Wietse Venema:
> Based on input from Victor I'll put out a 2.10 development release
> that makes the minimum changes to support the new OpenSSL protocols.
> This may then be back-ported to earlier Postfix releases if needed.
>
> Meanwhile, Victor will start work on future-proofing Postfix, such
> that it will be prepared for future OpenSSL releases that introduce
> new features that Postfix doesn't know about. That code will most
> likely be fielded as a non-production release, followed by regular
> development releases.
This is tested and uploaded as postfix-2.10-20120422. Example:

/etc/postfix/main.cf:
    smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
    smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
    smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
    smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

However, it may be better to disable the new protocols for broken sites
only, with smtp_tls_policy_maps entries.

/etc/postfix/main.cf:
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

/etc/postfix/tls_policy:
    example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2

(caution: note the use of ":" instead of comma or space).

	Wietse
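As an added example (not part of Wietse's message and not Postfix code), the Python checker below parses the two list syntaxes the message uses: the comma- or space-separated protocol lists in main.cf, and the ":"-separated protocols= attribute in a tls_policy file. It flags a policy entry that uses commas or spaces where colons are required, converts a main.cf list into the policy-map form, and reports which protocols remain enabled after the exclusions. The sample main.cf and tls_policy contents are constructed; the set of protocol names it knows (SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2) is an assumption about what OpenSSL offered at the time of the post, and all function names are hypothetical.

```python
"""Syntax checker for Postfix TLS protocol lists (added example, not Postfix code).

main.cf parameters such as smtp_tls_protocols take a comma/whitespace
separated list.  A tls_policy line is itself split on whitespace, so its
protocols= attribute must be ':'-separated, which is the caution in the
message above.
"""
import re

# Assumed protocol names for the OpenSSL of that era (the post itself only
# names SSLv2, TLSv1.1 and TLSv1.2).
KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def parse_protocol_list(value, sep_pattern):
    """Split a protocol list on sep_pattern; '!name' tokens are exclusions."""
    included, excluded = set(), set()
    for tok in re.split(sep_pattern, value.strip()):
        if not tok:
            continue
        if tok.startswith("!"):
            excluded.add(tok[1:])
        else:
            included.add(tok)
    return included, excluded


def effective_protocols(included, excluded):
    """An empty include list means 'everything not excluded', as in the post."""
    base = set(included) if included else set(KNOWN_PROTOCOLS)
    return base - excluded


def to_policy_syntax(main_cf_value):
    """Rewrite a main.cf style list into the ':'-separated policy-map form."""
    tokens = [t for t in re.split(r"[,\s]+", main_cf_value.strip()) if t]
    return ":".join(tokens)


def parse_main_cf(text):
    """Collect 'name = value' lines of main.cf into a dict (comments skipped)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check_main_cf(text):
    """Return {parameter: effective protocol set} for every *protocols parameter."""
    result = {}
    for name, value in parse_main_cf(text).items():
        if name.endswith("protocols"):
            inc, exc = parse_protocol_list(value, r"[,\s]+")
            result[name] = effective_protocols(inc, exc)
    return result


def check_tls_policy(text):
    """Return {site: (effective protocol set or None, [problems])}.

    Lines look like '<site> <level> [attr=value ...]'.  Because the line is
    split on whitespace, a protocols= value written with ', ' falls apart
    into stray tokens; a value with bare commas is flagged as well.
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        site, attrs, problems = fields[0], {}, []
        for attr in fields[2:]:
            if "=" not in attr:
                problems.append("stray token %r: attribute values must not contain spaces" % attr)
                continue
            key, _, value = attr.partition("=")
            if key == "protocols" and "," in value:
                problems.append("protocols= must be ':'-separated, not comma-separated")
            attrs[key] = value
        protos = None
        if "protocols" in attrs and not problems:
            inc, exc = parse_protocol_list(attrs["protocols"], r":")
            protos = effective_protocols(inc, exc)
        result[site] = (protos, problems)
    return result


# Constructed samples mirroring the message above, plus two broken policy lines.
MAIN_CF = """\
smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
"""

TLS_POLICY = """\
# constructed: one correct entry, two with the comma/space mistake
example.com  may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
example.net  may protocols=!SSLv2,!TLSv1.1,!TLSv1.2
example.org  may protocols=!SSLv2, !TLSv1.1
"""

if __name__ == "__main__":
    print(check_main_cf(MAIN_CF))
    for site, (protos, problems) in check_tls_policy(TLS_POLICY).items():
        print(site, protos, problems)
```

Running it shows the main.cf entry leaving SSLv3 and TLSv1 enabled, the example.com policy line doing the same, and the other two lines rejected with an explanation of the comma or space problem.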