-OpenSSL interface semantics.
 .PP
 Example:
 .nf
 .na
 .ft C
-# TLSv1 or better:
+# Preferred syntax with Postfix >= 3.6:
+smtp_tls_protocols = >=TLSv1, <=TLSv1.3
+# Legacy syntax:
 smtp_tls_protocols = !SSLv2, !SSLv3
 .fi
 .ad
@@ -8947,12 +9003,13 @@ smtp_tls_security_level = none
 .ft C
 # Opportunistic TLS.
 smtp_tls_security_level = may
-# Postfix >= 2.6:
 # Do not tweak opportunistic ciphers or protocol unless it is essential
 # to do so (if a security vulnerability is found in the SSL library that
 # can be mitigated by disabling a particular protocol or raising the
-# cipher grade from "export" to "low" or "medium").
+# cipher grade).
-smtp_tls_ciphers = export
+smtp_tls_ciphers = medium
+smtp_tls_protocols = >=TLSv1
+# Legacy (Postfix < 3.6) syntax:
 smtp_tls_protocols = !SSLv2, !SSLv3
 .fi
 .ad
@@ -8971,22 +9028,12 @@ smtp_tls_mandatory_ciphers = high
 .nf
 .na
 .ft C
-# Mandatory TLS verification of hostname or nexthop domain.
+# Authenticated TLS 1.2 or better matching the nexthop domain or a
-smtp_tls_security_level = verify
+# subdomain.
-smtp_tls_mandatory_ciphers = high
-smtp_tls_verify_cert_match = hostname, nexthop, dot\-nexthop
-.fi
-.ad
-.ft R
-.PP
-.nf
-.na
-.ft C
-# Secure channel TLS with exact nexthop name match.
 smtp_tls_security_level = secure
-smtp_tls_mandatory_protocols = TLSv1
 smtp_tls_mandatory_ciphers = high
-smtp_tls_secure_cert_match = nexthop
+smtp_tls_mandatory_protocols = >=TLSv1.2
+smtp_tls_secure_cert_match = nexthop, dot\-nexthop
 .fi
 .ad
 .ft R
@@ -8997,15 +9044,15 @@ smtp_tls_secure_cert_match = nexthop
 # Certificate fingerprint verification (Postfix >= 2.5).
 # The CA\-less "fingerprint" security level only scales to a limited
 # number of destinations. As a global default rather than a per\-site
-# setting, this is practical when mail for all recipients is sent
+# setting, this is practical only when mail for all recipients is sent
 # to a central mail hub.
 relayhost = [mailhub.example.com]
 smtp_tls_security_level = fingerprint
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_mandatory_protocols = >=TLSv1.2
 smtp_tls_mandatory_ciphers = high
 smtp_tls_fingerprint_cert_match =
-    3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
+    3D:95:34:51:...:40:99:C0:C1
-    EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
+    EC:3B:2D:B0:...:A3:9D:72:F6
 .fi
 .ad
 .ft R
@@ -12280,80 +12327,147 @@ works in addition to the exclusions listed with smtpd_tls_exclude_ciphers
 (see there for syntax details).
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtpd_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
+.SH smtpd_tls_mandatory_protocols (default: see "postconf \-d" output)
-The SSL/TLS protocols accepted by the Postfix SMTP server with
+TLS protocols accepted by the Postfix SMTP server with mandatory TLS
-mandatory TLS encryption. If the list is empty, the server supports
+encryption.  If the list is empty, the server supports all available TLS
-all available SSL/TLS protocol versions.  A non\-empty value is a
+protocol versions.  A non\-empty value is a list of protocol names to
-list of protocol names separated by whitespace, commas or colons.
+include or exclude, separated by whitespace, commas or colons.
-The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and
-are not case sensitive. The default value is "!SSLv2, !SSLv3" for
-Postfix releases after the middle of 2015, "!SSLv2" for older
-releases.
 .PP
-With Postfix >= 2.5 the parameter syntax was expanded to support
+The valid protocol names (see \fBSSL_get_version\fR(3)) are "SSLv2",
-protocol exclusions. One can explicitly exclude "SSLv2" by setting
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-"smtpd_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
+Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
-"SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
+the lowest supported TLS protocol version (see below).  Older releases
-the protocols to include, rather than protocols to exclude, is
+use the "!" exclusion syntax, also described below.
-supported, but not recommended. The exclusion form more closely
-matches the underlying OpenSSL interface semantics.
 .PP
-Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+As of Postfix 3.6, the preferred way to limit the range of
-and "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1
+acceptable protocols is to set the lowest acceptable TLS protocol
-or later, these, or any other new protocol versions, cannot be
+version and/or the highest acceptable TLS protocol version.  To set the
-disabled.  The latest patch levels of Postfix >= 2.6, and all
+lower bound include an element of the form: ">=\fIversion\fR" where
-versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
+\fIversion\fR is a either one of the TLS protocol names listed above,
-"TLSv1.2".
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "<=\fIversion\fR".  There must be no whitespace between
+the ">=" or "<=" symbols and the protocol name or number.
 .PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+Hexadecimal protocol numbers make it possible to specify protocol
->= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
+bounds for TLS versions that are known to OpenSSL, but might not be
-this can be disabled, if need be, via "!TLSv1.3".
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version.
+.PP
+Hexadecimal example (Postfix >= 3.6):
+.sp
+.in +4
+.nf
+.na
+.ft C
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtpd_tls_mandatory_protocols = >=TLSv1.2, <=0305
+# Allow only TLS 1.2 and up:
+smtpd_tls_mandatory_protocols = >=0x0303
+.fi
+.ad
+.ft R
+.in -4
+.PP
+With Postfix < 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "smtpd_tls_mandatory_protocols =
+!SSLv2, !SSLv3".  Listing the protocols to include, rather than
+protocols to exclude, is supported, but not recommended.  The exclusion
+form more accurately matches the underlying OpenSSL interface.
+.PP
+Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
 .PP
 Example:
 .PP
 .nf
 .na
 .ft C
-# Preferred syntax with Postfix >= 2.5:
+# Preferred syntax with Postfix >= 3.6:
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
 # Legacy syntax:
-smtpd_tls_mandatory_protocols = TLSv1
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 .fi
 .ad
 .ft R
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtpd_tls_protocols (default: !SSLv2, !SSLv3)
+.SH smtpd_tls_protocols (default: see postconf \-d output)
-List of TLS protocols that the Postfix SMTP server will exclude
+TLS protocols accepted by the Postfix SMTP server with opportunistic
-or include with opportunistic TLS encryption. The default value is
+TLS encryption. If the list is empty, the server supports all available
-"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
+TLS protocol versions.  A non\-empty value is a list of protocol names to
-empty for older releases allowing all protocols to be
+include or exclude, separated by whitespace, commas or colons.
-used with opportunistic TLS.  A non\-empty value is a list of protocol
-names separated by whitespace, commas or colons.  The supported
-protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case
-sensitive.
 .PP
-Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+The valid protocol names (see \fBSSL_get_version\fR(3)) are "SSLv2",
-and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
+Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
-"TLSv1.2".
+the lowest supported TLS protocol version (see below).  Older releases
+use the "!" exclusion syntax, also described below.
 .PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+As of Postfix 3.6, the preferred way to limit the range of
->= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
+acceptable protocols is to set the lowest acceptable TLS protocol
-this can be disabled, if need be, via "!TLSv1.3".
+version and/or the highest acceptable TLS protocol version.  To set the
+lower bound include an element of the form: ">=\fIversion\fR" where
+\fIversion\fR is a either one of the TLS protocol names listed above,
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "<=\fIversion\fR".  There must be no whitespace between
+the ">=" or "<=" symbols and the protocol name or number.
 .PP
-To include a protocol list its name, to exclude it, prefix the name
+Hexadecimal protocol numbers make it possible to specify protocol
-with a "!" character. To exclude SSLv2 for opportunistic TLS set
+bounds for TLS versions that are known to OpenSSL, but might not be
-"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
-"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
+Leading "0" or "0x" prefixes are supported, but not required.
-include, rather than protocols to exclude, is supported, but not
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
-recommended.  The exclusion form more closely matches the underlying
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
-OpenSSL interface semantics.
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version.
+.PP
+Hexadecimal example (Postfix >= 3.6):
+.sp
+.in +4
+.nf
+.na
+.ft C
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtpd_tls_protocols = >=TLSv1, <=0305
+# Allow only TLS 1.0 and up:
+smtpd_tls_protocols = >=0x0301
+.fi
+.ad
+.ft R
+.in -4
+.PP
+With Postfix < 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "smtpd_tls_protocols = !SSLv2, !SSLv3".
+Listing the protocols to include, rather than protocols to exclude, is
+supported, but not recommended.  The exclusion form more accurately
+matches the underlying OpenSSL interface.
+.PP
+Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
 .PP
 Example:
 .nf
 .na
 .ft C
+# Preferred syntax with Postfix >= 3.6:
+smtpd_tls_protocols = >=TLSv1, <=TLSv1.3
+# Legacy syntax:
 smtpd_tls_protocols = !SSLv2, !SSLv3
 .fi
 .ad
@@ -12845,7 +12959,7 @@ bug work\-arounds to disable.
 If the value of the parameter is a hexadecimal long integer starting
 with "0x", the bug work\-arounds corresponding to the bits specified in
 its value are removed from the \fBSSL_OP_ALL\fR work\-around bit\-mask
-(see openssl/ssl.h and SSL_CTX_\fBset_options\fR(3)). You can specify more
+(see openssl/ssl.h and \fBSSL_CTX_set_options\fR(3)). You can specify more
 bits than are present in SSL_OP_ALL, excess bits are ignored. Specifying
 0xFFFFFFFF disables all bug\-workarounds on a 32\-bit system. This should
 also be sufficient on 64\-bit systems, until OpenSSL abandons support
@@ -12863,17 +12977,17 @@ OpenSSL 1.0.0.
 .br
 .IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fR"
 See
-SSL_CTX_\fBset_options\fR(3)
+\fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBLEGACY_SERVER_CONNECT\fR"
-See SSL_CTX_\fBset_options\fR(3)
+See \fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBMICROSOFT_BIG_SSLV3_BUFFER\fR"
 See
-SSL_CTX_\fBset_options\fR(3)
+\fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBMICROSOFT_SESS_ID_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3)
+See \fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBMSIE_SSLV2_RSA_PADDING\fR"
 also aliased as
@@ -12882,7 +12996,7 @@ default with OpenSSL versions that may predate the fix. Fixed in
 OpenSSL 0.9.7h and OpenSSL 0.9.8a.
 .br
 .IP "\fBNETSCAPE_CHALLENGE_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3)
+See \fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR"
 also aliased
@@ -12892,25 +13006,25 @@ OpenSSL 0.9.8q and OpenSSL 1.0.0c.
 .br
 .IP "\fBSSLEAY_080_CLIENT_DH_BUG\fR"
 See
-SSL_CTX_\fBset_options\fR(3)
+\fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fR"
 See
-SSL_CTX_\fBset_options\fR(3)
+\fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBTLS_BLOCK_PADDING_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3)
+See \fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBTLS_D5_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3)
+See \fBSSL_CTX_set_options\fR(3)
 .br
 .IP "\fBTLS_ROLLBACK_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3).
+See \fBSSL_CTX_set_options\fR(3).
 This is disabled in OpenSSL 0.9.7 and later. Nobody should still
 be using 0.9.6!
 .br
 .IP "\fBTLSEXT_PADDING\fR"
-Postfix >= 3.4. See SSL_CTX_\fBset_options\fR(3).
+Postfix >= 3.4. See \fBSSL_CTX_set_options\fR(3).
 .br
 .br
 .PP
@@ -13291,7 +13405,7 @@ solution.
 .PP
 If the value of the parameter is a hexadecimal long integer
 starting with "0x", the options corresponding to the bits specified
-in its value are enabled (see openssl/ssl.h and SSL_CTX_\fBset_options\fR(3)).
+in its value are enabled (see openssl/ssl.h and \fBSSL_CTX_set_options\fR(3)).
 You can only enable options not already controlled by other Postfix
 settings.  For example, you cannot disable protocols or enable
 server cipher preference.  Do not attempt to turn all features by
@@ -13301,16 +13415,16 @@ if/when they're no longer enabled by default.  The supported values
 include:
 .IP "\fBENABLE_MIDDLEBOX_COMPAT\fR"
 Postfix >= 3.4. See
-SSL_CTX_\fBset_options\fR(3).
+\fBSSL_CTX_set_options\fR(3).
 .br
 .IP "\fBLEGACY_SERVER_CONNECT\fR"
-See SSL_CTX_\fBset_options\fR(3).
+See \fBSSL_CTX_set_options\fR(3).
 .br
 .IP "\fBNO_TICKET\fR"
 Enabled by default when needed in
 fully\-patched Postfix >= 2.7.  Not needed at all for Postfix >=
 2.11, unless for some reason you do not want to support TLS session
-resumption.  Best not set explicitly.  See SSL_CTX_\fBset_options\fR(3).
+resumption.  Best not set explicitly.  See \fBSSL_CTX_set_options\fR(3).
 .br
 .IP "\fBNO_COMPRESSION\fR"
 Disable SSL compression even if
@@ -13320,14 +13434,14 @@ and compression before encryption does not always improve security.
 .IP "\fBNO_RENEGOTIATION\fR"
 Postfix >= 3.4.  This can
 reduce opportunities for a potential CPU exhaustion attack.  See
-SSL_CTX_\fBset_options\fR(3).
+\fBSSL_CTX_set_options\fR(3).
 .br
 .IP "\fBNO_SESSION_RESUMPTION_ON_RENEGOTIATION\fR"
 Postfix
->= 3.4. See SSL_CTX_\fBset_options\fR(3).
+>= 3.4. See \fBSSL_CTX_set_options\fR(3).
 .br
 .IP "\fBPRIORITIZE_CHACHA\fR"
-Postfix >= 3.4. See SSL_CTX_\fBset_options\fR(3).
+Postfix >= 3.4. See \fBSSL_CTX_set_options\fR(3).
 .br
 .br
 .PP

