diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 3f5cc971e..e4f19e4d2 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -11220,8 +11220,10 @@ matches the underlying OpenSSL interface semantics.
The range of protocols advertised by an SSL/TLS client must be contiguous. When a protocol version is enabled, disabling any
-higher version implicitly disables all versions above that higher
-version. Thus, for example:
+higher version implicitly disables all versions above that higher version.
+Thus, for example (assuming the OpenSSL library supports both SSLv2
+and SSLv3):
+
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
@@ -11238,6 +11240,9 @@ disabled except by also disabling "TLSv1" (typically leaving just
versions of Postfix ≥ 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3".
+
At the dane and dane-only security levels, when usable TLSA records are obtained for the remote SMTP
@@ -11435,6 +11440,9 @@ disabled.
The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3".
+
Example:
@@ -12576,11 +12584,13 @@ and "TLSv1".
The range of protocols advertised by an SSL/TLS client must be contiguous. When a protocol version is enabled, disabling any
-higher version implicitly disables all versions above that higher
-version. Thus, for example:
+higher version implicitly disables all versions above that higher version.
+Thus, for example (assuming the OpenSSL library supports both SSLv2
+and SSLv3):
+
-smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
+smtp_tls_protocols = !SSLv2, !TLSv1
also disables any protocols version higher than TLSv1 leaving
@@ -12591,6 +12601,9 @@ and "TLSv1.2".
The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2"
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3".
+
To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
@@ -12623,6 +12636,9 @@ and "TLSv1.2".
The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3".
+
To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h
index e83ff091d..9c7561828 100644
--- a/postfix/src/tls/tls.h
+++ b/postfix/src/tls/tls.h
@@ -377,10 +377,14 @@ extern void tls_param_init(void);
#define SSL_OP_NO_TLSv1_2 0L /* Noop */
#endif
-#ifdef SSL_TXT_TLSV1_3
+ /*
+ * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our own.
+ */
+#define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3"
+
+#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)
#define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */
#else
-#define SSL_TXT_TLSV1_3 "TLSv1.3"
#define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */
#undef SSL_OP_NO_TLSv1_3
#define SSL_OP_NO_TLSv1_3 0L /* Noop */
@@ -388,7 +392,7 @@ extern void tls_param_init(void);
#define TLS_KNOWN_PROTOCOLS \
( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
- | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
+ | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 )
#define TLS_SSL_OP_PROTOMASK(m) \
((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
| (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index 6db2e777b..00f71cc85 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -279,7 +279,7 @@ static const NAME_CODE protocol_table[] = {
SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
- SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
+ TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
0, TLS_PROTOCOL_INVALID,
};
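Review bot: The `#else` branch of the new `#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)` guard keeps "TLSv1.3" as a recognized name (TLS_PROTOCOL_TXT_TLSV1_3 is now defined unconditionally) while setting TLS_PROTOCOL_TLSv1_3 to 0 and forcing SSL_OP_NO_TLSv1_3 to 0L, so on an OpenSSL without TLS 1.3 the protocol_table row in tls_misc.c maps the name to code 0 rather than to the TLS_PROTOCOL_INVALID sentinel, and the comment above the define should say that this is deliberate. Suggested wording: `/* Defined unconditionally so that "TLSv1.3" parses even on OpenSSL without TLS 1.3; there the mask bit and SSL_OP_NO_TLSv1_3 are both 0, so "!TLSv1.3" is a no-op rather than a configuration error. */`. Whether the table lookup's caller actually treats code 0 as a no-op is outside this diff and should be confirmed before relying on it. A one-line note on why both TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 are required by the guard (presumably pre-release 1.1.1 headers that define one without the other) would also help the next reader. The `#endif` that closes this block lies past the end of the hunk.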
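Review bot: TLS_KNOWN_PROTOCOLS gains TLS_PROTOCOL_TLSv1_3, but the companion TLS_SSL_OP_PROTOMASK(m) macro runs past the end of the hunk, so it is not visible whether it carries a matching `| (((m) & TLS_PROTOCOL_TLSv1_3) ? SSL_OP_NO_TLSv1_3 : 0L)` term. Without one, "!TLSv1.3" would be accepted by the name table yet never be turned into an SSL_OP_NO_* option bit, and TLS 1.3 would stay enabled despite the configured exclusion. On the fallback build both TLS_PROTOCOL_TLSv1_3 and SSL_OP_NO_TLSv1_3 are 0 (see the hunk above), so the term is harmless there; please confirm the tail of the macro in the rest of the file.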