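--- postfix-3.3.1/man/man5/postconf.5
+++ postfix-3.3.2/man/man5/postconf.5
@@ -8076,6 +8077,9 @@
 "SSLv3"). The latest patch levels of Postfix >= 2.6, and all
 versions of Postfix >= 2.10 can explicitly disable support for
 "TLSv1.1" or "TLSv1.2".
+.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
 .PP
 At the dane and
 dane\-only security
@@ -8391,6 +8397,9 @@
 and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
 versions of Postfix >= 2.10 can explicitly disable support for
 "TLSv1.1" or "TLSv1.2"
+.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
 .PP
 To include a protocol list its name, to exclude it, prefix the name
 with a "!" character. To exclude SSLv2 for opportunistic TLS set
@@ -11669,6 +11679,9 @@
 versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
 "TLSv1.2".
 .PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
+.PP
 Example:
 .PP
 .nf
@@ -11697,6 +11711,9 @@
 and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
 versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
 "TLSv1.2".
+.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
 .PP
 To include a protocol list its name, to exclude it, prefix the name
 with a "!" character. To exclude SSLv2 for opportunistic TLS set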
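--- postfix-3.3.1/proto/postconf.proto
+++ postfix-3.3.2/proto/postconf.proto
@@ -11208,6 +11210,9 @@
 "SSLv3"). The latest patch levels of Postfix ≥ 2.6, and all
 versions of Postfix ≥ 2.10 can explicitly disable support for
 "TLSv1.1" or "TLSv1.2".
+
+ OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
 
 At the dane and
 dane-only security
@@ -11405,6 +11411,9 @@
 disabled. The latest patch levels of Postfix ≥ 2.6, and all
 versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
 "TLSv1.2".
+
+ OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
 
 Example:
 
@@ -12561,6 +12573,9 @@
 and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all
 versions of Postfix ≥ 2.10 can explicitly disable support for
 "TLSv1.1" or "TLSv1.2"
+
+ OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
 
 To include a protocol list its name, to exclude it, prefix the name
 with a "!" character. To exclude SSLv2 for opportunistic TLS set
@@ -12593,6 +12609,9 @@
 and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all
 versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
 "TLSv1.2".
+
+ OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
 
 To include a protocol list its name, to exclude it, prefix the name
 with a "!" character. To exclude SSLv2 for opportunistic TLS set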
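--- postfix-3.3.1/src/tls/tls.h
+++ postfix-3.3.2/src/tls/tls.h
@@ -372,10 +415,15 @@
 #define SSL_OP_NO_TLSv1_2 0L /* Noop */
 #endif
 
-#ifdef SSL_TXT_TLSV1_3
+ /*
+ * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our
+ * own.
+ */
+#define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3"
+
+#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)
 #define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */
 #else
-#define SSL_TXT_TLSV1_3 "TLSv1.3"
 #define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */
 #undef SSL_OP_NO_TLSv1_3
 #define SSL_OP_NO_TLSv1_3 0L /* Noop */
@@ -383,7 +431,7 @@
 
 #define TLS_KNOWN_PROTOCOLS \
 ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
- | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
+ | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 )
 #define TLS_SSL_OP_PROTOMASK(m) \
 ((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
 | (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \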
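Review bot: The `#else` fallback in the first hunk leaves `TLS_PROTOCOL_TLSv1_3` at 0 and makes `SSL_OP_NO_TLSv1_3` a no-op, yet nothing next to it says that "TLSv1.3" then maps to an empty mask, so `!TLSv1.3` is parsed but sets no option bit. That is harmless when the linked library has no TLS 1.3 either, but if the runtime library is newer than the build headers (an assumption, not something these lines show) the exclusion would be ignored without any warning. I would document it at the fallback, e.g. `/* No TLS 1.3 in the build headers: "!TLSv1.3" is accepted but has no effect. */`. The second hunk adds `TLS_PROTOCOL_TLSv1_3` to `TLS_KNOWN_PROTOCOLS`, but `TLS_SSL_OP_PROTOMASK` continues past the hunk, so it is worth confirming that it has a matching `SSL_OP_NO_TLSv1_3` arm. The conditional's `#endif` also lies outside the hunk.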
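--- postfix-3.3.1/src/tls/tls_misc.c
+++ postfix-3.3.2/src/tls/tls_misc.c
@@ -279,7 +306,7 @@
 SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
 SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
 SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
- SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
+ TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
 0, TLS_PROTOCOL_INVALID,
 };
 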