I've seen some reports that qpsmtpd fails some PCI compliance testing 
because it can be accessed via SSLv2.

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

http://bugs.contribs.org/show_bug.cgi?id=6141

Here's a simple, and untested, patch - someone might care to do something 
more elaborate to allow choice of TLSv1 or SSLv3 (unfortunately 
IO::Socket::SSL doesn't seem to allow disabling just SSLv2).

--- qpsmtpd-0.83/plugins/tls.orig       2010-07-22 22:04:00.000000000 -0400
+++ qpsmtpd-0.83/plugins/tls    2010-07-22 22:09:35.000000000 -0400
@@ -80,6 +80,7 @@
     local $^W; # this bit is very noisy...
     my $ssl_ctx = IO::Socket::SSL::SSL_Context->new(
         SSL_use_cert => 1,
+        SSL_version => 'TLSv1',
         SSL_cert_file => $self->tls_cert,
         SSL_key_file => $self->tls_key,
         SSL_ca_file => $self->tls_ca,
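
Review bot: the 'TLSv1' literal added to the SSL_Context->new arguments is hard-coded, so an operator who needs SSLv3 has no way to select it without editing the plugin. Consider taking the value from a plugin setting, in the same way that $self->tls_cert, $self->tls_key and $self->tls_ca are supplied, with 'TLSv1' as the default, and describing the setting in the plugin's documentation.
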
@@ -176,6 +177,7 @@
         my $tlssocket = IO::Socket::SSL->new_from_fd(
             fileno(STDIN), '+>',
             SSL_use_cert => 1,
+            SSL_version => 'TLSv1',
             SSL_cert_file => $self->tls_cert,
             SSL_key_file => $self->tls_key,
             SSL_ca_file => $self->tls_ca,
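
Review bot: the same 'TLSv1' literal is repeated in the IO::Socket::SSL->new_from_fd call, so the two call sites can drift apart if only one is changed later. Take the value from a single place shared with the SSL_Context->new call. Since the patch is described as untested, also confirm on this fileno(STDIN) path that an SSLv2 handshake is refused and a TLSv1 handshake still completes.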
