a patch by Victor Duchovni. Files: proto/TLS_README.html,
proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c,
tls/tls_server.c.
+
+20120425
+
+ Workaround: bugs in 10-year old gcc versions break compilation
+ with #ifdef inside a macro invocation (NOT: definition).
+ Files: tls/tls.h, tls/tls_client.c, tls/tls_server.c.
If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9
before proceeding.
+Major changes with snapshot 20120422
+====================================
+
+This release adds support to turn off the TLSv1.1 and TLSv1.2
+protocols. Introduced with OpenSSL version 1.0.1, these are known
+to cause inter-operability problems with for example hotmail.
+
+The radical workaround is to temporarily turn off problematic
+protocols globally:
+
+/etc/postfix/main.cf:
+ smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+ smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+ smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+ smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+However, it may be better to temporarily turn off problematic
+protocols for broken sites only:
+
+/etc/postfix/main.cf:
+ smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+
+/etc/postfix/tls_policy:
+ example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
+
+Important:
+
+- Note the use of ":" instead of comma or space. Also, note that
+ there is NO space around the "=" in "protocols=".
+
+- The smtp_tls_policy_maps lookup key must match the "next-hop"
+ destination that is given to the Postfix SMTP client. If you
+ override the next-hop destination with transport_maps, relayhost,
+ sender_dependent_relayhost_maps, or otherwise, you need to specify
+ the same destination for the smtp_tls_policy_maps lookup key.
+
Major changes with snapshot 20120306
====================================
non-empty value is specified, this overrides the
obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
- <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
+ <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b>
List of SSL/TLS protocols that the Postfix SMTP
client will use with mandatory TLS encryption.
non-empty value is specified, this overrides the
obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
- <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
+ <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b>
List of SSL/TLS protocols that the Postfix SMTP
client will use with mandatory TLS encryption.
exclude from the Postfix SMTP server cipher list at
mandatory TLS security levels.
- <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
+ <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (!SSLv2)</b>
The SSL/TLS protocols accepted by the Postfix SMTP
server with mandatory TLS encryption.
Optional lookup tables with the Postfix SMTP client TLS security
policy by next-hop destination; when a non-empty value is specified,
this overrides the obsolete smtp_tls_per_site parameter.
-.IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+.IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption.
.IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
.IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
Additional list of ciphers or cipher types to exclude from the
Postfix SMTP server cipher list at mandatory TLS security levels.
-.IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+.IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption.
.IP "\fBsmtpd_tls_received_header (no)\fR"
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20120423"
+#define MAIL_RELEASE_DATE "20120425"
#define MAIL_VERSION_NUMBER "2.10"
#ifdef SNAPSHOT
/* Optional lookup tables with the Postfix SMTP client TLS security
/* policy by next-hop destination; when a non-empty value is specified,
/* this overrides the obsolete smtp_tls_per_site parameter.
-/* .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+/* .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
/* List of SSL/TLS protocols that the Postfix SMTP client will use with
/* mandatory TLS encryption.
/* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
/* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
/* Additional list of ciphers or cipher types to exclude from the
/* Postfix SMTP server cipher list at mandatory TLS security levels.
-/* .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+/* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
/* The SSL/TLS protocols accepted by the Postfix SMTP server with
/* mandatory TLS encryption.
/* .IP "\fBsmtpd_tls_received_header (no)\fR"
#define TLS_PROTOCOL_TLSv1_1 (1<<3) /* TLSv1_1 */
#else
#define TLS_PROTOCOL_TLSv1_1 0 /* Unknown */
+#undef SSL_OP_NO_TLSv1_1
+#define SSL_OP_NO_TLSv1_1 0L /* Noop */
#endif
#ifdef SSL_TXT_TLSV1_2
#define TLS_PROTOCOL_TLSv1_2 (1<<4) /* TLSv1_2 */
#else
#define TLS_PROTOCOL_TLSv1_2 0 /* Unknown */
+#undef SSL_OP_NO_TLSv1_2
+#define SSL_OP_NO_TLSv1_2 0L /* Noop */
#endif
#define TLS_KNOWN_PROTOCOLS \
( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
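Review bot: The `#undef SSL_OP_NO_TLSv1_1` / `#define SSL_OP_NO_TLSv1_1 0L` pair (and the TLSv1_2 twin) is keyed off the enclosing `#ifdef SSL_TXT_TLSV1_1` test rather than off the option flag itself, so an OpenSSL header that exposes `SSL_OP_NO_TLSv1_1` without `SSL_TXT_TLSV1_1` would have its real flag silently replaced with a no-op, and a configured `!TLSv1.1` could no longer be enforced for that protocol. A non-clobbering fallback avoids that: `#ifndef SSL_OP_NO_TLSv1_1` / `#define SSL_OP_NO_TLSv1_1 0L /* Noop */` / `#endif` in place of the undef, same for TLSv1_2. The `#ifdef SSL_TXT_TLSV1_1` that opens the first block is outside this hunk, so its exact condition is inferred from the TLSv1_2 twin at the `#ifdef SSL_TXT_TLSV1_2` line. Worth a one-line comment on the no-op definitions too, e.g. `/* Keep SSL_set_options() callers free of #ifdef: old gcc chokes on #ifdef inside a macro invocation */`, since that is the reason the callers lost their guards.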
if (protomask != 0)
SSL_set_options(TLScontext->con,
((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
-#ifdef SSL_OP_NO_TLSv1_1
| ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
| ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
-#endif
| ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
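Review bot: The dropped `#ifdef SSL_OP_NO_TLSv1_1`/`SSL_OP_NO_TLSv1_2` guards around the `SSL_set_options()` arguments leave this call dependent on tls.h supplying 0L no-op definitions for builds against older OpenSSL, and nothing at the call site says so; a future maintainer is likely to put the guards back and reintroduce the old-gcc breakage this patch works around. Suggest a comment above the call: `/* SSL_OP_NO_TLSv1_[12] are defined as 0L in tls.h when OpenSSL lacks them; do not #ifdef inside this call, some old gcc versions cannot handle it when SSL_set_options() is a macro. */`. Note also that SSL_OP_NO_* bits added with `SSL_set_options()` are additive and cannot be cleared afterwards on the same session, so if a policy excludes every protocol the library supports the handshake cannot succeed; whether the mask parser already rejects such a mask is not visible in this hunk. The enclosing function starts and ends outside the hunk.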
if (protomask != 0)
SSL_CTX_set_options(server_ctx,
((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
-#ifdef SSL_OP_NO_TLSv1_1
| ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
| ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
-#endif
| ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
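Review bot: As with the client, the `SSL_CTX_set_options()` call now silently relies on tls.h defining `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` as 0L when OpenSSL lacks them, and the reason the `#ifdef` guards were removed is recorded only in HISTORY; add a comment above the call: `/* SSL_OP_NO_TLSv1_[12] are 0L in tls.h when unsupported; keep this call free of #ifdef (old gcc bug) */`. Since these bits are set on the shared server context, every session created from it inherits the exclusions and a per-session re-enable is not possible, which is the intended server-wide behavior but worth stating in the comment. The enclosing function starts and ends outside the hunk.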