mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 05:38:06 +00:00

postfix-2.8.10

This commit is contained in:
Wietse Venema 2012-04-24 00:00:00 -05:00 committed by Viktor Dukhovni
parent f42575b3c9
commit c1b6673d0a
24 changed files with 288 additions and 111 deletions


@ -16766,3 +16766,18 @@ Apologies for any names omitted.
Cleanup: missing #include statement for bugfix code added Cleanup: missing #include statement for bugfix code added
20111226. File: local/unknown.c. 20111226. File: local/unknown.c.
20120401
Bitrot: shut up useless warnings about Cyrus SASL call-back
function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h,
xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c.
20120422
Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the
known TLS protocol list so that protocols can be turned off
selectively to work around implementation bugs. Based on
a patch by Victor Duchovni. Files: proto/TLS_README.html,
proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c,
tls/tls_server.c.
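Review bot: the 20120422 entry credits "Victor Duchovni" while the commit metadata names the committer "Viktor Dukhovni"; settle on one spelling in HISTORY. The entry also records only the source and proto files, but the documentation hunks below show the default of smtp_tls_mandatory_protocols, lmtp_tls_mandatory_protocols and smtpd_tls_mandatory_protocols moving from "SSLv3, TLSv1" to "!SSLv2"; a default change deserves a sentence here so it can be found from the HISTORY log alone.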


@ -542,11 +542,17 @@ The "smtpd_tls_ciphers" configuration parameter (Postfix >= 2.6) provides
control over the minimum cipher grade for opportunistic TLS. With Postfix < control over the minimum cipher grade for opportunistic TLS. With Postfix <
2.6, the minimum opportunistic TLS cipher grade is always "export". 2.6, the minimum opportunistic TLS cipher grade is always "export".
With mandatory TLS encryption, the Postfix SMTP server will by default only use With mandatory TLS encryption, the Postfix SMTP server will by default disable
SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols protocol list is specified via the smtpd_tls_mandatory_protocols configuration
configuration parameter. The corresponding smtpd_tls_protocols parameter parameter. The corresponding smtpd_tls_protocols parameter (Postfix >= 2.6)
(Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS. controls the SSL/TLS protocols used with opportunistic TLS.
Note that the OpenSSL library only supports protocol exclusion (not inclusion).
For this reason, Postfix can exclude only protocols that are known at the time
the Postfix software is written. If new protocols are added to the OpenSSL
library, they cannot be excluded without corresponding changes to the Postfix
source code.
For a server that is not a public Internet MX host, Postfix (>= 2.3) supports For a server that is not a public Internet MX host, Postfix (>= 2.3) supports
configurations with no server certificates that use oonnllyy the anonymous ciphers. configurations with no server certificates that use oonnllyy the anonymous ciphers.
@ -561,9 +567,10 @@ Example, MSA that requires TLSv1, not SSLv2 or SSLv3, with high grade ciphers:
smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = encrypt smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = TLSv1 # Preferred form with Postfix >= 2.5:
# Also available with Postfix >= 2.5:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Alternative form.
smtpd_tls_mandatory_protocols = TLSv1
If you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH) If you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH)
key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead
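Review bot: the heading still reads "MSA that requires TLSv1, not SSLv2 or SSLv3", but with the protocol list extended for OpenSSL 1.0.1 the preferred form "!SSLv2, !SSLv3" also admits TLSv1.1 and TLSv1.2, while the "Alternative form" "smtpd_tls_mandatory_protocols = TLSv1" now pins the server to TLSv1 only. The two settings are no longer interchangeable: either reword the heading to "TLSv1 or later" and say that the inclusion form restricts to exactly TLSv1, or drop the alternative form here, since the postconf text in this same commit recommends against it.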
@ -594,9 +601,9 @@ Examples:
smtpd_tls_eecdh_grade = strong smtpd_tls_eecdh_grade = strong
Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS
servers to preempt the TLS client's cipher preference list. This is only servers to preempt the TLS client's cipher preference list. This is possible
possible with SSLv3, as in SSLv2 the client chooses the cipher from a list only with SSLv3 and later, as in SSLv2 the client chooses the cipher from a
supplied by the server. list supplied by the server.
By default, the OpenSSL server selects the client's most preferred cipher that By default, the OpenSSL server selects the client's most preferred cipher that
the server supports. With SSLv3 and later, the server may choose its own most the server supports. With SSLv3 and later, the server may choose its own most
@ -1048,9 +1055,9 @@ policy settings.
Examples: Examples:
In the example below, traffic to example.com and its sub-domains via the In the example below, traffic to example.com and its sub-domains via the
corresponding MX hosts always uses TLS. The protocol version will be "SSLv3" or corresponding MX hosts always uses TLS. The SSLv2 protocol will be disabled
"TLSv1" (the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). (the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). Only
Only high or medium strength (i.e. 128 bit or better) ciphers will be used by high- or medium-strength (i.e. 128 bit or better) ciphers will be used by
default for all "encrypt" security level sessions. default for all "encrypt" security level sessions.
/etc/postfix/main.cf: /etc/postfix/main.cf:
@ -1714,11 +1721,11 @@ The "smtp_tls_ciphers" configuration parameter (Postfix >= 2.6) provides
control over the minimum cipher grade for opportunistic TLS. With Postfix < control over the minimum cipher grade for opportunistic TLS. With Postfix <
2.6, the minimum opportunistic TLS cipher grade is always "export". 2.6, the minimum opportunistic TLS cipher grade is always "export".
With mandatory TLS encryption, the Postfix SMTP client will by default only use With mandatory TLS encryption, the Postfix SMTP client will by default disable
SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols protocol list is specified via the smtp_tls_mandatory_protocols configuration
configuration parameter. The corresponding smtp_tls_protocols parameter parameter. The corresponding smtp_tls_protocols parameter (Postfix >= 2.6)
(Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS. controls the SSL/TLS protocols used with opportunistic TLS.
Example: Example:
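Review bot: the server section of this file gains a paragraph stating that OpenSSL supports protocol exclusion only and that protocols unknown to Postfix cannot be excluded, but the parallel client paragraph here does not. The same caveat applies to smtp_tls_mandatory_protocols and smtp_tls_protocols, so add it here and in the matching TLS_README.html client section to keep both halves of the README consistent.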
@ -1726,9 +1733,10 @@ Example:
smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_mandatory_exclude_ciphers = RC4, MD5
smtp_tls_exclude_ciphers = aNULL smtp_tls_exclude_ciphers = aNULL
smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Preferred form with Postfix >= 2.5:
# Also available with Postfix >= 2.5:
smtp_tls_mandatory_protocols = !SSLv2 smtp_tls_mandatory_protocols = !SSLv2
# Alternative form.
smtp_tls_mandatory_protocols = SSLv3, TLSv1
# Also available with Postfix >= 2.6: # Also available with Postfix >= 2.6:
smtp_tls_ciphers = export smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2 smtp_tls_protocols = !SSLv2


@ -11,6 +11,43 @@ instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd) The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release. specifies the release date of a stable release or snapshot release.
Major changes with Postfix 2.8.10
---------------------------------
This release adds support to turn off the TLSv1.1 and TLSv1.2
protocols. Introduced with OpenSSL version 1.0.1, these are known
to cause inter-operability problems with for example hotmail.
The radical workaround is to temporarily turn off problematic
protocols globally:
/etc/postfix/main.cf:
smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
However, it may be better to temporarily turn off problematic
protocols for broken sites only:
/etc/postfix/main.cf:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
/etc/postfix/tls_policy:
example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
Important:
- Note the use of ":" instead of comma or space. Also, note that
there is NO space around the "=" in "protocols=".
- The smtp_tls_policy_maps lookup key must match the "next-hop"
destination that is given to the Postfix SMTP client. If you
override the next-hop destination with transport_maps, relayhost,
sender_dependent_relayhost_maps, or otherwise, you need to specify
the same destination for the smtp_tls_policy_maps lookup key.
Incompatible changes with Postfix 2.8.2 Incompatible changes with Postfix 2.8.2
--------------------------------------- ---------------------------------------
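Review bot: the notes describe the new TLSv1.1 and TLSv1.2 exclusions but not the change of the *_tls_mandatory_protocols defaults from "SSLv3, TLSv1" to "!SSLv2" shown in the postconf.5 and manual page hunks. That is a behaviour change worth a sentence: an administrator who copied the old default "SSLv3, TLSv1" into main.cf will, after this update with OpenSSL 1.0.1, have TLSv1.1 and TLSv1.2 excluded, whereas the new postconf.5 Note says older Postfix enabled them unconditionally. Minor: "problems with for example hotmail" reads better as "problems with some sites, for example hotmail".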


@ -790,12 +790,18 @@ Postfix &lt; 2.6, the minimum opportunistic TLS cipher grade is always
"export". </p> "export". </p>
<p> With mandatory TLS encryption, the Postfix SMTP server will by <p> With mandatory TLS encryption, the Postfix SMTP server will by
default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption default disable SSLv2. SSLv2 is used only when TLS encryption
is optional. The mandatory TLS protocol list is specified via the is optional. The mandatory TLS protocol list is specified via the
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> configuration parameter. The <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> configuration parameter. The
corresponding <a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> parameter (Postfix &ge; 2.6) corresponding <a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> parameter (Postfix &ge; 2.6)
controls the SSL/TLS protocols used with opportunistic TLS. </p> controls the SSL/TLS protocols used with opportunistic TLS. </p>
<p> Note that the OpenSSL library only supports protocol exclusion
(not inclusion). For this reason, Postfix can exclude only protocols
that are known at the time the Postfix software is written. If new
protocols are added to the OpenSSL library, they cannot be excluded
without corresponding changes to the Postfix source code. </p>
<p> For a server that is not a public Internet MX host, Postfix (&ge; 2.3) <p> For a server that is not a public Internet MX host, Postfix (&ge; 2.3)
supports configurations with no <a href="#server_cert_key">server supports configurations with no <a href="#server_cert_key">server
certificates</a> that use <b>only</b> the anonymous ciphers. This is certificates</a> that use <b>only</b> the anonymous ciphers. This is
@ -813,9 +819,10 @@ ciphers: </p>
<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> = high <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> = high
<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL, MD5 <a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL, MD5
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = TLSv1 # Preferred form with Postfix &ge; 2.5:
# Also available with Postfix &ge; 2.5:
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3 <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
# Alternative form.
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = TLSv1
</pre> </pre>
</blockquote> </blockquote>
@ -859,8 +866,8 @@ secure for most situations. </p>
<p> Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later <p> Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later
allows TLS servers to preempt the TLS client's cipher preference list. allows TLS servers to preempt the TLS client's cipher preference list.
This is only possible with SSLv3, as in SSLv2 the client chooses the This is possible only with SSLv3 and later, as in SSLv2 the client
cipher from a list supplied by the server. </p> chooses the cipher from a list supplied by the server. </p>
<p> By default, the OpenSSL server selects the client's most preferred <p> By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server cipher that the server supports. With SSLv3 and later, the server
@ -1455,9 +1462,9 @@ should use the new TLS policy settings. </p>
<p> Examples: </p> <p> Examples: </p>
<p> In the example below, traffic to <i>example.com</i> and its sub-domains <p> In the example below, traffic to <i>example.com</i> and its sub-domains
via the corresponding MX hosts always uses TLS. The protocol version will be via the corresponding MX hosts always uses TLS. The SSLv2 protocol
"SSLv3" or "TLSv1" (the default setting of <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> will be disabled (the default setting of <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or
better) ciphers will be used by default for all "encrypt" security better) ciphers will be used by default for all "encrypt" security
level sessions. </p> level sessions. </p>
@ -2306,7 +2313,7 @@ Postfix &lt; 2.6, the minimum opportunistic TLS cipher grade is always
"export". </p> "export". </p>
<p> With mandatory TLS encryption, the Postfix SMTP client will by <p> With mandatory TLS encryption, the Postfix SMTP client will by
default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption default disable SSLv2. SSLv2 is used only when TLS encryption
is optional. The mandatory TLS protocol list is specified via the is optional. The mandatory TLS protocol list is specified via the
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> configuration parameter. The corresponding <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> configuration parameter. The corresponding
<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> parameter (Postfix &ge; 2.6) controls <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> parameter (Postfix &ge; 2.6) controls
@ -2320,9 +2327,10 @@ the SSL/TLS protocols used with opportunistic TLS. </p>
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> = medium <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> = medium
<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> = RC4, MD5 <a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> = RC4, MD5
<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = aNULL <a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = aNULL
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = SSLv3, TLSv1 # Preferred form with Postfix &ge; 2.5:
# Also available with Postfix &ge; 2.5:
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2 <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2
# Alternative form.
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = SSLv3, TLSv1
# Also available with Postfix &ge; 2.6: # Also available with Postfix &ge; 2.6:
<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> = export <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> = export
<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2 <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2


@ -455,7 +455,7 @@ SMTP(8) SMTP(8)
non-empty value is specified, this overrides the non-empty value is specified, this overrides the
obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter. obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
<b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b>
List of SSL/TLS protocols that the Postfix SMTP List of SSL/TLS protocols that the Postfix SMTP
client will use with mandatory TLS encryption. client will use with mandatory TLS encryption.


@ -4582,7 +4582,7 @@ configuration parameter. See there for details. </p>
</DD> </DD>
<DT><b><a name="lmtp_tls_mandatory_protocols">lmtp_tls_mandatory_protocols</a> <DT><b><a name="lmtp_tls_mandatory_protocols">lmtp_tls_mandatory_protocols</a>
(default: SSLv3, TLSv1)</b></DT><DD> (default: !SSLv2)</b></DT><DD>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
configuration parameter. See there for details. </p> configuration parameter. See there for details. </p>
@ -10692,7 +10692,7 @@ attribute. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_ma
</DD> </DD>
<DT><b><a name="smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> <DT><b><a name="smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
(default: SSLv3, TLSv1)</b></DT><DD> (default: !SSLv2)</b></DT><DD>
<p> List of SSL/TLS protocols that the Postfix SMTP client will use with <p> List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption. In <a href="postconf.5.html">main.cf</a> the values are separated by mandatory TLS encryption. In <a href="postconf.5.html">main.cf</a> the values are separated by
@ -10701,12 +10701,19 @@ whitespace, commas or colons. In the policy table "protocols" attribute
empty value means allow all protocols. The valid protocol names, (see empty value means allow all protocols. The valid protocol names, (see
<b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and "TLSv1". </p> <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and "TLSv1". </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> With Postfix &ge; 2.5 the parameter syntax is expanded to support <p> With Postfix &ge; 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting protocol exclusions. One can now explicitly exclude SSLv2 by setting
"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2". To exclude both SSLv2 and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2". To exclude both SSLv2 and
SSLv3 set "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing SSLv3 set "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still the protocols to include, rather than protocols to exclude, is
supported; use the form you find more intuitive. </p> supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now <p> Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that by deprecated, the default setting excludes "SSLv2". This means that by
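Review bot: the sentence "The valid protocol names ... are "SSLv2", "SSLv3" and "TLSv1"" is left unchanged, yet the RELEASE_NOTES in this commit use "TLSv1.1" and "TLSv1.2" as values of this very parameter. Update the list to the five names here and in the smtp_tls_protocols, smtpd_tls_mandatory_protocols and smtpd_tls_protocols entries and the postconf.5 manual page, which repeat it, and let the new Note say that Postfix 2.8.10 itself recognizes the two new names; as written it only describes what older Postfix versions do.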
@ -10719,9 +10726,10 @@ and higher. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = TLSv1 # Preferred form with Postfix &ge; 2.5:
# Alternative form with Postfix &ge; 2.5:
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3 <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
# Alternative form.
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = TLSv1
</pre> </pre>
<p> This feature is available in Postfix 2.3 and later. </p> <p> This feature is available in Postfix 2.3 and later. </p>
@ -10977,14 +10985,18 @@ separator is colon. An empty value means allow all protocols. The valid
protocol names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" protocol names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3"
and "TLSv1". </p> and "TLSv1". </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> To include a protocol list its name, to exclude it, prefix the name <p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms include, rather than protocols to exclude, is supported, but not
for excluding protocols not known at compile-time. If Postfix is linked recommended. The exclusion form more closely matches the behaviour
against an OpenSSL library that supports additional protocol versions, when the OpenSSL library is newer than Postfix. </p>
they cannot be excluded using either syntax. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
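Review bot: the replaced text said concretely that protocols unknown at compile time cannot be excluded under either syntax; the new wording "more closely matches the behaviour when the OpenSSL library is newer than Postfix" leaves the reader to infer why. Spell out the reasoning in one sentence: an inclusion list silently gains any protocol a newer library adds, so its meaning drifts from what was written, whereas an exclusion list keeps enabling everything not named, which is what the library does anyway. The same applies to the smtpd_tls_protocols entry and the postconf.5 manual page hunks below.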
@ -14436,7 +14448,7 @@ works in addition to the exclusions listed with <a href="postconf.5.html#smtpd_t
</DD> </DD>
<DT><b><a name="smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> <DT><b><a name="smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>
(default: SSLv3, TLSv1)</b></DT><DD> (default: !SSLv2)</b></DT><DD>
<p> The SSL/TLS protocols accepted by the Postfix SMTP server with <p> The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption. If the list is empty, the server supports all mandatory TLS encryption. If the list is empty, the server supports all
@ -14445,12 +14457,19 @@ of protocol
names separated by whitespace, commas or colons. The supported protocol names separated by whitespace, commas or colons. The supported protocol
names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. </p> names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> With Postfix &ge; 2.5 the parameter syntax is expanded to support <p> With Postfix &ge; 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting protocol exclusions. One can now explicitly exclude SSLv2 by setting
"<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2". To exclude both SSLv2 and "<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2". To exclude both SSLv2 and
SSLv3 set "<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing SSLv3 set "<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still the protocols to include, rather than protocols to exclude, is
supported, use the form you find more intuitive. </p> supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now <p> Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that deprecated, the default setting excludes "SSLv2". This means that
@ -14484,14 +14503,18 @@ names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and
"TLSv1". In <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> table entries, "protocols" attribute "TLSv1". In <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> table entries, "protocols" attribute
values are separated by a colon. </p> values are separated by a colon. </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> To include a protocol list its name, to exclude it, prefix the name <p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to "<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms include, rather than protocols to exclude, is supported, but not
for excluding protocols not known at compile-time. If Postfix is linked recommended. The exclusion form more closely matches the behaviour
against an OpenSSL library that supports additional protocol versions, when the OpenSSL library is newer than Postfix. </p>
they cannot be excluded using either syntax. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>


@ -455,7 +455,7 @@ SMTP(8) SMTP(8)
non-empty value is specified, this overrides the non-empty value is specified, this overrides the
obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter. obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
<b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b>
List of SSL/TLS protocols that the Postfix SMTP List of SSL/TLS protocols that the Postfix SMTP
client will use with mandatory TLS encryption. client will use with mandatory TLS encryption.


@ -462,7 +462,7 @@ SMTPD(8) SMTPD(8)
exclude from the SMTP server cipher list at manda- exclude from the SMTP server cipher list at manda-
tory TLS security levels. tory TLS security levels.
<b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b> <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (!SSLv2)</b>
The SSL/TLS protocols accepted by the Postfix SMTP The SSL/TLS protocols accepted by the Postfix SMTP
server with mandatory TLS encryption. server with mandatory TLS encryption.


@ -2485,7 +2485,7 @@ The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
configuration parameter. See there for details. configuration parameter. See there for details.
.PP .PP
This feature is available in Postfix 2.3 and later. This feature is available in Postfix 2.3 and later.
.SH lmtp_tls_mandatory_protocols (default: SSLv3, TLSv1) .SH lmtp_tls_mandatory_protocols (default: !SSLv2)
The LMTP-specific version of the smtp_tls_mandatory_protocols The LMTP-specific version of the smtp_tls_mandatory_protocols
configuration parameter. See there for details. configuration parameter. See there for details.
.PP .PP
@ -6359,7 +6359,7 @@ specified on a per-destination basis via the TLS policy "exclude"
attribute. See smtp_tls_policy_maps for notes and examples. attribute. See smtp_tls_policy_maps for notes and examples.
.PP .PP
This feature is available in Postfix 2.3 and later. This feature is available in Postfix 2.3 and later.
.SH smtp_tls_mandatory_protocols (default: SSLv3, TLSv1) .SH smtp_tls_mandatory_protocols (default: !SSLv2)
List of SSL/TLS protocols that the Postfix SMTP client will use with List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption. In main.cf the values are separated by mandatory TLS encryption. In main.cf the values are separated by
whitespace, commas or colons. In the policy table "protocols" attribute whitespace, commas or colons. In the policy table "protocols" attribute
@ -6367,12 +6367,18 @@ whitespace, commas or colons. In the policy table "protocols" attribute
empty value means allow all protocols. The valid protocol names, (see empty value means allow all protocols. The valid protocol names, (see
\\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1". \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1".
.PP .PP
Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled.
.PP
With Postfix >= 2.5 the parameter syntax is expanded to support With Postfix >= 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting protocol exclusions. One can now explicitly exclude SSLv2 by setting
"smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still the protocols to include, rather than protocols to exclude, is
supported; use the form you find more intuitive. supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
.PP .PP
Since SSL version 2 has known protocol weaknesses and is now Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that by deprecated, the default setting excludes "SSLv2". This means that by
@ -6387,9 +6393,10 @@ Example:
.nf .nf
.na .na
.ft C .ft C
smtp_tls_mandatory_protocols = TLSv1 # Preferred form with Postfix >= 2.5:
# Alternative form with Postfix >= 2.5:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# Alternative form.
smtp_tls_mandatory_protocols = TLSv1
.fi .fi
.ad .ad
.ft R .ft R
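Review bot: the two forms in this example are labelled "Preferred" and "Alternative" as if they were interchangeable, but with the enlarged TLS_KNOWN_PROTOCOLS in tls.h they differ on OpenSSL 1.0.1: `!SSLv2, !SSLv3` leaves TLSv1, TLSv1.1 and TLSv1.2 enabled, whereas `TLSv1` excludes every other protocol Postfix knows, including TLSv1.1 and TLSv1.2. A one-line comment stating that the inclusion form restricts the session to exactly TLSv1 would stop admins copying the wrong one; the same pairing appears in the TLS_README and postconf.proto examples in this change.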
@ -6622,14 +6629,18 @@ separator is colon. An empty value means allow all protocols. The valid
protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3"
and "TLSv1". and "TLSv1".
.PP .PP
Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled.
.PP
To include a protocol list its name, to exclude it, prefix the name To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms include, rather than protocols to exclude, is supported, but not
for excluding protocols not known at compile-time. If Postfix is linked recommended. The exclusion form more closely matches the behaviour
against an OpenSSL library that supports additional protocol versions, when the OpenSSL library is newer than Postfix.
they cannot be excluded using either syntax.
.PP .PP
Example: Example:
.nf .nf
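Review bot: the replacement sentence "The exclusion form more closely matches the behaviour when the OpenSSL library is newer than Postfix" drops the concrete reason the old text gave, namely that OpenSSL only offers SSL_OP_NO_* exclusions, so protocols Postfix does not know about cannot be excluded at all. Suggest keeping that reason and adding the practical consequence: an inclusion list excludes only the known protocols that are not listed, so it never yields a closed set once OpenSSL adds a version, while an exclusion list keeps doing what it says. Without this, "not recommended" reads as a matter of taste.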
@ -9209,7 +9220,7 @@ works in addition to the exclusions listed with smtpd_tls_exclude_ciphers
(see there for syntax details). (see there for syntax details).
.PP .PP
This feature is available in Postfix 2.3 and later. This feature is available in Postfix 2.3 and later.
.SH smtpd_tls_mandatory_protocols (default: SSLv3, TLSv1) .SH smtpd_tls_mandatory_protocols (default: !SSLv2)
The SSL/TLS protocols accepted by the Postfix SMTP server with The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption. If the list is empty, the server supports all mandatory TLS encryption. If the list is empty, the server supports all
available SSL/TLS protocol versions. A non-empty value is a list available SSL/TLS protocol versions. A non-empty value is a list
@ -9217,12 +9228,18 @@ of protocol
names separated by whitespace, commas or colons. The supported protocol names separated by whitespace, commas or colons. The supported protocol
names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
.PP .PP
Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled.
.PP
With Postfix >= 2.5 the parameter syntax is expanded to support With Postfix >= 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting protocol exclusions. One can now explicitly exclude SSLv2 by setting
"smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still the protocols to include, rather than protocols to exclude, is
supported, use the form you find more intuitive. supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
.PP .PP
Since SSL version 2 has known protocol weaknesses and is now Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that deprecated, the default setting excludes "SSLv2". This means that
@ -9254,14 +9271,18 @@ names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and
"TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
values are separated by a colon. values are separated by a colon.
.PP .PP
Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled.
.PP
To include a protocol list its name, to exclude it, prefix the name To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms include, rather than protocols to exclude, is supported, but not
for excluding protocols not known at compile-time. If Postfix is linked recommended. The exclusion form more closely matches the behaviour
against an OpenSSL library that supports additional protocol versions, when the OpenSSL library is newer than Postfix.
they cannot be excluded using either syntax.
.PP .PP
Example: Example:
.nf .nf

@ -378,7 +378,7 @@ when TLS is not already enabled for that server.
Optional lookup tables with the Postfix SMTP client TLS security Optional lookup tables with the Postfix SMTP client TLS security
policy by next-hop destination; when a non-empty value is specified, policy by next-hop destination; when a non-empty value is specified,
this overrides the obsolete smtp_tls_per_site parameter. this overrides the obsolete smtp_tls_per_site parameter.
.IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR" .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
List of SSL/TLS protocols that the Postfix SMTP client will use with List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption. mandatory TLS encryption.
.IP "\fBsmtp_tls_scert_verifydepth (9)\fR" .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"

@ -389,7 +389,7 @@ use with mandatory TLS encryption.
.IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
Additional list of ciphers or cipher types to exclude from the Additional list of ciphers or cipher types to exclude from the
SMTP server cipher list at mandatory TLS security levels. SMTP server cipher list at mandatory TLS security levels.
.IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR" .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
The SSL/TLS protocols accepted by the Postfix SMTP server with The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption. mandatory TLS encryption.
.IP "\fBsmtpd_tls_received_header (no)\fR" .IP "\fBsmtpd_tls_received_header (no)\fR"

@ -790,12 +790,18 @@ Postfix &lt; 2.6, the minimum opportunistic TLS cipher grade is always
"export". </p> "export". </p>
<p> With mandatory TLS encryption, the Postfix SMTP server will by <p> With mandatory TLS encryption, the Postfix SMTP server will by
default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption default disable SSLv2. SSLv2 is used only when TLS encryption
is optional. The mandatory TLS protocol list is specified via the is optional. The mandatory TLS protocol list is specified via the
smtpd_tls_mandatory_protocols configuration parameter. The smtpd_tls_mandatory_protocols configuration parameter. The
corresponding smtpd_tls_protocols parameter (Postfix &ge; 2.6) corresponding smtpd_tls_protocols parameter (Postfix &ge; 2.6)
controls the SSL/TLS protocols used with opportunistic TLS. </p> controls the SSL/TLS protocols used with opportunistic TLS. </p>
<p> Note that the OpenSSL library only supports protocol exclusion
(not inclusion). For this reason, Postfix can exclude only protocols
that are known at the time the Postfix software is written. If new
protocols are added to the OpenSSL library, they cannot be excluded
without corresponding changes to the Postfix source code. </p>
<p> For a server that is not a public Internet MX host, Postfix (&ge; 2.3) <p> For a server that is not a public Internet MX host, Postfix (&ge; 2.3)
supports configurations with no <a href="#server_cert_key">server supports configurations with no <a href="#server_cert_key">server
certificates</a> that use <b>only</b> the anonymous ciphers. This is certificates</a> that use <b>only</b> the anonymous ciphers. This is
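Review bot: the new paragraph explains that OpenSSL supports exclusion only, but stops short of saying what that means for the inclusion syntax documented in postconf(5): a list of protocols to include is implemented as exclusion of the known-but-unlisted protocols, so any protocol newer than this Postfix release stays enabled under either syntax. Adding that sentence here ties the paragraph to the "not recommended" advice on the inclusion form elsewhere in this change. Also, "at the time the Postfix software is written" would be clearer as "at the time this Postfix version was released", followed by the set currently known (SSLv2, SSLv3, TLSv1, plus TLSv1.1 and TLSv1.2 when built against OpenSSL 1.0.1 or later).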
@ -813,9 +819,10 @@ ciphers: </p>
smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = encrypt smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = TLSv1 # Preferred form with Postfix &ge; 2.5:
# Also available with Postfix &ge; 2.5:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Alternative form.
smtpd_tls_mandatory_protocols = TLSv1
</pre> </pre>
</blockquote> </blockquote>
@ -859,8 +866,8 @@ secure for most situations. </p>
<p> Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later <p> Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later
allows TLS servers to preempt the TLS client's cipher preference list. allows TLS servers to preempt the TLS client's cipher preference list.
This is only possible with SSLv3, as in SSLv2 the client chooses the This is possible only with SSLv3 and later, as in SSLv2 the client
cipher from a list supplied by the server. </p> chooses the cipher from a list supplied by the server. </p>
<p> By default, the OpenSSL server selects the client's most preferred <p> By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server cipher that the server supports. With SSLv3 and later, the server
@ -1455,9 +1462,9 @@ should use the new TLS policy settings. </p>
<p> Examples: </p> <p> Examples: </p>
<p> In the example below, traffic to <i>example.com</i> and its sub-domains <p> In the example below, traffic to <i>example.com</i> and its sub-domains
via the corresponding MX hosts always uses TLS. The protocol version will be via the corresponding MX hosts always uses TLS. The SSLv2 protocol
"SSLv3" or "TLSv1" (the default setting of smtp_tls_mandatory_protocols will be disabled (the default setting of smtp_tls_mandatory_protocols
excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or
better) ciphers will be used by default for all "encrypt" security better) ciphers will be used by default for all "encrypt" security
level sessions. </p> level sessions. </p>
@ -2306,7 +2313,7 @@ Postfix &lt; 2.6, the minimum opportunistic TLS cipher grade is always
"export". </p> "export". </p>
<p> With mandatory TLS encryption, the Postfix SMTP client will by <p> With mandatory TLS encryption, the Postfix SMTP client will by
default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption default disable SSLv2. SSLv2 is used only when TLS encryption
is optional. The mandatory TLS protocol list is specified via the is optional. The mandatory TLS protocol list is specified via the
smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_mandatory_protocols configuration parameter. The corresponding
smtp_tls_protocols parameter (Postfix &ge; 2.6) controls smtp_tls_protocols parameter (Postfix &ge; 2.6) controls
@ -2320,9 +2327,10 @@ the SSL/TLS protocols used with opportunistic TLS. </p>
smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_mandatory_exclude_ciphers = RC4, MD5
smtp_tls_exclude_ciphers = aNULL smtp_tls_exclude_ciphers = aNULL
smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Preferred form with Postfix &ge; 2.5:
# Also available with Postfix &ge; 2.5:
smtp_tls_mandatory_protocols = !SSLv2 smtp_tls_mandatory_protocols = !SSLv2
# Alternative form.
smtp_tls_mandatory_protocols = SSLv3, TLSv1
# Also available with Postfix &ge; 2.6: # Also available with Postfix &ge; 2.6:
smtp_tls_ciphers = export smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2 smtp_tls_protocols = !SSLv2

@ -10378,7 +10378,7 @@ configurations in environments where DNS security is not assured. </p>
<p> This feature is available in Postfix 2.3 and later. </p> <p> This feature is available in Postfix 2.3 and later. </p>
%PARAM smtp_tls_mandatory_protocols SSLv3, TLSv1 %PARAM smtp_tls_mandatory_protocols !SSLv2
<p> List of SSL/TLS protocols that the Postfix SMTP client will use with <p> List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption. In main.cf the values are separated by mandatory TLS encryption. In main.cf the values are separated by
@ -10387,12 +10387,19 @@ whitespace, commas or colons. In the policy table "protocols" attribute
empty value means allow all protocols. The valid protocol names, (see empty value means allow all protocols. The valid protocol names, (see
<b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and "TLSv1". </p> <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and "TLSv1". </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> With Postfix &ge; 2.5 the parameter syntax is expanded to support <p> With Postfix &ge; 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting protocol exclusions. One can now explicitly exclude SSLv2 by setting
"smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still the protocols to include, rather than protocols to exclude, is
supported; use the form you find more intuitive. </p> supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now <p> Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that by deprecated, the default setting excludes "SSLv2". This means that by
@ -10405,9 +10412,10 @@ TLS_README for more information about security levels. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
smtp_tls_mandatory_protocols = TLSv1 # Preferred form with Postfix &ge; 2.5:
# Alternative form with Postfix &ge; 2.5:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# Alternative form.
smtp_tls_mandatory_protocols = TLSv1
</pre> </pre>
<p> This feature is available in Postfix 2.3 and later. </p> <p> This feature is available in Postfix 2.3 and later. </p>
@ -10535,7 +10543,7 @@ configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 2.3 and later. </p> <p> This feature is available in Postfix 2.3 and later. </p>
%PARAM lmtp_tls_mandatory_protocols SSLv3, TLSv1 %PARAM lmtp_tls_mandatory_protocols !SSLv2
<p> The LMTP-specific version of the smtp_tls_mandatory_protocols <p> The LMTP-specific version of the smtp_tls_mandatory_protocols
configuration parameter. See there for details. </p> configuration parameter. See there for details. </p>
@ -10556,7 +10564,7 @@ configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 2.3 and later. </p> <p> This feature is available in Postfix 2.3 and later. </p>
%PARAM smtpd_tls_mandatory_protocols SSLv3, TLSv1 %PARAM smtpd_tls_mandatory_protocols !SSLv2
<p> The SSL/TLS protocols accepted by the Postfix SMTP server with <p> The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption. If the list is empty, the server supports all mandatory TLS encryption. If the list is empty, the server supports all
@ -10565,12 +10573,19 @@ of protocol
names separated by whitespace, commas or colons. The supported protocol names separated by whitespace, commas or colons. The supported protocol
names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. </p> names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> With Postfix &ge; 2.5 the parameter syntax is expanded to support <p> With Postfix &ge; 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting protocol exclusions. One can now explicitly exclude SSLv2 by setting
"smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still the protocols to include, rather than protocols to exclude, is
supported, use the form you find more intuitive. </p> supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now <p> Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that deprecated, the default setting excludes "SSLv2". This means that
@ -11579,14 +11594,18 @@ separator is colon. An empty value means allow all protocols. The valid
protocol names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" protocol names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3"
and "TLSv1". </p> and "TLSv1". </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> To include a protocol list its name, to exclude it, prefix the name <p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms include, rather than protocols to exclude, is supported, but not
for excluding protocols not known at compile-time. If Postfix is linked recommended. The exclusion form more closely matches the behaviour
against an OpenSSL library that supports additional protocol versions, when the OpenSSL library is newer than Postfix. </p>
they cannot be excluded using either syntax. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@ -11609,14 +11628,18 @@ names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and
"TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
values are separated by a colon. </p> values are separated by a colon. </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> To include a protocol list its name, to exclude it, prefix the name <p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms include, rather than protocols to exclude, is supported, but not
for excluding protocols not known at compile-time. If Postfix is linked recommended. The exclusion form more closely matches the behaviour
against an OpenSSL library that supports additional protocol versions, when the OpenSSL library is newer than Postfix. </p>
they cannot be excluded using either syntax. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>

@ -1249,7 +1249,7 @@ extern char *var_smtpd_tls_CApath;
extern char *var_smtpd_tls_proto; extern char *var_smtpd_tls_proto;
#define VAR_SMTPD_TLS_MAND_PROTO "smtpd_tls_mandatory_protocols" #define VAR_SMTPD_TLS_MAND_PROTO "smtpd_tls_mandatory_protocols"
#define DEF_SMTPD_TLS_MAND_PROTO "SSLv3, TLSv1" #define DEF_SMTPD_TLS_MAND_PROTO "!SSLv2"
extern char *var_smtpd_tls_mand_proto; extern char *var_smtpd_tls_mand_proto;
#define VAR_SMTPD_TLS_CIPH "smtpd_tls_ciphers" #define VAR_SMTPD_TLS_CIPH "smtpd_tls_ciphers"
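Review bot: the rationale for changing DEF_SMTPD_TLS_MAND_PROTO from an inclusion list to "!SSLv2" is not recorded next to the define. With the enlarged TLS_KNOWN_PROTOCOLS in tls.h, the old value "SSLv3, TLSv1" would have started excluding TLSv1.1 and TLSv1.2 on OpenSSL 1.0.1, so this edit preserves, rather than changes, what a mandatory-TLS server accepts. A short comment saying so (and that defaults should be spelled in exclusion form from now on) would keep a future cleanup from reverting to the inclusion style; the same applies to the DEF_SMTP_TLS_MAND_PROTO and DEF_LMTP_TLS_MAND_PROTO lines below.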
@ -1462,9 +1462,9 @@ extern char *var_smtp_tls_policy;
extern char *var_smtp_tls_proto; extern char *var_smtp_tls_proto;
#define VAR_SMTP_TLS_MAND_PROTO "smtp_tls_mandatory_protocols" #define VAR_SMTP_TLS_MAND_PROTO "smtp_tls_mandatory_protocols"
#define DEF_SMTP_TLS_MAND_PROTO "SSLv3, TLSv1" #define DEF_SMTP_TLS_MAND_PROTO "!SSLv2"
#define VAR_LMTP_TLS_MAND_PROTO "lmtp_tls_mandatory_protocols" #define VAR_LMTP_TLS_MAND_PROTO "lmtp_tls_mandatory_protocols"
#define DEF_LMTP_TLS_MAND_PROTO "SSLv3, TLSv1" #define DEF_LMTP_TLS_MAND_PROTO "!SSLv2"
extern char *var_smtp_tls_mand_proto; extern char *var_smtp_tls_mand_proto;
#define VAR_SMTP_TLS_VFY_CMATCH "smtp_tls_verify_cert_match" #define VAR_SMTP_TLS_VFY_CMATCH "smtp_tls_verify_cert_match"

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20120302" #define MAIL_RELEASE_DATE "20120424"
#define MAIL_VERSION_NUMBER "2.8.9" #define MAIL_VERSION_NUMBER "2.8.10"
#ifdef SNAPSHOT #ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE

@ -348,7 +348,7 @@
/* Optional lookup tables with the Postfix SMTP client TLS security /* Optional lookup tables with the Postfix SMTP client TLS security
/* policy by next-hop destination; when a non-empty value is specified, /* policy by next-hop destination; when a non-empty value is specified,
/* this overrides the obsolete smtp_tls_per_site parameter. /* this overrides the obsolete smtp_tls_per_site parameter.
/* .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR" /* .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
/* List of SSL/TLS protocols that the Postfix SMTP client will use with /* List of SSL/TLS protocols that the Postfix SMTP client will use with
/* mandatory TLS encryption. /* mandatory TLS encryption.
/* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR" /* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"

@ -357,7 +357,7 @@
/* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
/* Additional list of ciphers or cipher types to exclude from the /* Additional list of ciphers or cipher types to exclude from the
/* SMTP server cipher list at mandatory TLS security levels. /* SMTP server cipher list at mandatory TLS security levels.
/* .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR" /* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
/* The SSL/TLS protocols accepted by the Postfix SMTP server with /* The SSL/TLS protocols accepted by the Postfix SMTP server with
/* mandatory TLS encryption. /* mandatory TLS encryption.
/* .IP "\fBsmtpd_tls_received_header (no)\fR" /* .IP "\fBsmtpd_tls_received_header (no)\fR"

@ -155,8 +155,19 @@ extern void tls_param_init(void);
#define TLS_PROTOCOL_SSLv2 (1<<0) /* SSLv2 */ #define TLS_PROTOCOL_SSLv2 (1<<0) /* SSLv2 */
#define TLS_PROTOCOL_SSLv3 (1<<1) /* SSLv3 */ #define TLS_PROTOCOL_SSLv3 (1<<1) /* SSLv3 */
#define TLS_PROTOCOL_TLSv1 (1<<2) /* TLSv1 */ #define TLS_PROTOCOL_TLSv1 (1<<2) /* TLSv1 */
#ifdef SSL_TXT_TLSV1_1
#define TLS_PROTOCOL_TLSv1_1 (1<<3) /* TLSv1_1 */
#else
#define TLS_PROTOCOL_TLSv1_1 0 /* Unknown */
#endif
#ifdef SSL_TXT_TLSV1_2
#define TLS_PROTOCOL_TLSv1_2 (1<<4) /* TLSv1_2 */
#else
#define TLS_PROTOCOL_TLSv1_2 0 /* Unknown */
#endif
#define TLS_KNOWN_PROTOCOLS \ #define TLS_KNOWN_PROTOCOLS \
( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 ) ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
| TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
extern int tls_protocol_mask(const char *); extern int tls_protocol_mask(const char *);
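Review bot: the feature test here is SSL_TXT_TLSV1_1 / SSL_TXT_TLSV1_2, while tls_client.c and tls_server.c in this same commit test SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2. If an OpenSSL build ever defines one macro without the other, "!TLSv1.1" would parse into a non-zero bit that no SSL_OP_NO_* option consumes (a silently ignored exclusion), or the reverse. Suggest keying all three files on a single macro, or adding `#if defined(SSL_TXT_TLSV1_1) != defined(SSL_OP_NO_TLSv1_1)` followed by `#error` so the build fails loudly. Since the unknown bits are defined as 0, TLS_PROTOCOL_TLSv1_1 and TLS_PROTOCOL_TLSv1_2 can also alias "no protocol" in mask arithmetic; a comment saying that is intentional would help the next reader.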

@ -815,6 +815,12 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
if (protomask != 0) if (protomask != 0)
SSL_set_options(TLScontext->con, SSL_set_options(TLScontext->con,
((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
#ifdef SSL_OP_NO_TLSv1_1
| ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
#endif
#ifdef SSL_OP_NO_TLSv1_2
| ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
#endif
| ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L)); | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
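Review bot: this option-building expression is now duplicated verbatim in tls_server.c (with SSL_CTX_set_options instead of SSL_set_options), and both copies plus protocol_table in tls_misc.c must be edited in step for every new protocol. Factor the mask-to-SSL_OP_NO_* translation into one helper in tls_misc.c (for example a function that returns the long option bits for a given protomask) and call it from both sites, so the #ifdef blocks live in one place.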

@ -215,6 +215,12 @@ static const NAME_CODE protocol_table[] = {
SSL_TXT_SSLV2, TLS_PROTOCOL_SSLv2, SSL_TXT_SSLV2, TLS_PROTOCOL_SSLv2,
SSL_TXT_SSLV3, TLS_PROTOCOL_SSLv3, SSL_TXT_SSLV3, TLS_PROTOCOL_SSLv3,
SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1, SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
#ifdef SSL_TXT_TLSV1_1
SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
#endif
#ifdef SSL_TXT_TLSV1_2
SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
#endif
0, TLS_PROTOCOL_INVALID, 0, TLS_PROTOCOL_INVALID,
}; };
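Review bot: on a Postfix build against OpenSSL older than 1.0.1 the names "TLSv1.1" and "TLSv1.2" are absent from protocol_table, so a main.cf containing `!TLSv1.1` hits the TLS_PROTOCOL_INVALID entry and is rejected instead of being ignored. A configuration written for the newer library therefore fails on the older one. Either document that in the postconf note about OpenSSL 1.0.1, or add the literal names to the table unconditionally, mapped to the TLS_PROTOCOL_TLSv1_1 / TLS_PROTOCOL_TLSv1_2 bits that tls.h already defines as 0 when unknown, so the exclusion is accepted as a no-op where the protocol does not exist.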

@ -397,6 +397,12 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
if (protomask != 0) if (protomask != 0)
SSL_CTX_set_options(server_ctx, SSL_CTX_set_options(server_ctx,
((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
#ifdef SSL_OP_NO_TLSv1_1
| ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
#endif
#ifdef SSL_OP_NO_TLSv1_2
| ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
#endif
| ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L)); | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));

@ -26,6 +26,11 @@
extern XSASL_SERVER_IMPL *xsasl_cyrus_server_init(const char *, const char *); extern XSASL_SERVER_IMPL *xsasl_cyrus_server_init(const char *, const char *);
extern XSASL_CLIENT_IMPL *xsasl_cyrus_client_init(const char *, const char *); extern XSASL_CLIENT_IMPL *xsasl_cyrus_client_init(const char *, const char *);
/*
* Internal definitions for client and server module.
*/
typedef int (*XSASL_CYRUS_CB) (void);
#endif #endif
/* LICENSE /* LICENSE
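Review bot: the XSASL_CYRUS_CB typedef silences the prototype mismatch by casting every callback to `int (*)(void)`, which also hides any genuine mismatch between a callback's real signature and the arguments Cyrus SASL passes for its SASL_CB_* id. A comment should state that the cast exists only because sasl_callback_t stores one generic function pointer for all callback kinds, and that each function's actual parameter list must still match the id it is registered under. The header comment calls these "internal definitions", but the typedef sits in the shared xsasl_cyrus.h included by both modules, so "shared between the client and server module" is the more accurate wording.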

@ -223,7 +223,7 @@ XSASL_CLIENT_IMPL *xsasl_cyrus_client_init(const char *unused_client_type,
* Global callbacks. These have no per-session context. * Global callbacks. These have no per-session context.
*/ */
static sasl_callback_t callbacks[] = { static sasl_callback_t callbacks[] = {
{SASL_CB_LOG, &xsasl_cyrus_log, 0}, {SASL_CB_LOG, (XSASL_CYRUS_CB) &xsasl_cyrus_log, 0},
{SASL_CB_LIST_END, 0, 0} {SASL_CB_LIST_END, 0, 0}
}; };
@ -302,9 +302,9 @@ XSASL_CLIENT *xsasl_cyrus_client_create(XSASL_CLIENT_IMPL *unused_impl,
{ {
XSASL_CYRUS_CLIENT *client = 0; XSASL_CYRUS_CLIENT *client = 0;
static sasl_callback_t callbacks[] = { static sasl_callback_t callbacks[] = {
{SASL_CB_USER, &xsasl_cyrus_client_get_user, 0}, {SASL_CB_USER, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_user, 0},
{SASL_CB_AUTHNAME, &xsasl_cyrus_client_get_user, 0}, {SASL_CB_AUTHNAME, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_user, 0},
{SASL_CB_PASS, &xsasl_cyrus_client_get_passwd, 0}, {SASL_CB_PASS, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_passwd, 0},
{SASL_CB_LIST_END, 0, 0} {SASL_CB_LIST_END, 0, 0}
}; };
sasl_conn_t *sasl_conn = 0; sasl_conn_t *sasl_conn = 0;

@ -170,7 +170,7 @@ static const char *xsasl_cyrus_server_get_username(XSASL_SERVER *);
#define NO_CALLBACK_CONTEXT 0 #define NO_CALLBACK_CONTEXT 0
static sasl_callback_t callbacks[] = { static sasl_callback_t callbacks[] = {
{SASL_CB_LOG, &xsasl_cyrus_log, NO_CALLBACK_CONTEXT}, {SASL_CB_LOG, (XSASL_CYRUS_CB) &xsasl_cyrus_log, NO_CALLBACK_CONTEXT},
{SASL_CB_LIST_END, 0, 0} {SASL_CB_LIST_END, 0, 0}
}; };