[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.9.2.html]

Postfix stable release 2.9.2, and legacy releases 2.8.10, 2.7.9,
2.6.15 are available. They contain workarounds that are already
part of Postfix 2.10.

These releases add support to turn off the TLSv1.1 and TLSv1.2
protocols. Introduced with OpenSSL version 1.0.1, these protocols
are known to cause interoperability problems, for example with
some hotmail services.

The radical workaround is to temporarily turn off problematic
protocols globally:

    /etc/postfix/main.cf:
        smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
        smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

        smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
        smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

However, it may be better to temporarily turn off problematic
protocols for broken sites only:

    /etc/postfix/main.cf:
        smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

    /etc/postfix/tls_policy:
        example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2

Notes:

  * Note the use of ":" instead of comma or space. Also, note that
    there is NO space around the "=" in "protocols=".

  * The smtp_tls_policy_maps lookup key must match the "next-hop"
    destination that is given to the Postfix SMTP client. If you
    override the next-hop destination with transport_maps, relayhost,
    sender_dependent_relayhost_maps, or otherwise, you need to
    specify the same destination for the smtp_tls_policy_maps lookup
    key.
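As an added illustration (not part of this announcement or of Postfix itself), the following script lints a tls_policy source file for the two pitfalls noted above: it flags "protocols=" values that use commas or spaces instead of ":", flags tokens that are not name=value (which is what a space around "=" produces), and reports lookup keys that match none of the next-hop destinations you expect the SMTP client to use. The sample policy text and the next-hop set are constructed; the next-hop comparison is a simplified exact-string match and does not model Postfix's own lookup rules.

```python
"""Lint a Postfix smtp_tls_policy_maps source file (added example)."""

# Constructed sample: one correct entry followed by two broken ones.
SAMPLE_POLICY = """\
# per-site TLS policy (constructed sample)
example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
broken.example      may protocols=!SSLv2, !TLSv1.1, !TLSv1.2
spaced.example      may protocols = !SSLv2:!TLSv1.1
"""


def lint_tls_policy(text, next_hops):
    """Return (entries, warnings).

    entries: {lookup_key: (level, {attr: value})}
    next_hops: set of next-hop destination strings the Postfix SMTP
    client will look up (assumption: exact string comparison only).
    """
    entries, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        fields = line.split()
        if len(fields) < 2:
            warnings.append(f"line {lineno}: missing policy level")
            continue
        key, level, attrs = fields[0], fields[1], {}
        for tok in fields[2:]:
            if "=" not in tok or tok.startswith("="):
                # A bare token means a space around '=' or a ',' / ' '
                # separated protocol list that got split by whitespace.
                warnings.append(f"line {lineno}: '{tok}' is not name=value "
                                "(no spaces around '=', ':' between protocols)")
                continue
            name, value = tok.split("=", 1)
            if name == "protocols" and ("," in value or not value):
                warnings.append(f"line {lineno}: protocols= must separate "
                                "protocol names with ':'")
            attrs[name] = value
        entries[key] = (level, attrs)
    for key in entries:
        if key not in next_hops:
            warnings.append(f"key '{key}' matches no next-hop destination")
    return entries, warnings


if __name__ == "__main__":
    hops = {"example.com", "broken.example", "spaced.example"}
    for warning in lint_tls_policy(SAMPLE_POLICY, hops)[1]:
        print(warning)
```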

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

        Wietse
