--- postfix-3.3.1/man/man5/postconf.5 +++ postfix-3.3.2/man/man5/postconf.5 @@ -8076,6 +8077,9 @@ "SSLv3"). The latest patch levels of Postfix >= 2.6, and all versions of Postfix >= 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2". +.PP +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +this can be disabled, if need be, via "!TLSv1.3". .PP At the dane and dane\-only security @@ -8391,6 +8397,9 @@ and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions of Postfix >= 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2" +.PP +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +this can be disabled, if need be, via "!TLSv1.3". .PP To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set @@ -11669,6 +11679,9 @@ versions of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2". .PP +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +this can be disabled, if need be, via "!TLSv1.3". +.PP Example: .PP .nf @@ -11697,6 +11711,9 @@ and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2". +.PP +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +this can be disabled, if need be, via "!TLSv1.3". .PP To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set --- postfix-3.3.1/proto/postconf.proto +++ postfix-3.3.2/proto/postconf.proto @@ -11208,6 +11210,9 @@ "SSLv3"). The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".

+ +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +this can be disabled, if need be, via "!TLSv1.3".

At the dane and dane-only security @@ -11405,6 +11411,9 @@ disabled. The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

+ +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +this can be disabled, if need be, via "!TLSv1.3".

Example:

@@ -12561,6 +12573,9 @@ and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2"

+ +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +this can be disabled, if need be, via "!TLSv1.3".

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set @@ -12593,6 +12609,9 @@ and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

+ +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +this can be disabled, if need be, via "!TLSv1.3".

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set --- postfix-3.3.1/src/tls/tls.h +++ postfix-3.3.2/src/tls/tls.h @@ -372,10 +415,15 @@ #define SSL_OP_NO_TLSv1_2 0L /* Noop */ #endif -#ifdef SSL_TXT_TLSV1_3 + /* + * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our + * own. + */ +#define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3" + +#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3) #define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */ #else -#define SSL_TXT_TLSV1_3 "TLSv1.3" #define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */ #undef SSL_OP_NO_TLSv1_3 #define SSL_OP_NO_TLSv1_3 0L /* Noop */ @@ -383,7 +431,7 @@ #define TLS_KNOWN_PROTOCOLS \ ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \ - | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 ) + | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 ) #define TLS_SSL_OP_PROTOMASK(m) \ ((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \ | (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \ --- postfix-3.3.1/src/tls/tls_misc.c +++ postfix-3.3.2/src/tls/tls_misc.c @@ -279,7 +306,7 @@ SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1, SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1, SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2, - SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3, + TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3, 0, TLS_PROTOCOL_INVALID, };
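Review bot: In the `#else` branch of the new `#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)` guard in tls.h, `TLS_PROTOCOL_TLSv1_3` is 0 and `SSL_OP_NO_TLSv1_3` is forced to `0L`, but the added comment only explains the text macro. On such a build a configured "!TLSv1.3" is presumably still accepted through the name table while changing nothing. I would say so next to the guard, e.g. `/* Without both TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 the library is treated as lacking TLS 1.3; "!TLSv1.3" is then a no-op. */`. An operator who excludes TLS 1.3 for policy or interoperability reasons should be able to tell from the header when that exclusion is not enforced. The closing `#endif` of this conditional lies outside the hunk.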
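Review bot: Adding `TLS_PROTOCOL_TLSv1_3` to `TLS_KNOWN_PROTOCOLS` in the second tls.h hunk only has an effect if `TLS_SSL_OP_PROTOMASK(m)` also maps that bit to `SSL_OP_NO_TLSv1_3`. The hunk shows only the SSLv2 and SSLv3 terms of that macro, and the rest of it is outside the hunk. Please confirm the macro carries a term of the form `| (((m) & TLS_PROTOCOL_TLSv1_3) ? SSL_OP_NO_TLSv1_3 : 0L)`. Without it, "!TLSv1.3" would be recognised as a known protocol yet never reach the SSL options, so the documented way to disable TLS 1.3 would silently do nothing.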