postfix/man/man8/smtp.8

@@ -482,9 +482,9 @@ when TLS is not already enabled for that server.
 Optional lookup tables with the Postfix SMTP client TLS security
 policy by next\-hop destination; when a non\-empty value is specified,
 this overrides the obsolete smtp_tls_per_site parameter.
-.IP "\fBsmtp_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR"
+.IP "\fBsmtp_tls_mandatory_protocols (see 'postconf -d' output)\fR"
-List of SSL/TLS protocols that the Postfix SMTP client will use with
+TLS protocols that the Postfix SMTP client will use with mandatory
-mandatory TLS encryption.
+TLS encryption.
 .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
 The verification depth for remote SMTP server certificates.
 .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot\-nexthop)\fR"
@@ -532,9 +532,9 @@ The message digest algorithm used to construct remote SMTP server
 certificate fingerprints.
 .PP
 Available in Postfix version 2.6 and later:
-.IP "\fBsmtp_tls_protocols (!SSLv2, !SSLv3)\fR"
+.IP "\fBsmtp_tls_protocols (see postconf -d output)\fR"
-List of TLS protocols that the Postfix SMTP client will exclude or
+TLS protocols that the Postfix SMTP client will use with
-include with opportunistic TLS encryption.
+opportunistic TLS encryption.
 .IP "\fBsmtp_tls_ciphers (medium)\fR"
 The minimum TLS cipher grade that the Postfix SMTP client
 will use with opportunistic TLS encryption.

