From: Wietse Venema
Date: Tue, 24 Apr 2012 05:00:00 +0000 (-0500)
Subject: postfix-2.7.9
X-Git-Tag: v2.7.9^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b4af6b05ef1ef1615561301392ade7d01da6a298;p=thirdparty%2Fpostfix.git
postfix-2.7.9
---
diff --git a/postfix/HISTORY b/postfix/HISTORY
index ea459c966..fdc0f8d69 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -16020,3 +16020,24 @@ Apologies for any names omitted.
 could match a shorter one, because a length check was done on the wrong string. Reported by Vladimir Vassiliev. File: cleanup/cleanup_milter.c.
+
+20120214
+
+ Bugfix (introduced: Postfix 2.4): extraneous null assignment
+ caused core dump when postlog emitted the "usage" message.
+ Reported by Kant (fnord.hammer). File: postlog/postlog.c.
+
+20120401
+
+ Bitrot: shut up useless warnings about Cyrus SASL call-back
+ function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h,
+ xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c.
+
+20120422
+
+ Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the
+ known TLS protocol list so that protocols can be turned off
+ selectively to work around implementation bugs. Based on
+ a patch by Victor Duchovni. Files: proto/TLS_README.html,
+ proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c,
+ tls/tls_server.c.
diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README
index 241e08990..845a37cda 100644
--- a/postfix/README_FILES/TLS_README
+++ b/postfix/README_FILES/TLS_README
@@ -537,11 +537,17 @@ The "smtpd_tls_ciphers" configuration parameter (Postfix >= 2.6) provides control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export".
-With mandatory TLS encryption, the Postfix SMTP server will by default only use
-SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The
-mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols
-configuration parameter. The corresponding smtpd_tls_protocols parameter
-(Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
+With mandatory TLS encryption, the Postfix SMTP server will by default disable
+SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
+protocol list is specified via the smtpd_tls_mandatory_protocols configuration
+parameter. The corresponding smtpd_tls_protocols parameter (Postfix >= 2.6)
+controls the SSL/TLS protocols used with opportunistic TLS.
+
+Note that the OpenSSL library only supports protocol exclusion (not inclusion).
+For this reason, Postfix can exclude only protocols that are known at the time
+the Postfix software is written. If new protocols are added to the OpenSSL
+library, they cannot be excluded without corresponding changes to the Postfix
+source code.
 For a server that is not a public Internet MX host, Postfix (>= 2.3) supports configurations with no server certificates that use oonnllyy the anonymous ciphers.
@@ -556,9 +562,10 @@ Example, MSA that requires TLSv1, not SSLv2 or SSLv3, with high grade ciphers:
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
 smtpd_tls_security_level = encrypt
- smtpd_tls_mandatory_protocols = TLSv1
- # Also available with Postfix >= 2.5:
+ # Preferred form with Postfix >= 2.5:
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+ # Alternative form.
+ smtpd_tls_mandatory_protocols = TLSv1
 If you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH) key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead
@@ -1009,9 +1016,9 @@ policy settings.
 Examples:
 In the example below, traffic to example.com and its sub-domains via the
-corresponding MX hosts always uses TLS. The protocol version will be "SSLv3" or
-"TLSv1" (the default setting of smtp_tls_mandatory_protocols excludes "SSLv2").
-Only high or medium strength (i.e. 128 bit or better) ciphers will be used by
+corresponding MX hosts always uses TLS. The SSLv2 protocol will be disabled
+(the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). Only
+high- or medium-strength (i.e. 128 bit or better) ciphers will be used by
 default for all "encrypt" security level sessions.
 /etc/postfix/main.cf:
@@ -1675,11 +1682,11 @@ The "smtp_tls_ciphers" configuration parameter (Postfix >= 2.6) provides control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export".
-With mandatory TLS encryption, the Postfix SMTP client will by default only use
-SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The
-mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols
-configuration parameter. The corresponding smtp_tls_protocols parameter
-(Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
+With mandatory TLS encryption, the Postfix SMTP client will by default disable
+SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
+protocol list is specified via the smtp_tls_mandatory_protocols configuration
+parameter. The corresponding smtp_tls_protocols parameter (Postfix >= 2.6)
+controls the SSL/TLS protocols used with opportunistic TLS.
 Example:
@@ -1687,9 +1694,10 @@ Example:
 smtp_tls_mandatory_ciphers = medium
 smtp_tls_mandatory_exclude_ciphers = RC4, MD5
 smtp_tls_exclude_ciphers = aNULL
- smtp_tls_mandatory_protocols = SSLv3, TLSv1
- # Also available with Postfix >= 2.5:
+ # Preferred form with Postfix >= 2.5:
 smtp_tls_mandatory_protocols = !SSLv2
+ # Alternative form.
+ smtp_tls_mandatory_protocols = SSLv3, TLSv1
 # Also available with Postfix >= 2.6:
 smtp_tls_ciphers = export
 smtp_tls_protocols = !SSLv2
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 251967b1b..2f9dc5a6d 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -14,6 +14,43 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6 before proceeding.
+Major changes with Postfix 2.7.9
+--------------------------------
+
+This release adds support to turn off the TLSv1.1 and TLSv1.2
+protocols. Introduced with OpenSSL version 1.0.1, these are known
+to cause inter-operability problems with for example hotmail.
+
+The radical workaround is to temporarily turn off problematic
+protocols globally:
+
+/etc/postfix/main.cf:
+ smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+ smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+ smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+ smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+However, it may be better to temporarily turn off problematic
+protocols for broken sites only:
+
+/etc/postfix/main.cf:
+ smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+
+/etc/postfix/tls_policy:
+ example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
+
+Important:
+
+- Note the use of ":" instead of comma or space. Also, note that
+ there is NO space around the "=" in "protocols=".
+
+- The smtp_tls_policy_maps lookup key must match the "next-hop"
+ destination that is given to the Postfix SMTP client. If you
+ override the next-hop destination with transport_maps, relayhost,
+ sender_dependent_relayhost_maps, or otherwise, you need to specify
+ the same destination for the smtp_tls_policy_maps lookup key.
+
 Incompatibility with Postfix 2.7.2
 ----------------------------------
diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html
index edf38f78b..621fccbac 100644
--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@@ -785,12 +785,18 @@ Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export".

With mandatory TLS encryption, the Postfix SMTP server will by -default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption +default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.

+

Note that the OpenSSL library only supports protocol exclusion +(not inclusion). For this reason, Postfix can exclude only protocols +that are known at the time the Postfix software is written. If new +protocols are added to the OpenSSL library, they cannot be excluded +without corresponding changes to the Postfix source code.

+

For a server that is not a public Internet MX host, Postfix (≥ 2.3) supports configurations with no server certificates that use only the anonymous ciphers. This is @@ -808,9 +814,10 @@ ciphers:

smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt - smtpd_tls_mandatory_protocols = TLSv1 - # Also available with Postfix ≥ 2.5: + # Preferred form with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtpd_tls_mandatory_protocols = TLSv1 @@ -1407,9 +1414,9 @@ should use the new TLS policy settings.

Examples:

In the example below, traffic to example.com and its sub-domains -via the corresponding MX hosts always uses TLS. The protocol version will be -"SSLv3" or "TLSv1" (the default setting of smtp_tls_mandatory_protocols -excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or +via the corresponding MX hosts always uses TLS. The SSLv2 protocol +will be disabled (the default setting of smtp_tls_mandatory_protocols +excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.

@@ -2258,7 +2265,7 @@ Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export".

With mandatory TLS encryption, the Postfix SMTP client will by -default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption +default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls @@ -2272,9 +2279,10 @@ the SSL/TLS protocols used with opportunistic TLS.

smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL - smtp_tls_mandatory_protocols = SSLv3, TLSv1 - # Also available with Postfix ≥ 2.5: + # Preferred form with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 + # Alternative form. + smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index 724ec30ed..c07781049 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -450,7 +450,7 @@ SMTP(8) SMTP(8) non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. - smtp_tls_mandatory_protocols (SSLv3, TLSv1) + smtp_tls_mandatory_protocols (!SSLv2) List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 14ad11179..c5ee7221b 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -4534,7 +4534,7 @@ configuration parameter. See there for details.

lmtp_tls_mandatory_protocols -(default: SSLv3, TLSv1)
+(default: !SSLv2)

The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.

@@ -9698,7 +9698,7 @@ attribute. See smtp_tls_policy_ma
smtp_tls_mandatory_protocols -(default: SSLv3, TLSv1)
+(default: !SSLv2)

List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by @@ -9707,12 +9707,19 @@ whitespace, commas or colons. In the policy table "protocols" attribute empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" +and "TLSv1.2". If an older Postfix version is linked against OpenSSL +1.0.1 or later, these, or any other new protocol versions, are +unconditionally enabled.

+

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing -the protocols to include, rather than protocols to exclude, is still -supported; use the form you find more intuitive.

+the protocols to include, rather than protocols to exclude, is +supported, but not recommended. The exclusion form more closely +matches the behaviour when the OpenSSL library is newer than Postfix. +

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by @@ -9725,9 +9732,10 @@ and higher.

Example:

-smtp_tls_mandatory_protocols = TLSv1
-# Alternative form with Postfix ≥ 2.5:
+# Preferred form with Postfix ≥ 2.5:
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+# Alternative form.
+smtp_tls_mandatory_protocols = TLSv1
 

This feature is available in Postfix 2.3 and later.

@@ -9983,14 +9991,18 @@ separator is colon. An empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" +and "TLSv1.2". If an older Postfix version is linked against OpenSSL +1.0.1 or later, these, or any other new protocol versions, are +unconditionally enabled.

+

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to -include, is supported, but not recommended. OpenSSL provides no mechanisms -for excluding protocols not known at compile-time. If Postfix is linked -against an OpenSSL library that supports additional protocol versions, -they cannot be excluded using either syntax.

+include, rather than protocols to exclude, is supported, but not +recommended. The exclusion form more closely matches the behaviour +when the OpenSSL library is newer than Postfix.

Example:

@@ -13244,7 +13256,7 @@ works in addition to the exclusions listed with smtpd_tls_mandatory_protocols
-(default: SSLv3, TLSv1)
+(default: !SSLv2)

The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all @@ -13253,12 +13265,19 @@ of protocol names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" +and "TLSv1.2". If an older Postfix version is linked against OpenSSL +1.0.1 or later, these, or any other new protocol versions, are +unconditionally enabled.

+

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing -the protocols to include, rather than protocols to exclude, is still -supported, use the form you find more intuitive.

+the protocols to include, rather than protocols to exclude, is +supported, but not recommended. The exclusion form more closely +matches the behaviour when the OpenSSL library is newer than Postfix. +

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that @@ -13292,14 +13311,18 @@ names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute values are separated by a colon.

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" +and "TLSv1.2". If an older Postfix version is linked against OpenSSL +1.0.1 or later, these, or any other new protocol versions, are +unconditionally enabled.

+

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to -include, is supported, but not recommended. OpenSSL provides no mechanisms -for excluding protocols not known at compile-time. If Postfix is linked -against an OpenSSL library that supports additional protocol versions, -they cannot be excluded using either syntax.

+include, rather than protocols to exclude, is supported, but not +recommended. The exclusion form more closely matches the behaviour +when the OpenSSL library is newer than Postfix.

Example:

diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index 724ec30ed..c07781049 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -450,7 +450,7 @@ SMTP(8)                                                                SMTP(8)
               non-empty value is specified,  this  overrides  the
               obsolete smtp_tls_per_site parameter.
 
-       smtp_tls_mandatory_protocols (SSLv3, TLSv1)
+       smtp_tls_mandatory_protocols (!SSLv2)
               List  of  SSL/TLS  protocols  that the Postfix SMTP
               client will use with mandatory TLS encryption.
 
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index 1e08cc9bc..7e1bf0d35 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -462,7 +462,7 @@ SMTPD(8)                                                              SMTPD(8)
               exclude from the SMTP server cipher list at  manda-
               tory TLS security levels.
 
-       smtpd_tls_mandatory_protocols (SSLv3, TLSv1)
+       smtpd_tls_mandatory_protocols (!SSLv2)
               The  SSL/TLS protocols accepted by the Postfix SMTP
               server with mandatory TLS encryption.
 
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 674d9cb4d..d82549504 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -2461,7 +2461,7 @@ The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
 configuration parameter.  See there for details.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH lmtp_tls_mandatory_protocols (default: SSLv3, TLSv1)
+.SH lmtp_tls_mandatory_protocols (default: !SSLv2)
 The LMTP-specific version of the smtp_tls_mandatory_protocols
 configuration parameter. See there for details.
 .PP
@@ -5718,7 +5718,7 @@ specified on a per-destination basis via the TLS policy "exclude"
 attribute. See smtp_tls_policy_maps for notes and examples.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtp_tls_mandatory_protocols (default: SSLv3, TLSv1)
+.SH smtp_tls_mandatory_protocols (default: !SSLv2)
 List of SSL/TLS protocols that the Postfix SMTP client will use with
 mandatory TLS encryption.  In main.cf the values are separated by
 whitespace, commas or colons. In the policy table "protocols" attribute
@@ -5726,12 +5726,18 @@ whitespace, commas or colons. In the policy table "protocols" attribute
 empty value means allow all protocols. The valid protocol names, (see
 \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1".
 .PP
+Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+1.0.1 or later, these, or any other new protocol versions, are
+unconditionally enabled.
+.PP
 With Postfix >= 2.5 the parameter syntax is expanded to support
 protocol exclusions. One can now explicitly exclude SSLv2 by setting
 "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
 SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
-the protocols to include, rather than protocols to exclude, is still
-supported; use the form you find more intuitive.
+the protocols to include, rather than protocols to exclude, is
+supported, but not recommended. The exclusion form more closely
+matches the behaviour when the OpenSSL library is newer than Postfix.
 .PP
 Since SSL version 2 has known protocol weaknesses and is now
 deprecated, the default setting excludes "SSLv2".  This means that by
@@ -5746,9 +5752,10 @@ Example:
 .nf
 .na
 .ft C
-smtp_tls_mandatory_protocols = TLSv1
-# Alternative form with Postfix >= 2.5:
+# Preferred form with Postfix >= 2.5:
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+# Alternative form.
+smtp_tls_mandatory_protocols = TLSv1
 .fi
 .ad
 .ft R
@@ -5981,14 +5988,18 @@ separator is colon. An empty value means allow all protocols. The valid
 protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3"
 and "TLSv1".
 .PP
+Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+1.0.1 or later, these, or any other new protocol versions, are
+unconditionally enabled.
+.PP
 To include a protocol list its name, to exclude it, prefix the name
 with a "!" character. To exclude SSLv2 even for opportunistic TLS set
 "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
 "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
-include, is supported, but not recommended. OpenSSL provides no mechanisms
-for excluding protocols not known at compile-time. If Postfix is linked
-against an OpenSSL library that supports additional protocol versions,
-they cannot be excluded using either syntax.
+include, rather than protocols to exclude, is supported, but not
+recommended.  The exclusion form more closely matches the behaviour
+when the OpenSSL library is newer than Postfix.
 .PP
 Example:
 .nf
@@ -8386,7 +8397,7 @@ works in addition to the exclusions listed with smtpd_tls_exclude_ciphers
 (see there for syntax details).
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtpd_tls_mandatory_protocols (default: SSLv3, TLSv1)
+.SH smtpd_tls_mandatory_protocols (default: !SSLv2)
 The SSL/TLS protocols accepted by the Postfix SMTP server with
 mandatory TLS encryption. If the list is empty, the server supports all
 available SSL/TLS protocol versions.  A non-empty value is a list
@@ -8394,12 +8405,18 @@ of protocol
 names separated by whitespace, commas or colons. The supported protocol
 names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
 .PP
+Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+1.0.1 or later, these, or any other new protocol versions, are
+unconditionally enabled.
+.PP
 With Postfix >= 2.5 the parameter syntax is expanded to support
 protocol exclusions. One can now explicitly exclude SSLv2 by setting
 "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
 SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
-the protocols to include, rather than protocols to exclude, is still
-supported, use the form you find more intuitive.
+the protocols to include, rather than protocols to exclude, is
+supported, but not recommended. The exclusion form more closely
+matches the behaviour when the OpenSSL library is newer than Postfix.
 .PP
 Since SSL version 2 has known protocol weaknesses and is now
 deprecated, the default setting excludes "SSLv2".  This means that
@@ -8431,14 +8448,18 @@ names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and
 "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
 values are separated by a colon.
 .PP
+Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+1.0.1 or later, these, or any other new protocol versions, are
+unconditionally enabled.
+.PP
 To include a protocol list its name, to exclude it, prefix the name
 with a "!" character. To exclude SSLv2 even for opportunistic TLS set
 "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
 "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
-include, is supported, but not recommended. OpenSSL provides no mechanisms
-for excluding protocols not known at compile-time. If Postfix is linked
-against an OpenSSL library that supports additional protocol versions,
-they cannot be excluded using either syntax.
+include, rather than protocols to exclude, is supported, but not
+recommended.  The exclusion form more closely matches the behaviour
+when the OpenSSL library is newer than Postfix.
 .PP
 Example:
 .nf
diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8
index 37c0290a4..342897f5a 100644
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@@ -374,7 +374,7 @@ when TLS is not already enabled for that server.
 Optional lookup tables with the Postfix SMTP client TLS security
 policy by next-hop destination; when a non-empty value is specified,
 this overrides the obsolete smtp_tls_per_site parameter.
-.IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+.IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
 List of SSL/TLS protocols that the Postfix SMTP client will use with
 mandatory TLS encryption.
 .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index ec5ba6abc..ee4b71b8f 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -389,7 +389,7 @@ use with mandatory TLS encryption.
 .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
 Additional list of ciphers or cipher types to exclude from the
 SMTP server cipher list at mandatory TLS security levels.
-.IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+.IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
 The SSL/TLS protocols accepted by the Postfix SMTP server with
 mandatory TLS encryption.
 .IP "\fBsmtpd_tls_received_header (no)\fR"
diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html
index b75bf9ed0..f15d46d4b 100644
--- a/postfix/proto/TLS_README.html
+++ b/postfix/proto/TLS_README.html
@@ -785,12 +785,18 @@ Postfix < 2.6, the minimum opportunistic TLS cipher grade is always
 "export". 

With mandatory TLS encryption, the Postfix SMTP server will by -default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption +default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.

+

Note that the OpenSSL library only supports protocol exclusion +(not inclusion). For this reason, Postfix can exclude only protocols +that are known at the time the Postfix software is written. If new +protocols are added to the OpenSSL library, they cannot be excluded +without corresponding changes to the Postfix source code.

+

For a server that is not a public Internet MX host, Postfix (≥ 2.3) supports configurations with no server certificates that use only the anonymous ciphers. This is @@ -808,9 +814,10 @@ ciphers:

smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt - smtpd_tls_mandatory_protocols = TLSv1 - # Also available with Postfix ≥ 2.5: + # Preferred form with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtpd_tls_mandatory_protocols = TLSv1
@@ -1407,9 +1414,9 @@ should use the new TLS policy settings.

Examples:

In the example below, traffic to example.com and its sub-domains -via the corresponding MX hosts always uses TLS. The protocol version will be -"SSLv3" or "TLSv1" (the default setting of smtp_tls_mandatory_protocols -excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or +via the corresponding MX hosts always uses TLS. The SSLv2 protocol +will be disabled (the default setting of smtp_tls_mandatory_protocols +excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.

@@ -2258,7 +2265,7 @@ Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export".

With mandatory TLS encryption, the Postfix SMTP client will by -default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption +default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls @@ -2272,9 +2279,10 @@ the SSL/TLS protocols used with opportunistic TLS.

smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL - smtp_tls_mandatory_protocols = SSLv3, TLSv1 - # Also available with Postfix ≥ 2.5: + # Preferred form with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 + # Alternative form. + smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index fa45ce42c..8e27aae95 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -10267,7 +10267,7 @@ configurations in environments where DNS security is not assured.

This feature is available in Postfix 2.3 and later.

-%PARAM smtp_tls_mandatory_protocols SSLv3, TLSv1 +%PARAM smtp_tls_mandatory_protocols !SSLv2

List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by @@ -10276,12 +10276,19 @@ whitespace, commas or colons. In the policy table "protocols" attribute empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" +and "TLSv1.2". If an older Postfix version is linked against OpenSSL +1.0.1 or later, these, or any other new protocol versions, are +unconditionally enabled.

+

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing -the protocols to include, rather than protocols to exclude, is still -supported; use the form you find more intuitive.

+the protocols to include, rather than protocols to exclude, is +supported, but not recommended. The exclusion form more closely +matches the behaviour when the OpenSSL library is newer than Postfix. +

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by @@ -10294,9 +10301,10 @@ TLS_README for more information about security levels.

Example:

-smtp_tls_mandatory_protocols = TLSv1
-# Alternative form with Postfix ≥ 2.5:
+# Preferred form with Postfix ≥ 2.5:
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+# Alternative form.
+smtp_tls_mandatory_protocols = TLSv1
 

This feature is available in Postfix 2.3 and later.

@@ -10424,7 +10432,7 @@ configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

-%PARAM lmtp_tls_mandatory_protocols SSLv3, TLSv1 +%PARAM lmtp_tls_mandatory_protocols !SSLv2

The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.

@@ -10445,7 +10453,7 @@ configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

-%PARAM smtpd_tls_mandatory_protocols SSLv3, TLSv1
+%PARAM smtpd_tls_mandatory_protocols !SSLv2

The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all
@@ -10454,12 +10462,19 @@ of protocol names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+1.0.1 or later, these, or any other new protocol versions, are
+unconditionally enabled.

+

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
-the protocols to include, rather than protocols to exclude, is still
-supported, use the form you find more intuitive.

+the protocols to include, rather than protocols to exclude, is
+supported, but not recommended. The exclusion form more closely
+matches the behaviour when the OpenSSL library is newer than Postfix.
+

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that
@@ -11468,14 +11483,18 @@ separator is colon. An empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+1.0.1 or later, these, or any other new protocol versions, are
+unconditionally enabled.

+

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
-include, is supported, but not recommended. OpenSSL provides no mechanisms
-for excluding protocols not known at compile-time. If Postfix is linked
-against an OpenSSL library that supports additional protocol versions,
-they cannot be excluded using either syntax.

+include, rather than protocols to exclude, is supported, but not
+recommended. The exclusion form more closely matches the behaviour
+when the OpenSSL library is newer than Postfix.

Example:

@@ -11498,14 +11517,18 @@ names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and
 "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
 values are separated by a colon. 

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+1.0.1 or later, these, or any other new protocol versions, are
+unconditionally enabled.

+

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
-include, is supported, but not recommended. OpenSSL provides no mechanisms
-for excluding protocols not known at compile-time. If Postfix is linked
-against an OpenSSL library that supports additional protocol versions,
-they cannot be excluded using either syntax.

+include, rather than protocols to exclude, is supported, but not
+recommended. The exclusion form more closely matches the behaviour
+when the OpenSSL library is newer than Postfix.

Example:

diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index b4b67537d..e17beb575 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -1239,7 +1239,7 @@ extern char *var_smtpd_tls_CApath;
 extern char *var_smtpd_tls_proto;
 
 #define VAR_SMTPD_TLS_MAND_PROTO	"smtpd_tls_mandatory_protocols"
-#define DEF_SMTPD_TLS_MAND_PROTO	"SSLv3, TLSv1"
+#define DEF_SMTPD_TLS_MAND_PROTO	"!SSLv2"
 extern char *var_smtpd_tls_mand_proto;
 
 #define VAR_SMTPD_TLS_CIPH	"smtpd_tls_ciphers"
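Review bot: The new `DEF_SMTPD_TLS_MAND_PROTO` value turns the default from an explicit allow-list into an exclusion, so a mandatory-TLS session is no longer pinned to a fixed protocol set and, per the accompanying postconf text in this commit, will also accept whatever protocols a newer OpenSSL adds; nothing in the header records that this is intended. A one-line comment above the define would keep a later maintainer from "restoring" the allow-list: `/* Exclusion form on purpose: protocols newer than this release stay enabled. */`. The same applies to `DEF_SMTP_TLS_MAND_PROTO` and `DEF_LMTP_TLS_MAND_PROTO` in the second hunk.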
@@ -1456,9 +1456,9 @@ extern char *var_smtp_tls_policy;
 extern char *var_smtp_tls_proto;
 
 #define VAR_SMTP_TLS_MAND_PROTO	"smtp_tls_mandatory_protocols"
-#define DEF_SMTP_TLS_MAND_PROTO	"SSLv3, TLSv1"
+#define DEF_SMTP_TLS_MAND_PROTO	"!SSLv2"
 #define VAR_LMTP_TLS_MAND_PROTO	"lmtp_tls_mandatory_protocols"
-#define DEF_LMTP_TLS_MAND_PROTO	"SSLv3, TLSv1"
+#define DEF_LMTP_TLS_MAND_PROTO	"!SSLv2"
 extern char *var_smtp_tls_mand_proto;
 
 #define VAR_SMTP_TLS_VFY_CMATCH	"smtp_tls_verify_cert_match"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 6edb5df6d..89573e00b 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20120204"
-#define MAIL_VERSION_NUMBER	"2.7.8"
+#define MAIL_RELEASE_DATE	"20120424"
+#define MAIL_VERSION_NUMBER	"2.7.9"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff --git a/postfix/src/postlog/postlog.c b/postfix/src/postlog/postlog.c
index 000ff70d6..e2a7877d5 100644
--- a/postfix/src/postlog/postlog.c
+++ b/postfix/src/postlog/postlog.c
@@ -206,7 +206,6 @@ int     main(int argc, char **argv)
     if (isatty(STDERR_FILENO))
 	msg_vstream_init(tag, VSTREAM_ERR);
     msg_syslog_init(tag, LOG_PID, LOG_FACILITY);
-    tag = 0;
 
     /*
      * Parse switches.
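Review bot: Removing `tag = 0;` keeps `tag` valid after `msg_syslog_init()`, which the remainder of main() presumably still reads; the function body continues outside the hunk, so whether any later code relied on the reset cannot be confirmed from here. A short comment at this spot would stop the assignment from being reintroduced in a future cleanup: `/* tag stays in use below; do not reset it here */`.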
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index 84a62f5e1..f9ecacbf0 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -344,7 +344,7 @@
 /*	Optional lookup tables with the Postfix SMTP client TLS security
 /*	policy by next-hop destination; when a non-empty value is specified,
 /*	this overrides the obsolete smtp_tls_per_site parameter.
-/* .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+/* .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
 /*	List of SSL/TLS protocols that the Postfix SMTP client will use with
 /*	mandatory TLS encryption.
 /* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index ee4caa7db..2374d5c95 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -357,7 +357,7 @@
 /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
 /*	Additional list of ciphers or cipher types to exclude from the
 /*	SMTP server cipher list at mandatory TLS security levels.
-/* .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+/* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
 /*	The SSL/TLS protocols accepted by the Postfix SMTP server with
 /*	mandatory TLS encryption.
 /* .IP "\fBsmtpd_tls_received_header (no)\fR"
diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h
index b66a09f86..88e860c8e 100644
--- a/postfix/src/tls/tls.h
+++ b/postfix/src/tls/tls.h
@@ -154,8 +154,19 @@ extern void tls_param_init(void);
 #define TLS_PROTOCOL_SSLv2	(1<<0)	/* SSLv2 */
 #define TLS_PROTOCOL_SSLv3	(1<<1)	/* SSLv3 */
 #define TLS_PROTOCOL_TLSv1	(1<<2)	/* TLSv1 */
+#ifdef SSL_TXT_TLSV1_1
+#define TLS_PROTOCOL_TLSv1_1	(1<<3)	/* TLSv1_1 */
+#else
+#define TLS_PROTOCOL_TLSv1_1	0	/* Unknown */
+#endif
+#ifdef SSL_TXT_TLSV1_2
+#define TLS_PROTOCOL_TLSv1_2	(1<<4)	/* TLSv1_2 */
+#else
+#define TLS_PROTOCOL_TLSv1_2	0	/* Unknown */
+#endif
 #define TLS_KNOWN_PROTOCOLS	\
-	( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 )
+	( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
+	   | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
 
 extern int tls_protocol_mask(const char *);
 
diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index 7fd32d478..afb159795 100644
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -814,6 +814,12 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
     if (protomask != 0)
 	SSL_set_options(TLScontext->con,
 		   ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
+#ifdef SSL_OP_NO_TLSv1_1
+	     | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+	     | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
+#endif
 		 | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
 	       | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
 
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index 1a324b939..b0f0c499c 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -206,6 +206,12 @@ static const NAME_CODE protocol_table[] = {
     SSL_TXT_SSLV2, TLS_PROTOCOL_SSLv2,
     SSL_TXT_SSLV3, TLS_PROTOCOL_SSLv3,
     SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
+#ifdef SSL_TXT_TLSV1_1
+    SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
+#endif
+#ifdef SSL_TXT_TLSV1_2
+    SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
+#endif
     0, TLS_PROTOCOL_INVALID,
 };
 
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 9ed6d20ed..47be5cc7e 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -366,6 +366,12 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
     if (protomask != 0)
 	SSL_CTX_set_options(server_ctx,
 		   ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
+#ifdef SSL_OP_NO_TLSv1_1
+	     | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+	     | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
+#endif
 		 | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
 	       | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
 
diff --git a/postfix/src/xsasl/xsasl_cyrus.h b/postfix/src/xsasl/xsasl_cyrus.h
index 5e78dcd2b..ad8557ed5 100644
--- a/postfix/src/xsasl/xsasl_cyrus.h
+++ b/postfix/src/xsasl/xsasl_cyrus.h
@@ -26,6 +26,11 @@
 extern XSASL_SERVER_IMPL *xsasl_cyrus_server_init(const char *, const char *);
 extern XSASL_CLIENT_IMPL *xsasl_cyrus_client_init(const char *, const char *);
 
+ /*
+  * Internal definitions for client and server module.
+  */
+typedef int (*XSASL_CYRUS_CB) (void);
+
 #endif
 
 /* LICENSE
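Review bot: The comment above `XSASL_CYRUS_CB` says only "Internal definitions", which does not tell a reader why callbacks with different real signatures are cast to `int (*)(void)` in the xsasl_cyrus_client.c and xsasl_cyrus_server.c hunks. The cast exists to match the callback-pointer type Cyrus SASL declares in `sasl_callback_t`, and the library is expected to cast it back to the real signature before calling; stating that here keeps someone from turning the typedef into something that is actually called through. Suggested wording: `/* Cyrus SASL declares callback procs as int (*)(void); this typedef only silences the pointer-type mismatch. Never call through it. */`.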
diff --git a/postfix/src/xsasl/xsasl_cyrus_client.c b/postfix/src/xsasl/xsasl_cyrus_client.c
index 16a098c07..5ba1c4bae 100644
--- a/postfix/src/xsasl/xsasl_cyrus_client.c
+++ b/postfix/src/xsasl/xsasl_cyrus_client.c
@@ -223,7 +223,7 @@ XSASL_CLIENT_IMPL *xsasl_cyrus_client_init(const char *unused_client_type,
      * Global callbacks. These have no per-session context.
      */
     static sasl_callback_t callbacks[] = {
-	{SASL_CB_LOG, &xsasl_cyrus_log, 0},
+	{SASL_CB_LOG, (XSASL_CYRUS_CB) &xsasl_cyrus_log, 0},
 	{SASL_CB_LIST_END, 0, 0}
     };
 
@@ -302,9 +302,9 @@ XSASL_CLIENT *xsasl_cyrus_client_create(XSASL_CLIENT_IMPL *unused_impl,
 {
     XSASL_CYRUS_CLIENT *client = 0;
     static sasl_callback_t callbacks[] = {
-	{SASL_CB_USER, &xsasl_cyrus_client_get_user, 0},
-	{SASL_CB_AUTHNAME, &xsasl_cyrus_client_get_user, 0},
-	{SASL_CB_PASS, &xsasl_cyrus_client_get_passwd, 0},
+	{SASL_CB_USER, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_user, 0},
+	{SASL_CB_AUTHNAME, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_user, 0},
+	{SASL_CB_PASS, (XSASL_CYRUS_CB) &xsasl_cyrus_client_get_passwd, 0},
 	{SASL_CB_LIST_END, 0, 0}
     };
     sasl_conn_t *sasl_conn = 0;
diff --git a/postfix/src/xsasl/xsasl_cyrus_server.c b/postfix/src/xsasl/xsasl_cyrus_server.c
index 78bb4df17..202e8db45 100644
--- a/postfix/src/xsasl/xsasl_cyrus_server.c
+++ b/postfix/src/xsasl/xsasl_cyrus_server.c
@@ -170,7 +170,7 @@ static const char *xsasl_cyrus_server_get_username(XSASL_SERVER *);
 #define NO_CALLBACK_CONTEXT	0
 
 static sasl_callback_t callbacks[] = {
-    {SASL_CB_LOG, &xsasl_cyrus_log, NO_CALLBACK_CONTEXT},
+    {SASL_CB_LOG, (XSASL_CYRUS_CB) &xsasl_cyrus_log, NO_CALLBACK_CONTEXT},
     {SASL_CB_LIST_END, 0, 0}
 };