On Wed, Apr 25, 2012 at 06:25:06AM -0500, Noel Jones wrote:

> On 4/25/2012 4:07 AM, Mark Alan wrote:
> 
> > While the postfix updates do not get into each distribution's
> > repositories, should we use the following?
> > 
> > postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
> > postconf -e 'smtp_tls_protocols = !SSLv2, !TLSv1.2'
> 
> It seems this is a reasonable setting for sites that have upgraded
> both openssl and postfix to latest versions.
> 
> Unfortunately, the !TLSv1.2 option will give an "unknown protocol"
> error unless BOTH your postfix knows about that option, AND postfix
> is linked with an openssl version that has that option.  End result
> is this can't be a global postfix default setting, and can't be used
> on older postfix versions.  There is no workaround for this.

This is not nearly so dire. Very few users are using OpenSSL 1.0.1
or 1.0.1a. Most OS distributions are still on 0.9.8x or 1.0.0.

By the time these distributions upgrade to 1.0.1a and ship a Postfix
linked with that OpenSSL version, perhaps the interoperability
issues will be resolved in either OpenSSL, the problem peers, or
both.

So the work-around is not a suitable Postfix default setting; it
is just a work-around, and as such needs to be applied only by
the brave souls (running bleeding edge OpenSSL libraries) who
need it.

I'm (slowly, not much time for this) working on a general mechanism
to allow disabling of *future* TLS versions, without new Postfix
code, but this may well not be needed for a decade or more. There
is not much evidence of a TLS 1.3 in the making, and standards
groups take years to produce a new standard, and further years elapse
before these standards are implemented.

The immediate work-around is sufficient for a long time, and I
expect that the interoperability issues in TLS will be addressed
by the major platforms.
 
-- 
        Viktor.

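The point of the exchange above is that `!TLSv1.2` is only a valid token on a host whose OpenSSL (and Postfix) actually know TLS 1.2, so the work-around has to be applied selectively rather than as a blanket default. Below is an added example script (not from the thread or the Postfix project) that gates the two `postconf -e` lines on the `openssl version` string. It assumes that TLS 1.2 support first appeared in OpenSSL 1.0.1, so any older library has no TLSv1.2 to exclude and gets the plain `!SSLv2` list instead. It checks only the OpenSSL side; Postfix itself must also recognise the token, so after a reload watch the mail log for the "unknown protocol" error mentioned above, and try this on a non-production host first. The sample version strings used in the functions' comments are constructed inputs.

```shell
#!/bin/sh
# Added example: only write the "!TLSv1.2" work-around into main.cf on
# hosts whose OpenSSL knows TLS 1.2.
#
# Assumption (not stated in the thread): TLS 1.2 support first shipped in
# OpenSSL 1.0.1, so 0.9.8x and 1.0.0x builds would reject the token as an
# unknown protocol.

# Turn an "openssl version" string such as "OpenSSL 1.0.1a 19 Apr 2012"
# into one comparable integer: major*10000 + minor*100 + fix.
# The trailing patch letter ("a" in 1.0.1a) is ignored.
openssl_version_num() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')   # e.g. "1.0.1a"
    if [ -z "$ver" ]; then
        echo 0                                         # unparsable: treat as old
        return
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    fix=${rest#*.}
    fix=$(printf '%s\n' "$fix" | sed 's/[^0-9].*$//')  # "1a" -> "1"
    echo $(( major * 10000 + minor * 100 + fix ))
}

# True (exit 0) when the given version string is OpenSSL 1.0.1 or newer.
openssl_has_tls12() {
    [ "$(openssl_version_num "$1")" -ge 10001 ]
}

# Print the protocol exclusion list to use for this OpenSSL version:
# the work-around from the thread when the library knows TLS 1.2,
# otherwise only the SSLv2 exclusion, which every build understands.
tls_protocol_list() {
    if openssl_has_tls12 "$1"; then
        echo '!SSLv2, !TLSv1.2'
    else
        echo '!SSLv2'
    fi
}

# Write the chosen list into main.cf for both the server (smtpd_) and
# client (smtp_) side. Runs only when the script is invoked with --apply,
# so sourcing the file for its functions has no side effects.
apply_tls_protocols() {
    list=$(tls_protocol_list "$(openssl version)")
    postconf -e "smtpd_tls_protocols = $list"
    postconf -e "smtp_tls_protocols = $list"
    echo "applied: $list"
}

if [ "${1:-}" = "--apply" ]; then
    apply_tls_protocols
fi
```

Run it as `sh tls_protocols.sh --apply` (as root) and then reload Postfix. The version check reads the `openssl` command-line tool's version, which on a distribution package normally matches the library Postfix is linked against; if you build Postfix against a separate OpenSSL, pass that library's version string to `tls_protocol_list` instead.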