postfix/man/man8/smtpd.8

@@ -439,9 +439,9 @@ use with mandatory TLS encryption.
 .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
 Additional list of ciphers or cipher types to exclude from the
 Postfix SMTP server cipher list at mandatory TLS security levels.
-.IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR"
+.IP "\fBsmtpd_tls_mandatory_protocols (see 'postconf -d' output)\fR"
-The SSL/TLS protocols accepted by the Postfix SMTP server with
+TLS protocols accepted by the Postfix SMTP server with mandatory TLS
-mandatory TLS encryption.
+encryption.
 .IP "\fBsmtpd_tls_received_header (no)\fR"
 Request that the Postfix SMTP server produces Received:  message
 headers that include information about the protocol and cipher used,
@@ -476,9 +476,9 @@ fingerprints or public key fingerprints (Postfix 2.9 and later) for
 \fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR.
 .PP
 Available in Postfix version 2.6 and later:
-.IP "\fBsmtpd_tls_protocols (!SSLv2, !SSLv3)\fR"
+.IP "\fBsmtpd_tls_protocols (see postconf -d output)\fR"
-List of TLS protocols that the Postfix SMTP server will exclude
+TLS protocols accepted by the Postfix SMTP server with opportunistic
-or include with opportunistic TLS encryption.
+TLS encryption.
 .IP "\fBsmtpd_tls_ciphers (medium)\fR"
 The minimum TLS cipher grade that the Postfix SMTP server
 will use with opportunistic TLS encryption.

postfix/mantools/postconf2man

@@ -88,7 +88,7 @@ while(<>) {
     $block =~ s/\s+\n/\n/g;
     $block =~ s/^\n//g;
     $block =~ s/\s*<\s*nroffescape\s+([^ >]+)\s*>\s*/\n\1\n/g;
-    $block =~ s/([a-z][_a-zA-Z0-9-]*)(\([0-9]\))/\\fB\1\\fR\2/g;
+    $block =~ s/([A-Za-z][_a-zA-Z0-9-]*)(\([0-9]\))/\\fB\1\\fR\2/g;
     print $block;
     $wantpp = !($block =~ /^\.(SH|IP)/);
 }

postfix/proto/TLS_README.html

@@ -179,10 +179,10 @@ configurations will not accidentally enable TLS without certificates.  </p>
 
 <p> Note that server certificates are <b>not</b> optional in TLS 1.3. To
 run without certificates you'd have to disable the TLS 1.3 protocol by
-including '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also
+including "&lt;=TLSv1.2" (or, for Postfix &lt; 3.6, "!TLSv1.3") in
-"smtpd_tls_mandatory_protocols".  It is simpler instead to just
+"smtpd_tls_protocols" and perhaps also "smtpd_tls_mandatory_protocols".
-configure a certificate chain.  Certificate-less operation is not
+It is simpler instead to just configure a certificate chain.
-recommended. <p>
+Certificate-less operation is not recommended. <p>
 
 <p> RSA, DSA and ECDSA (Postfix &ge; 2.6) certificates are supported.
 Most sites only have RSA certificates.  You can configure all three
@@ -891,7 +891,7 @@ after the middle of 2015; older releases only disable SSLv2 for
 mandatory TLS. The mandatory TLS protocol list is specified via the
 smtpd_tls_mandatory_protocols configuration parameter.  The
 smtpd_tls_protocols parameter (Postfix &ge; 2.6)
-controls the SSL/TLS protocols used with opportunistic TLS. </p>
+controls the TLS protocols used with opportunistic TLS. </p>
 
 <p> Note that the OpenSSL library only supports protocol exclusion
 (not inclusion). For this reason, Postfix can exclude only protocols
@@ -909,8 +909,8 @@ that TLSv1.3 be explicitly disabled. Therefore, they are not
 recommended, it is better and simpler to just configure a suitable
 certificate. </p>
 
-<p> Example, MSA that requires TLSv1 or higher, not SSLv2 or SSLv3,
+<p> Example, MSA that requires TLSv1.2 or higher, with high grade
-with high grade ciphers: </p>
+ciphers: </p>
 
 <blockquote>
 <pre>
@@ -920,10 +920,10 @@ with high grade ciphers: </p>
     smtpd_tls_mandatory_ciphers = high
     smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
     smtpd_tls_security_level = encrypt
-    # Preferred syntax with Postfix &ge; 2.5:
+    # Preferred syntax with Postfix &ge; 3.6:
-    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+    smtpd_tls_mandatory_protocols = &gt;=TLSv1.2
     # Legacy syntax:
-    smtpd_tls_mandatory_protocols = TLSv1
+    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 </pre>
 </blockquote>
 
@@ -1263,9 +1263,10 @@ just in case the transport table entries are not specified consistently. </p>
     submission      587/tcp         msa             # mail message submission
 
 /etc/postfix/tls_policy:
-    [example.net]:587 encrypt protocols=TLSv1 ciphers=high
+    # Postfix &ge; 3.6 "protocols" syntax
-    [example.net]:msa encrypt protocols=TLSv1 ciphers=high
+    [example.net]:587 encrypt protocols=&gt;=TLSv1.2 ciphers=high
-    [example.net]:submission encrypt protocols=TLSv1 ciphers=high
+    # Legacy "protocols" syntax
+    [example.net]:msa encrypt protocols=!SSLv2:!SSLv3 ciphers=high
 </pre>
 </blockquote>
 
@@ -2398,8 +2399,10 @@ Example:
     [thumb.example.org]         fingerprint
 	match=b6:b4:72:34:e2:59:cd:fb:...:0d:4d:cc:2c:7d:84:de:e6:2f
 	match=51:e9:af:2e:1e:40:1f:de:...:35:2d:09:16:31:5a:eb:82:76
-    # Postfix 2.6 and later
+    # Postfix &ge; 3.6 "protocols" syntax
-    example.info            may protocols=!SSLv2 ciphers=medium exclude=3DES
+    example.info            may protocols=&gt;=TLSv1 ciphers=medium exclude=3DES
+    # Legacy protocols syntax
+    example.info            may protocols=!SSLv2:!SSLv3 ciphers=medium exclude=3DES
 </pre>
 </blockquote>
 
@@ -2494,7 +2497,7 @@ SMTP client will by default disable SSLv2 and SSLv3. The mandatory
 TLS protocol list is specified via the
 smtp_tls_mandatory_protocols configuration parameter.  The corresponding
 smtp_tls_protocols parameter (Postfix &ge; 2.6) controls
-the SSL/TLS protocols used with opportunistic TLS. </p>
+the TLS protocols used with opportunistic TLS. </p>
 
