On Sun, Apr 22, 2012 at 03:12:26PM -0400, Wietse Venema wrote:

> > Proposed patch attached.
> 
> That will be a solution for Postfix 2.10.
> 
> Meanwhile, for earlier Postfix releases, how much of the problem
> can be solved by changing from:
> 
>     mumble_tls_mandatory_protocols = SSLv3, TLSv1
> 
> (i.e. the current default) to:
> 
>     mumble_tls_mandatory_protocols = !SSLv2

The two defaults are equivalent when the protocols known to Postfix
are just SSLv2, SSLv3 and TLSv1 (even if the SSL library implements
additional protocols). Either way, Postfix sets the SSL_OP_NO_SSLv2
flag.

This default would, however, also disable TLSv1_1 and TLSv1_2
with the 2.10 patch that adds knowledge of those protocols to Postfix,
so it made sense to change the default to be "!SSLv2", which is what
it really means.

So, sure, we can change the default to the equivalent "!SSLv2" in
earlier releases if that simplifies documentation, or otherwise
aids in clarity of "postconf" output.

-- 
        Viktor.
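
The equivalence described in the message above, and the point where it stops holding, as an added example that is not part of the original message and is not Postfix source code. It is a Python model that assumes naming any protocol positively turns off every other protocol the program knows about; the function names and the two "known protocol" tuples are hypothetical.

```python
import re

# Protocol names the program "knows" (assumed lists for this model).
OLD_KNOWN = ("SSLv2", "SSLv3", "TLSv1")            # before the 2.10 patch
NEW_KNOWN = OLD_KNOWN + ("TLSv1.1", "TLSv1.2")     # TLSv1_1 / TLSv1_2 in the message


def disabled_protocols(setting, known):
    """Return the set of known protocols that a protocol list turns off."""
    include, exclude = set(), set()
    for token in re.split(r"[,:\s]+", setting.strip()):
        if not token:
            continue
        negated = token.startswith("!")
        name = token.lstrip("!")
        match = next((k for k in known if k.lower() == name.lower()), None)
        if match is None:
            raise ValueError(f"unknown protocol name: {name!r}")
        (exclude if negated else include).add(match)
    if include:
        # Assumption: an inclusion list implicitly excludes everything
        # that is known but not named.
        exclude |= set(known) - include
    return exclude


def enabled_protocols(setting, known):
    """Known protocols left enabled, in the order of the known list."""
    off = disabled_protocols(setting, known)
    return [p for p in known if p not in off]


if __name__ == "__main__":
    for label, known in (("3 known protocols", OLD_KNOWN),
                         ("5 known protocols", NEW_KNOWN)):
        for setting in ("SSLv3, TLSv1", "!SSLv2"):
            print(f"{label:18} {setting!r:16} -> "
                  f"{enabled_protocols(setting, known)}")
```

With three known protocols both settings disable only SSLv2; with five, the inclusion list also turns off the two newer protocols while "!SSLv2" leaves them enabled.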
