From 6e067c0f89aae896795e8e6294eda5f73208ff50 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Mon, 20 Jul 2015 00:00:00 -0500 Subject: [PATCH] postfix-3.1-20150720-nonprod --- postfix/README_FILES/TLS_README | 20 ++++++++++---------- postfix/html/TLS_README.html | 12 ++++++------ postfix/proto/TLS_README.html | 12 ++++++------ postfix/src/global/mail_version.h | 2 +- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README index ee793cb43..0d8907407 100644 --- a/postfix/README_FILES/TLS_README +++ b/postfix/README_FILES/TLS_README @@ -840,7 +840,7 @@ Examples: In the example below, traffic to example.com and its sub-domains via the corresponding MX hosts always uses TLS. The SSLv2 protocol will be disabled -(the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). Only +(the default setting of smtp_tls_mandatory_protocols excludes SSLv2+3). Only high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions. 
@@ -1625,15 +1625,15 @@ ddaannee TLSA records in DNSSEC. If no TLSA records are found, the effective security level used is may. If TLSA records are found, but none are usable, the effective security level is encrypt. When usable TLSA records are - obtained for the remote SMTP server, SSLv2 is automatically disabled (see - smtp_tls_mandatory_protocols), and the server certificate must match the - TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is + obtained for the remote SMTP server, SSLv2+3 are automatically disabled + (see smtp_tls_mandatory_protocols), and the server certificate must match + the TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is available with Postfix 2.11 and later. ddaannee--oonnllyy Mandatory DANE TLS. The TLS policy for the destination is obtained via TLSA records in DNSSEC. If no TLSA records are found, or none are usable, no connection is made to the server. When usable TLSA records are obtained for - the remote SMTP server, SSLv2 is automatically disabled (see + the remote SMTP server, SSLv2+3 are automatically disabled (see smtp_tls_mandatory_protocols), and the server certificate must match the TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is available with Postfix 2.11 and later. 
@@ -1787,11 +1787,11 @@ minimum cipher grade for opportunistic TLS is "medium" for Postfix releases after the middle of 2015, and "export" for older releases. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export". -With mandatory TLS encryption, the Postfix SMTP client will by default disable -SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS -protocol list is specified via the smtp_tls_mandatory_protocols configuration -parameter. The corresponding smtp_tls_protocols parameter (Postfix >= 2.6) -controls the SSL/TLS protocols used with opportunistic TLS. +With mandatory and opportunistic TLS encryption, the Postfix SMTP client will +by default disable SSLv2 and SSLv3. The mandatory TLS protocol list is +specified via the smtp_tls_mandatory_protocols configuration parameter. The +corresponding smtp_tls_protocols parameter (Postfix >= 2.6) controls the SSL/ +TLS protocols used with opportunistic TLS. Example: diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html index e642eeed3..ec370dcd0 100644 --- a/postfix/html/TLS_README.html +++ b/postfix/html/TLS_README.html @@ -1157,7 +1157,7 @@ table, specify the "encrypt" security level.

In the example below, traffic to example.com and its sub-domains via the corresponding MX hosts always uses TLS. The SSLv2 protocol will be disabled (the default setting of smtp_tls_mandatory_protocols -excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or +excludes SSLv2+3). Only high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.

@@ -2137,7 +2137,7 @@ DNSSEC. If no TLSA records are found, the effective security level used is may. If TLSA records are found, but none are usable, the effective security level is encrypt. When usable TLSA records -are obtained for the remote SMTP server, SSLv2 is automatically +are obtained for the remote SMTP server, SSLv2+3 are automatically disabled (see smtp_tls_mandatory_protocols), and the server certificate must match the TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is available with Postfix 2.11 and later. @@ -2146,7 +2146,7 @@ and DNSSEC support is available with Postfix 2.11 and later. The TLS policy for the destination is obtained via TLSA records in DNSSEC. If no TLSA records are found, or none are usable, no connection is made to the server. When usable TLSA records are -obtained for the remote SMTP server, SSLv2 is automatically disabled +obtained for the remote SMTP server, SSLv2+3 are automatically disabled (see smtp_tls_mandatory_protocols), and the server certificate must match the TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is available with Postfix 2.11 and later. @@ -2339,9 +2339,9 @@ for Postfix releases after the middle of 2015, and "export" for older releases. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export".

-

With mandatory TLS encryption, the Postfix SMTP client will by -default disable SSLv2. SSLv2 is used only when TLS encryption -is optional. The mandatory TLS protocol list is specified via the +

With mandatory and opportunistic TLS encryption, the Postfix +SMTP client will by default disable SSLv2 and SSLv3. The mandatory +TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.

diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html index 15c486548..099ca78e8 100644 --- a/postfix/proto/TLS_README.html +++ b/postfix/proto/TLS_README.html @@ -1157,7 +1157,7 @@ table, specify the "encrypt" security level.

In the example below, traffic to example.com and its sub-domains via the corresponding MX hosts always uses TLS. The SSLv2 protocol will be disabled (the default setting of smtp_tls_mandatory_protocols -excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or +excludes SSLv2+3). Only high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.

@@ -2137,7 +2137,7 @@ DNSSEC. If no TLSA records are found, the effective security level used is may. If TLSA records are found, but none are usable, the effective security level is encrypt. When usable TLSA records -are obtained for the remote SMTP server, SSLv2 is automatically +are obtained for the remote SMTP server, SSLv2+3 are automatically disabled (see smtp_tls_mandatory_protocols), and the server certificate must match the TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is available with Postfix 2.11 and later. @@ -2146,7 +2146,7 @@ and DNSSEC support is available with Postfix 2.11 and later. The TLS policy for the destination is obtained via TLSA records in DNSSEC. If no TLSA records are found, or none are usable, no connection is made to the server. When usable TLSA records are -obtained for the remote SMTP server, SSLv2 is automatically disabled +obtained for the remote SMTP server, SSLv2+3 are automatically disabled (see smtp_tls_mandatory_protocols), and the server certificate must match the TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is available with Postfix 2.11 and later. @@ -2339,9 +2339,9 @@ for Postfix releases after the middle of 2015, and "export" for older releases. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export".

-

With mandatory TLS encryption, the Postfix SMTP client will by -default disable SSLv2. SSLv2 is used only when TLS encryption -is optional. The mandatory TLS protocol list is specified via the +

With mandatory and opportunistic TLS encryption, the Postfix +SMTP client will by default disable SSLv2 and SSLv3. The mandatory +TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 066c8713d..2fc082641 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20150719" +#define MAIL_RELEASE_DATE "20150720" #define MAIL_VERSION_NUMBER "3.1" #ifdef SNAPSHOT -- 2.47.3
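Review bot: in the README_FILES/TLS_README @@ -840 hunk the lead sentence still reads "The SSLv2 protocol will be disabled" while the changed parenthetical now says the default "excludes SSLv2+3", so the two halves of the sentence disagree about SSLv3; change the lead sentence to "The SSLv2 and SSLv3 protocols will be disabled" and spell the parenthetical out as "excludes SSLv2 and SSLv3", matching the wording the @@ -1787 hunk already uses. The html/TLS_README.html and proto/TLS_README.html @@ -1157 hunks carry the identical mismatch and should get the identical fix so the three copies stay in sync.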
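Review bot: the @@ -1625 hunk in README_FILES/TLS_README (and its twins, @@ -2137 and @@ -2146 in html/ and proto/TLS_README.html) introduces the shorthand "SSLv2+3 are automatically disabled", which a reader scanning for the protocol names accepted by smtp_tls_mandatory_protocols may take for a single token; prefer "SSLv2 and SSLv3 are automatically disabled (see smtp_tls_mandatory_protocols)" in both the dane and dane-only entries, as the @@ -1787 hunk does. The "ddaannee" / "ddaannee--oonnllyy" in the context lines is overstrike bold from the rendered README, not damage introduced by this change.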
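Review bot: the @@ -1787 hunk now says the client will "by default disable SSLv2 and SSLv3" under both mandatory and opportunistic TLS, but unlike the cipher-grade sentence directly above it ("for Postfix releases after the middle of 2015, and "export" for older releases") it carries no release qualifier, so an operator on an older release will read the SSLv3 default as applying to them; add the same kind of qualifier, and consider quoting the actual default values of smtp_tls_mandatory_protocols and smtp_tls_protocols so the reader can compare them against main.cf. Removing "SSLv2 is used only when TLS encryption is optional" is right once opportunistic TLS also excludes SSLv2 by default. The html/ and proto/ @@ -2339 hunks carry the same paragraph and need the same qualifier.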