 <p> Example: </p>
  
@@ -2504,13 +2507,13 @@ the SSL/TLS protocols used with opportunistic TLS. </p>
     smtp_tls_mandatory_ciphers = medium
     smtp_tls_mandatory_exclude_ciphers = RC4, MD5
     smtp_tls_exclude_ciphers = aNULL
-    # Preferred form with Postfix &ge; 2.5:
-    smtp_tls_mandatory_protocols = !SSLv2
-    # Legacy form for Postfix &lt; 2.5:
-    smtp_tls_mandatory_protocols = SSLv3, TLSv1
-    # Also available with Postfix &ge; 2.6:
     smtp_tls_ciphers = medium
-    smtp_tls_protocols = !SSLv2
+    # Preferred form with Postfix &ge; 3.6:
+    smtp_tls_mandatory_protocols = &gt;=TLSv1.2
+    smtp_tls_protocols = &gt;=TLSv1
+    # Legacy form for Postfix &lt; 3.6:
+    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+    smtp_tls_protocols = !SSLv2,!SSLv3
 </pre>
 </blockquote>
 

postfix/proto/postconf.proto

@@ -11299,74 +11299,92 @@ configurations in environments where DNS security is not assured. </p>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
 
-%PARAM smtp_tls_mandatory_protocols !SSLv2, !SSLv3
+%PARAM smtp_tls_mandatory_protocols see "postconf -d" output
 
-<p> List of SSL/TLS protocols that the Postfix SMTP client will use with
+<p> TLS protocols that the Postfix SMTP client will use with mandatory
-mandatory TLS encryption.  In main.cf the values are separated by
+TLS encryption.  In main.cf the values are separated by whitespace,
-whitespace, commas or colons. In the policy table "protocols" attribute
+commas or colons. In the policy table "protocols" attribute (see
-(see smtp_tls_policy_maps) the only valid separator is colon. An
+smtp_tls_policy_maps) the only valid separator is colon. An empty value
-empty value means allow all protocols. The valid protocol names, (see
+means allow all protocols. </p>
-<b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and "TLSv1". The
-default value is "!SSLv2, !SSLv3" for Postfix releases after the
-middle of 2015, "!SSLv2" for older releases. </p>
 
-<p> With Postfix &ge; 2.5 the parameter syntax was expanded to support
+<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
-protocol exclusions. One can explicitly exclude "SSLv2" by setting
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-"smtp_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
+Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
-"SSLv3" set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
+the lowest supported TLS protocol version (see below).  Older releases
-the protocols to include, rather than protocols to exclude, is
+use the "!" exclusion syntax, also described below.  </p>
-supported, but not recommended. The exclusion form more closely
-matches the underlying OpenSSL interface semantics.
-</p>
 
-<p> The range of protocols advertised by an SSL/TLS client must be
+<p> As of Postfix 3.6, the preferred way to limit the range of
-contiguous.  When a protocol version is enabled, disabling any
+acceptable protocols is to set a lowest acceptable TLS protocol version
-higher version implicitly disables all versions above that higher version.
+and/or a highest acceptable TLS protocol version.  To set the lower
-Thus, for example (assuming the OpenSSL library supports both SSLv2
+bound include an element of the form: "&gt;=<i>version</i>" where
-and SSLv3):
+<i>version</i> is a either one of the TLS protocol names listed above,
-</p>
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "&lt;=<i>version</i>".  There must be no whitespace between
+the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
+
+<p> Hexadecimal protocol numbers make it possible to specify protocol
+bounds for TLS versions that are known to OpenSSL, but might not be
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version. </p>
+
+<p>Hexadecimal example (Postfix &ge; 3.6):</p>
 <blockquote>
 <pre>
-smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtp_tls_mandatory_protocols = &gt;=TLSv1.2, &lt;=0305
+# Allow only TLS 1.2 and up:
+smtp_tls_mandatory_protocols = &gt;=0x0303
 </pre>
 </blockquote>
-<p> also disables any protocols version higher than TLSv1 leaving
-only "SSLv3" enabled.  </p>
 
-<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
-and "TLSv1.2". When Postfix &le; 2.5 is linked against OpenSSL 1.0.1
+version, and the protocol range is configured via protocol exclusions.
-or later, these, or any other new protocol versions, cannot be
+To require at least TLS 1.0, set "smtp_tls_mandatory_protocols = !SSLv2,
-disabled except by also disabling "TLSv1" (typically leaving just
+!SSLv3". Listing the protocols to include, rather than protocols to
-"SSLv3").  The latest patch levels of Postfix &ge; 2.6, and all
+exclude, is supported, but not recommended.  The exclusion syntax more
-versions of Postfix &ge; 2.10 can explicitly disable support for
+accurately matches the underlying OpenSSL interface.  </p>
-"TLSv1.1" or "TLSv1.2". </p>
 
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+<p> When using the exclusion syntax, take care to ensure that the range
-&ge; 3.4 (or patch releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
+of protocols supported by the Postfix SMTP client is contiguous.  When
-this can be disabled, if need be, via "!TLSv1.3". </p>
+a protocol version is enabled, disabling any higher version implicitly
+disables all versions above that higher version.  Thus, for example: </p>
 
-<p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and
+<blockquote>
-<a href="TLS_README.html#client_tls_dane">dane-only</a> security
+<pre>
-levels, when usable TLSA records are obtained for the remote SMTP
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
-server, the Postfix SMTP client is obligated to include the SNI TLS
+</pre>
-extension in its SSL client hello message.  This may help the remote
+</blockquote>
-SMTP server live up to its promise to provide a certificate that
+
-matches its TLSA records.  Since TLS extensions require TLS 1.0 or
+<p> also disables any protocols version higher than TLSv1.1 leaving
-later, the Postfix SMTP client must disable "SSLv2" and "SSLv3" when
+only "TLSv1" enabled.  </p>
-SNI is required.  If you use "dane" or "dane-only" do not disable
+
-TLSv1, except perhaps via the policy table for destinations which
+<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
-you are sure will support "TLSv1.1" or "TLSv1.2".  </p>
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
+
+<p> While the vast majority of SMTP servers with DANE TLSA records now
+support at least TLS 1.2, a few still only support TLS 1.0.  If you use
+"dane" or "dane-only" it is best to not disable TLSv1, except perhaps
+via the policy table for destinations which you are sure will support
+"TLSv1.2".  </p>
 
 <p> See the documentation of the smtp_tls_policy_maps parameter and
 TLS_README for more information about security levels. </p>
 
 <p> Example: </p>
-
 <pre>
-# Preferred syntax with Postfix &ge; 2.5:
+# Preferred syntax with Postfix &ge; 3.6:
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_mandatory_protocols = &gt;=TLSv1.2, &lt;=TLSv1.3
 # Legacy syntax:
-smtp_tls_mandatory_protocols = TLSv1
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 </pre>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
@@ -11495,7 +11513,7 @@ configuration parameter. See there for details. </p>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
 
-%PARAM lmtp_tls_mandatory_protocols !SSLv2, !SSLv3
+%PARAM lmtp_tls_mandatory_protocols see postconf -d output
 
 <p> The LMTP-specific version of the smtp_tls_mandatory_protocols
 configuration parameter. See there for details. </p>
@@ -11516,43 +11534,69 @@ configuration parameter. See there for details. </p>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
 
-%PARAM smtpd_tls_mandatory_protocols !SSLv2, !SSLv3
+%PARAM smtpd_tls_mandatory_protocols see "postconf -d" output
 
-<p> The SSL/TLS protocols accepted by the Postfix SMTP server with
+<p> TLS protocols accepted by the Postfix SMTP server with mandatory TLS
-mandatory TLS encryption. If the list is empty, the server supports
+encryption.  If the list is empty, the server supports all available TLS
-all available SSL/TLS protocol versions.  A non-empty value is a
+protocol versions.  A non-empty value is a list of protocol names to
-list of protocol names separated by whitespace, commas or colons.
+include or exclude, separated by whitespace, commas or colons.  </p>
-The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and
-are not case sensitive. The default value is "!SSLv2, !SSLv3" for
-Postfix releases after the middle of 2015, "!SSLv2" for older
-releases. </p>
 
