On Thu, Mar 03, 2016 at 05:14:30PM +0100, Marc Patermann wrote:

> On 01.03.2016 at 18:16, Viktor Dukhovni wrote:
>
> >Some of the servers that expose TLS to cross-protocol DROWN attacks
> >via SSLv2 are MTAs running Postfix. If you're using an older
> >Postfix release (released prior to July 20 2015), or you've explicitly
> >configured TLS settings that may have enabled SSLv2, please update
> >your configuration as suggested below:
>
> what is the oldest version of postfix (and openssl) needed to fix the problem
> by these configuration changes?

Postfix 2.6 and later, with the recommended settings, is sufficient, but
it is recommended that you also deploy OpenSSL 1.0.1s or 1.0.2g, or your
O/S vendor's "equivalent" update. It is sadly common to selectively
backport fixes without changing the version number, so look for updates
that address the DROWN-related CVEs: CVE-2016-0800, CVE-2016-0703,
CVE-2015-3197.

--
	Viktor.
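
Added example, not part of the original message: because a backported fix may leave the OpenSSL version string unchanged, one way to check a vendor package is to search its changelog for the three CVE ids named above. The function names and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# The three DROWN-related CVE ids listed in the message above.
DROWN_CVES="CVE-2016-0800 CVE-2016-0703 CVE-2015-3197"

# missing_drown_cves (hypothetical helper): reads changelog text on stdin and
# prints the CVE ids that are NOT mentioned in it, space separated.
# Exit status is 0 only when all three ids were found.
# A missing id means "verify with the vendor advisory", not proof of exposure.
missing_drown_cves() {
    changelog=$(cat)
    missing=""
    for cve in $DROWN_CVES; do
        # -F fixed string, -w whole word (so a longer id cannot match), -i any case
        if ! printf '%s\n' "$changelog" | grep -qiFw -e "$cve"; then
            missing="${missing:+$missing }$cve"
        fi
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample changelog (not real vendor output): the package keeps an
# old upstream version number while carrying two of the three fixes.
sample_changelog() {
cat <<'EOF'
* Tue Mar 01 2016 Example Packager <pkg@example.org> 1.0.1e-99
- fix CVE-2016-0800 - disable SSLv2 by default
- fix CVE-2015-3197 - SSLv2 ciphersuite enabling check
EOF
}

# Typical use on a live system:
#   rpm -q --changelog openssl | missing_drown_cves
#   apt-get changelog openssl  | missing_drown_cves
```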