-<p> With Postfix &ge; 2.5 the parameter syntax was expanded to support
+<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
-protocol exclusions. One can explicitly exclude "SSLv2" by setting
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-"smtpd_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
+Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
-"SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
+the lowest supported TLS protocol version (see below).  Older releases
-the protocols to include, rather than protocols to exclude, is
+use the "!" exclusion syntax, also described below.  </p>
-supported, but not recommended. The exclusion form more closely
-matches the underlying OpenSSL interface semantics.  </p>
 
-<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+<p> As of Postfix 3.6, the preferred way to limit the range of
-and "TLSv1.2". When Postfix &le; 2.5 is linked against OpenSSL 1.0.1
+acceptable protocols is to set the lowest acceptable TLS protocol
-or later, these, or any other new protocol versions, cannot be
+version and/or the highest acceptable TLS protocol version.  To set the
-disabled.  The latest patch levels of Postfix &ge; 2.6, and all
+lower bound include an element of the form: "&gt;=<i>version</i>" where
-versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
+<i>version</i> is a either one of the TLS protocol names listed above,
-"TLSv1.2". </p>
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "&lt;=<i>version</i>".  There must be no whitespace between
+the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
 
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+<p> Hexadecimal protocol numbers make it possible to specify protocol
-&ge; 3.4 (or patch releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
+bounds for TLS versions that are known to OpenSSL, but might not be
-this can be disabled, if need be, via "!TLSv1.3". </p>
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version. </p>
+
+<p>Hexadecimal example (Postfix &ge; 3.6):</p>
+<blockquote>
+<pre>
+# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtpd_tls_mandatory_protocols = &gt;=TLSv1.2, &lt;=0305
+# Allow only TLS 1.2 and up:
+smtpd_tls_mandatory_protocols = &gt;=0x0303
+</pre>
+</blockquote>
+
+<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "smtpd_tls_mandatory_protocols =
+!SSLv2, !SSLv3".  Listing the protocols to include, rather than
+protocols to exclude, is supported, but not recommended.  The exclusion
+form more accurately matches the underlying OpenSSL interface.  </p>
+
+<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
 
 <p> Example: </p>
 
 <pre>
-# Preferred syntax with Postfix &ge; 2.5:
+# Preferred syntax with Postfix &ge; 3.6:
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_protocols = &gt;=TLSv1.2, &lt;=TLSv1.3
 # Legacy syntax:
-smtpd_tls_mandatory_protocols = TLSv1
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 </pre>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
@@ -11674,12 +11718,13 @@ smtp_tls_security_level = none
 <pre>
 # Opportunistic TLS.
 smtp_tls_security_level = may
-# Postfix &ge; 2.6:
 # Do not tweak opportunistic ciphers or protocol unless it is essential
 # to do so (if a security vulnerability is found in the SSL library that
 # can be mitigated by disabling a particular protocol or raising the
-# cipher grade from "export" to "low" or "medium").
+# cipher grade).
-smtp_tls_ciphers = export
+smtp_tls_ciphers = medium
+smtp_tls_protocols = &gt;=TLSv1
+# Legacy (Postfix &lt; 3.6) syntax:
 smtp_tls_protocols = !SSLv2, !SSLv3
 </pre>
 
@@ -11690,33 +11735,27 @@ smtp_tls_mandatory_ciphers = high
 </pre>
 
 <pre>
-# Mandatory TLS verification of hostname or nexthop domain.
+# Authenticated TLS 1.2 or better matching the nexthop domain or a
-smtp_tls_security_level = verify
+# subdomain.
-smtp_tls_mandatory_ciphers = high
-smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
-</pre>
-
-<pre>
-# Secure channel TLS with exact nexthop name match.
 smtp_tls_security_level = secure
-smtp_tls_mandatory_protocols = TLSv1
 smtp_tls_mandatory_ciphers = high
-smtp_tls_secure_cert_match = nexthop
+smtp_tls_mandatory_protocols = &gt;=TLSv1.2
+smtp_tls_secure_cert_match = nexthop, dot-nexthop
 </pre>
 
 <pre>
 # Certificate fingerprint verification (Postfix &ge; 2.5).
 # The CA-less "fingerprint" security level only scales to a limited
 # number of destinations. As a global default rather than a per-site
-# setting, this is practical when mail for all recipients is sent
+# setting, this is practical only when mail for all recipients is sent
 # to a central mail hub.
 relayhost = [mailhub.example.com]
 smtp_tls_security_level = fingerprint
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_mandatory_protocols = &gt;=TLSv1.2
 smtp_tls_mandatory_ciphers = high
 smtp_tls_fingerprint_cert_match = 
-    3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
+    3D:95:34:51:...:40:99:C0:C1
-    EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
+    EC:3B:2D:B0:...:A3:9D:72:F6
 </pre>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
@@ -12640,95 +12679,153 @@ the hostname and IP address. The logging format is "host[address]:port".
 
 <p> This feature is available in Postfix 2.5 and later. </p>
 
-%PARAM smtp_tls_protocols !SSLv2, !SSLv3
+%PARAM smtp_tls_protocols see postconf -d output
 
-<p> List of TLS protocols that the Postfix SMTP client will exclude or
+<p> TLS protocols that the Postfix SMTP client will use with
-include with opportunistic TLS encryption. The default value is
+opportunistic TLS encryption.  In main.cf the values are separated by
-"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
+whitespace, commas or colons. In the policy table "protocols" attribute
-"!SSLv2" for older releases. Before Postfix 2.6, the Postfix SMTP
+(see smtp_tls_policy_maps) the only valid separator is colon.  An empty
-client would use all protocols with opportunistic TLS. </p>
+value means allow all protocols. </p>
 
-<p> In main.cf the values are separated by whitespace, commas or
+<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
-colons. In the policy table (see smtp_tls_policy_maps) the only valid
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-separator is colon. An empty value means allow all protocols. The valid
+Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
-protocol names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3"
+the lowest supported TLS protocol version (see below).  Older releases
-and "TLSv1". </p>
+use the "!" exclusion syntax, also described below.  </p>
 
-<p> The range of protocols advertised by an SSL/TLS client must be
+<p> As of Postfix 3.6, the preferred way to limit the range of
-contiguous.  When a protocol version is enabled, disabling any
+acceptable protocols is to set the lowest acceptable TLS protocol
-higher version implicitly disables all versions above that higher version.
+version and/or the highest acceptable TLS protocol version.  To set the
-Thus, for example (assuming the OpenSSL library supports both SSLv2
+lower bound include an element of the form: "&gt;=<i>version</i>" where
-and SSLv3):
+<i>version</i> is a either one of the TLS protocol names listed above,
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "&lt;=<i>version</i>".  There must be no whitespace between
+the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
+
+<p> Hexadecimal protocol numbers make it possible to specify protocol
+bounds for TLS versions that are known to OpenSSL, but might not be
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
+Leading "0" or "0x" prefixes are supported, but not required.
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version. </p>
+
+<p>Hexadecimal example (Postfix &ge; 3.6):</p>
+<blockquote>
+<pre>
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtp_tls_protocols = &gt;=TLSv1, &lt;=0305
+# Allow only TLS 1.0 and up:
+smtp_tls_protocols = &gt;=0x0301
+</pre>
+</blockquote>
+
+<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "smtp_tls_protocols = !SSLv2, !SSLv3".
+Listing the protocols to include, rather than protocols to exclude, is
+supported, but not recommended.  The exclusion form more accurately
+matches the underlying OpenSSL interface.  </p>
+
+<p> When using the exclusion syntax, take care to ensure that the range of
+protocols advertised by an SSL/TLS client is contiguous.  When a protocol
+version is enabled, disabling any higher version implicitly disables all
+versions above that higher version.  Thus, for example:
 </p>
 <blockquote>
 <pre>
-smtp_tls_protocols = !SSLv2, !TLSv1
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1
 </pre>
 </blockquote>
-<p> also disables any protocols version higher than TLSv1 leaving
+<p> also disables any protocols version higher than TLSv1.1 leaving
-only "SSLv3" enabled.  </p>
+only "TLSv1" enabled.  </p>
 
-<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
-and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
-versions of Postfix &ge; 2.10 can explicitly disable support for
+releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
-"TLSv1.1" or "TLSv1.2"</p>
-
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
-&ge; 3.4 (or patch releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
-this can be disabled, if need be, via "!TLSv1.3". </p>
-
-<p> To include a protocol list its name, to exclude it, prefix the name
-with a "!" character. To exclude SSLv2 for opportunistic TLS set
-"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
-"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
-include, rather than protocols to exclude, is supported, but not
-recommended.  The exclusion form more closely matches the underlying
-OpenSSL interface semantics. </p>
 
 <p> Example: </p>
 <pre>
-# TLSv1 or better:
+# Preferred syntax with Postfix &ge; 3.6:
+smtp_tls_protocols = &gt;=TLSv1, &lt;=TLSv1.3
+# Legacy syntax:
 smtp_tls_protocols = !SSLv2, !SSLv3
 </pre>
 
 <p> This feature is available in Postfix 2.6 and later. </p>
 
-%PARAM smtpd_tls_protocols !SSLv2, !SSLv3
+%PARAM smtpd_tls_protocols see postconf -d output
 
-<p> List of TLS protocols that the Postfix SMTP server will exclude
+<p> TLS protocols accepted by the Postfix SMTP server with opportunistic
-or include with opportunistic TLS encryption. The default value is
+TLS encryption. If the list is empty, the server supports all available
-"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
+TLS protocol versions.  A non-empty value is a list of protocol names to
-empty for older releases allowing all protocols to be
+include or exclude, separated by whitespace, commas or colons.  </p>
-used with opportunistic TLS.  A non-empty value is a list of protocol
-names separated by whitespace, commas or colons.  The supported
-protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case
-sensitive. </p>
 
-<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
-and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
+"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
-versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
+Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
-"TLSv1.2". </p>
+the lowest supported TLS protocol version (see below).  Older releases
+use the "!" exclusion syntax, also described below.  </p>
 
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+<p> As of Postfix 3.6, the preferred way to limit the range of
-&ge; 3.4 (or patch releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
+acceptable protocols is to set the lowest acceptable TLS protocol
-this can be disabled, if need be, via "!TLSv1.3". </p>
+version and/or the highest acceptable TLS protocol version.  To set the
+lower bound include an element of the form: "&gt;=<i>version</i>" where
+<i>version</i> is a either one of the TLS protocol names listed above,
+or a hexadecimal number corresponding to the desired TLS protocol
+version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
+bound, use "&lt;=<i>version</i>".  There must be no whitespace between
+the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
 
-<p> To include a protocol list its name, to exclude it, prefix the name
+<p> Hexadecimal protocol numbers make it possible to specify protocol
-with a "!" character. To exclude SSLv2 for opportunistic TLS set
+bounds for TLS versions that are known to OpenSSL, but might not be
-"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
+known to Postfix.  They cannot be used with the legacy exclusion syntax.
-"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
+Leading "0" or "0x" prefixes are supported, but not required.
-include, rather than protocols to exclude, is supported, but not
+Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
-recommended.  The exclusion form more closely matches the underlying
+"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
-OpenSSL interface semantics. </p>
+upper or lower bound, and a warning will be logged.  Hexadecimal
+versions should only be used when Postfix is linked with some future
+version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
+yet support a symbolic name for that protocol version. </p>
+
+<p>Hexadecimal example (Postfix &ge; 3.6):</p>
+<blockquote>
+<pre>
+# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
+# in some future version of OpenSSL (presently a warning is logged).
+smtpd_tls_protocols = &gt;=TLSv1, &lt;=0305
+# Allow only TLS 1.0 and up:
+smtpd_tls_protocols = &gt;=0x0301
+</pre>
+</blockquote>
+
+<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
+version, and the protocol range is configured via protocol exclusions.
+To require at least TLS 1.0, set "smtpd_tls_protocols = !SSLv2, !SSLv3".
+Listing the protocols to include, rather than protocols to exclude, is
+supported, but not recommended.  The exclusion form more accurately
+matches the underlying OpenSSL interface.  </p>
+
+<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
+this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
+releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
 
 <p> Example: </p>
 <pre>
+# Preferred syntax with Postfix &ge; 3.6:
+smtpd_tls_protocols = &gt;=TLSv1, &lt;=TLSv1.3
+# Legacy syntax:
 smtpd_tls_protocols = !SSLv2, !SSLv3
 </pre>
 
 <p> This feature is available in Postfix 2.6 and later. </p>
 
-%PARAM lmtp_tls_protocols !SSLv2, !SSLv3
+%PARAM lmtp_tls_protocols see postconf -d output
 
 <p> The LMTP-specific version of the smtp_tls_protocols configuration
 parameter. See there for details. </p>
@@ -12874,7 +12971,7 @@ EC algorithms have not been disabled by the vendor. </p>
 
 <p> The Postfix SMTP server security grade for ephemeral elliptic-curve
 Diffie-Hellman (EECDH) key exchange.   As of Postfix 3.6, the value of
-this parameter is always ignored, and Postfix behaves as though th
+this parameter is always ignored, and Postfix behaves as though the
 <b>auto</b> value (described below) was chosen.
 </p>
 

postfix/src/global/mail_params.h

@@ -1336,11 +1336,11 @@ extern char *var_smtpd_tls_CAfile;
 extern char *var_smtpd_tls_CApath;
 
 #define VAR_SMTPD_TLS_PROTO		"smtpd_tls_protocols"
-#define DEF_SMTPD_TLS_PROTO		"!SSLv2, !SSLv3"
+#define DEF_SMTPD_TLS_PROTO		">=TLSv1"
 extern char *var_smtpd_tls_proto;
 
 #define VAR_SMTPD_TLS_MAND_PROTO	"smtpd_tls_mandatory_protocols"
-#define DEF_SMTPD_TLS_MAND_PROTO	"!SSLv2, !SSLv3"
+#define DEF_SMTPD_TLS_MAND_PROTO	">=TLSv1"
 extern char *var_smtpd_tls_mand_proto;
 
 #define VAR_SMTPD_TLS_CIPH	"smtpd_tls_ciphers"
@@ -1571,15 +1571,15 @@ extern int var_lmtp_tls_scache_timeout;
 extern char *var_smtp_tls_policy;
 
 #define VAR_SMTP_TLS_PROTO	"smtp_tls_protocols"
-#define DEF_SMTP_TLS_PROTO	"!SSLv2, !SSLv3"
+#define DEF_SMTP_TLS_PROTO	">=TLSv1"
 #define VAR_LMTP_TLS_PROTO	"lmtp_tls_protocols"
-#define DEF_LMTP_TLS_PROTO	"!SSLv2, !SSLv3"
+#define DEF_LMTP_TLS_PROTO	">=TLSv1"
 extern char *var_smtp_tls_proto;
 
 #define VAR_SMTP_TLS_MAND_PROTO	"smtp_tls_mandatory_protocols"
-#define DEF_SMTP_TLS_MAND_PROTO	"!SSLv2, !SSLv3"
+#define DEF_SMTP_TLS_MAND_PROTO	">=TLSv1"
 #define VAR_LMTP_TLS_MAND_PROTO	"lmtp_tls_mandatory_protocols"
-#define DEF_LMTP_TLS_MAND_PROTO	"!SSLv2, !SSLv3"
+#define DEF_LMTP_TLS_MAND_PROTO	">=TLSv1"
 extern char *var_smtp_tls_mand_proto;
 
 #define VAR_SMTP_TLS_VFY_CMATCH	"smtp_tls_verify_cert_match"

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20200720"
+#define MAIL_RELEASE_DATE	"20200725"
 #define MAIL_VERSION_NUMBER	"3.6"
 
 #ifdef SNAPSHOT

postfix/src/posttls-finger/posttls-finger.c

@@ -224,8 +224,8 @@
 /*	parameter \fIname\fR with \fIvalue\fR.  Possible use-cases include
 /*	overriding the values of TLS library parameters, or "myhostname" to
 /*	configure the SMTP EHLO name sent to the remote server.
-/* .IP "\fB-p \fIprotocols\fR (default: !SSLv2)"
+/* .IP "\fB-p \fIprotocols\fR (default: >=TLSv1)"
-/*	List of TLS protocols that posttls-finger will exclude or include.  See
+/*	TLS protocols that posttls-finger will exclude or include.  See
 /*	smtp_tls_mandatory_protocols for details.
 /* .IP "\fB-P \fICApath/\fR (default: none)"
 /*	The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote
@@ -1806,7 +1806,7 @@ static void parse_options(STATE *state, int argc, char *argv[])
     state->max_reconnect = 5;
     state->wrapper_mode = 0;
 #ifdef USE_TLS
-    state->protocols = mystrdup("!SSLv2");
+    state->protocols = mystrdup(">=TLSv1");
     state->grade = mystrdup("medium");
 #endif
     memset((void *) &state->options, 0, sizeof(state->options));

postfix/src/smtp/smtp.c

@@ -448,9 +448,9 @@
 /*	Optional lookup tables with the Postfix SMTP client TLS security
 /*	policy by next-hop destination; when a non-empty value is specified,
 /*	this overrides the obsolete smtp_tls_per_site parameter.
-/* .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR"
+/* .IP "\fBsmtp_tls_mandatory_protocols (see 'postconf -d' output)\fR"
-/*	List of SSL/TLS protocols that the Postfix SMTP client will use with
+/*	TLS protocols that the Postfix SMTP client will use with mandatory
-/*	mandatory TLS encryption.
+/*	TLS encryption.
 /* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
 /*	The verification depth for remote SMTP server certificates.
 /* .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot-nexthop)\fR"
@@ -498,9 +498,9 @@
 /*	certificate fingerprints.
 /* .PP
 /*	Available in Postfix version 2.6 and later:
-/* .IP "\fBsmtp_tls_protocols (!SSLv2, !SSLv3)\fR"
+/* .IP "\fBsmtp_tls_protocols (see postconf -d output)\fR"
-/*	List of TLS protocols that the Postfix SMTP client will exclude or
+/*	TLS protocols that the Postfix SMTP client will use with
-/*	include with opportunistic TLS encryption.
+/*	opportunistic TLS encryption.
 /* .IP "\fBsmtp_tls_ciphers (medium)\fR"
 /*	The minimum TLS cipher grade that the Postfix SMTP client
 /*	will use with opportunistic TLS encryption.

postfix/src/smtpd/smtpd.c

@@ -405,9 +405,9 @@
 /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
 /*	Additional list of ciphers or cipher types to exclude from the
 /*	Postfix SMTP server cipher list at mandatory TLS security levels.
-/* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR"
+/* .IP "\fBsmtpd_tls_mandatory_protocols (see 'postconf -d' output)\fR"
-/*	The SSL/TLS protocols accepted by the Postfix SMTP server with
+/*	TLS protocols accepted by the Postfix SMTP server with mandatory TLS
-/*	mandatory TLS encryption.
+/*	encryption.
 /* .IP "\fBsmtpd_tls_received_header (no)\fR"
 /*	Request that the Postfix SMTP server produces Received:  message
 /*	headers that include information about the protocol and cipher used,
@@ -442,9 +442,9 @@
 /*	\fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR.
 /* .PP
 /*	Available in Postfix version 2.6 and later:
-/* .IP "\fBsmtpd_tls_protocols (!SSLv2, !SSLv3)\fR"
+/* .IP "\fBsmtpd_tls_protocols (see postconf -d output)\fR"
-/*	List of TLS protocols that the Postfix SMTP server will exclude
+/*	TLS protocols accepted by the Postfix SMTP server with opportunistic
-/*	or include with opportunistic TLS encryption.
+/*	TLS encryption.
 /* .IP "\fBsmtpd_tls_ciphers (medium)\fR"
 /*	The minimum TLS cipher grade that the Postfix SMTP server
 /*	will use with opportunistic TLS encryption.

postfix/src/tls/tls.h

@@ -385,7 +385,7 @@ extern void tls_param_init(void);
 #define TLS_SSL_OP_MANAGED_BITS \
 	(SSL_OP_CIPHER_SERVER_PREFERENCE | TLS_SSL_OP_PROTOMASK(~0))
 
-extern int tls_protocol_mask(const char *);
+extern int tls_proto_mask_lims(const char *, int *, int *);
 
  /*
   * Cipher grade selection.
@@ -631,7 +631,7 @@ extern char *tls_digest_encode(const unsigned char *, int);
 extern char *tls_cert_fprint(X509 *, const char *);
 extern char *tls_pkey_fprint(X509 *, const char *);
 extern char *tls_serverid_digest(TLS_SESS_STATE *,
-		        const TLS_CLIENT_START_PROPS *, long, const char *);
+		              const TLS_CLIENT_START_PROPS *, const char *);
 
  /*
   * tls_certkey.c

postfix/src/tls/tls_client.c

@@ -865,6 +865,8 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
 {
     int     sts;
     int     protomask;
+    int     min_proto;
+    int     max_proto;
     const char *cipher_list;
     SSL_SESSION *session = 0;
     TLS_SESS_STATE *TLScontext;
@@ -888,7 +890,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
      * Per-session protocol restrictions must be applied to the SSL connection,
      * as restrictions in the global context cannot be cleared.
      */
-    protomask = tls_protocol_mask(props->protocols);
+    protomask = tls_proto_mask_lims(props->protocols, &min_proto, &max_proto);
     if (protomask == TLS_PROTOCOL_INVALID) {
 	/* tls_protocol_mask() logs no warning. */
 	msg_warn("%s: Invalid TLS protocol list \"%s\": aborting TLS session",
@@ -956,12 +958,24 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
 	tls_free_context(TLScontext);
 	return (0);
     }
+#define CARP_VERSION(which) do { \
+        if (which##_proto != 0) \
+            msg_warn("%s: error setting %simum TLS version to: 0x%04x", \
+                     TLScontext->namaddr, #which, which##_proto); \
+        else \
+            msg_warn("%s: error clearing %simum TLS version", \
+                     TLScontext->namaddr, #which); \
+    } while (0)
 
     /*
      * Apply session protocol restrictions.
      */
     if (protomask != 0)
 	SSL_set_options(TLScontext->con, TLS_SSL_OP_PROTOMASK(protomask));
+    if (!SSL_set_min_proto_version(TLScontext->con, min_proto))
+	CARP_VERSION(min);
+    if (!SSL_set_max_proto_version(TLScontext->con, max_proto))
+	CARP_VERSION(max);
 
     /*
      * When applicable, configure DNS-based or synthetic (fingerprint or
@@ -1038,7 +1052,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
      * parameters and append it to the serverid.
      */
     TLScontext->serverid =
-	tls_serverid_digest(TLScontext, props, protomask, cipher_list);
+	tls_serverid_digest(TLScontext, props, cipher_list);
 
     /*
      * When authenticating the peer, use 80-bit plus OpenSSL security level

postfix/src/tls/tls_fprint.c

@@ -6,10 +6,9 @@
 /* SYNOPSIS
 /*	#include <tls.h>
 /*
-/*	char	*tls_serverid_digest(TLScontext, props, protomask, ciphers)
+/*	char	*tls_serverid_digest(TLScontext, props, ciphers)
 /*	TLS_SESS_STATE *TLScontext;
 /*	const TLS_CLIENT_START_PROPS *props;
-/*	long	protomask;
 /*	const char *ciphers;
 /*
 /*	char	*tls_digest_encode(md_buf, md_len)
@@ -187,7 +186,7 @@ static int tls_digest_tlsa(EVP_MD_CTX *mdctx, TLS_TLSA *tlsa)
 
 char   *tls_serverid_digest(TLS_SESS_STATE *TLScontext,
 			            const TLS_CLIENT_START_PROPS *props,
-			            long protomask, const char *ciphers)
+			            const char *ciphers)
 {
     EVP_MD_CTX *mdctx;
     const EVP_MD *md;
@@ -219,7 +218,7 @@ char   *tls_serverid_digest(TLS_SESS_STATE *TLScontext,
     checkok(EVP_DigestInit_ex(mdctx, md, NULL));
     digest_string(props->helo ? props->helo : "");
     digest_object(&sslversion);
-    digest_object(&protomask);
+    digest_string(props->protocols);
     digest_string(ciphers);
 
     /*

postfix/src/tls/tls_misc.c

@@ -69,8 +69,10 @@
 /*
 /*	void	tls_param_init()
 /*
-/*	int	tls_protocol_mask(plist)
+/*	int	tls_proto_mask_lims(plist, floor, ceiling)
 /*	const char *plist;
+/*	int	*floor;
+/*	int	*ceiling;
 /*
 /*	int	tls_cipher_grade(name)
 /*	const char *name;
@@ -157,10 +159,12 @@
 /*	entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT
 /*	for clients and TLS_ROLE_SERVER for servers. Any errors are fatal.
 /*
-/*	tls_protocol_mask() returns a bitmask of excluded protocols, given
+/*	tls_proto_mask_lims() returns a bitmask of excluded protocols, and
-/*	a list (plist) of protocols to include or (preceded by a '!') exclude.
+/*	and the protocol version floor/ceiling, given a list (plist) of
-/*	If "plist" contains invalid protocol names, TLS_PROTOCOL_INVALID is
+/*	protocols to include or (preceded by a '!') exclude, or constraints
-/*	returned and no warning is logged.
+/*	of the form '>=name', '<=name', '>=hexvalue', '<=hexvalue'. If "plist"
+/*	contains invalid protocol names, TLS_PROTOCOL_INVALID is returned and
+/*	no warning is logged.
 /*
 /*	tls_cipher_grade() converts a case-insensitive cipher grade
 /*	name (high, medium, low, export, null) to the corresponding
@@ -315,6 +319,19 @@ static const NAME_CODE protocol_table[] = {
     0, TLS_PROTOCOL_INVALID,
 };
 
+/*
+ * Protocol name => numeric version, for MinProtocol and MaxProtocol
+ */
+static const NAME_CODE tls_version_table[] = {
+    "None", 0,
+    SSL_TXT_SSLV3, SSL3_VERSION,
+    SSL_TXT_TLSV1, TLS1_VERSION,
+    SSL_TXT_TLSV1_1, TLS1_1_VERSION,
+    SSL_TXT_TLSV1_2, TLS1_2_VERSION,
+    TLS_PROTOCOL_TXT_TLSV1_3, TLS1_3_VERSION,
+    0, -1,
+};
+
  /*
   * SSL_OP_MUMBLE bug work-around name <=> mask conversion.
   */
@@ -551,9 +568,32 @@ void    tls_update_app_logmask(TLS_APPL_STATE *app_ctx, int log_mask)
     app_ctx->log_mask = log_mask;
 }
 
-/* tls_protocol_mask - Bitmask of protocols to exclude */
+/* parse_version - parse TLS protocol version name or hex number */
 
-int     tls_protocol_mask(const char *plist)
+static int parse_tls_version(const char *tok, int *version)
+{
+    int     code = name_code(tls_version_table, NAME_CODE_FLAG_NONE, tok);
+    char   *_end;
+    unsigned long ulval;
+
+    if (code != -1) {
+	*version = code;
+	return (0);
+    }
+    errno = 0;
+    ulval = strtoul(tok, &_end, 16);
+    if (*_end != 0
+	|| (ulval == ULONG_MAX && errno == ERANGE)
+	|| ulval > INT_MAX)
+	return TLS_PROTOCOL_INVALID;
+
+    *version = (int) ulval;
+    return (0);
+}
+
+/* tls_proto_mask_lims - protocols to exclude and floor/ceiling */
+
+int     tls_proto_mask_lims(const char *plist, int *floor, int *ceiling)
 {
     char   *save;
     char   *tok;
@@ -567,9 +607,15 @@ int     tls_protocol_mask(const char *plist)
 	return (res); \
     } while (0)
 
+    *floor = *ceiling = 0;
+
     save = cp = mystrdup(plist);
     while ((tok = mystrtok(&cp, CHARS_COMMA_SP ":")) != 0) {
-	if (*tok == '!')
+	if (strncmp(tok, ">=", 2) == 0)
+	    code = parse_tls_version(tok + 2, floor);
+	else if (strncmp(tok, "<=", 2) == 0)
+	    code = parse_tls_version(tok + 2, ceiling);
+	else if (*tok == '!')
 	    exclude |= code =
 		name_code(protocol_table, NAME_CODE_FLAG_NONE, ++tok);
 	else

postfix/src/tls/tls_server.c

@@ -342,6 +342,8 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
     int     scache_timeout;
     int     ticketable = 0;
     int     protomask;
+    int     min_proto;
+    int     max_proto;
     TLS_APPL_STATE *app_ctx;
     int     log_mask;
 
@@ -366,7 +368,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
     /*
      * First validate the protocols. If these are invalid, we can't continue.
      */
-    protomask = tls_protocol_mask(props->protocols);
+    protomask = tls_proto_mask_lims(props->protocols, &min_proto, &max_proto);
     if (protomask == TLS_PROTOCOL_INVALID) {
 	/* tls_protocol_mask() logs no warning. */
 	msg_warn("Invalid TLS protocol list \"%s\": disabling TLS support",
@@ -514,6 +516,10 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
      */
     if (protomask != 0)
 	SSL_CTX_set_options(server_ctx, TLS_SSL_OP_PROTOMASK(protomask));
+    SSL_CTX_set_min_proto_version(server_ctx, min_proto);
+    SSL_CTX_set_max_proto_version(server_ctx, max_proto);
+    SSL_CTX_set_min_proto_version(sni_ctx, min_proto);
+    SSL_CTX_set_max_proto_version(sni_ctx, max_proto);
 
     /*
      * Some sites may want to give the client less rope. On the other hand,