Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Resolve conflicts from last import.

Browse Source
This commit is contained in:
tron 2012-06-09 11:32:19 +00:00
parent b26355a362
commit 03f0339393
12 changed files with 208 additions and 106 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
external/ibm-public/postfix/dist/README_FILES/TLS_README vendored
View File

@ -542,11 +542,17 @@ The "smtpd_tls_ciphers" configuration parameter (Postfix >= 2.6) provides
control over the minimum cipher grade for opportunistic TLS. With Postfix <
2.6, the minimum opportunistic TLS cipher grade is always "export".
With mandatory TLS encryption, the Postfix SMTP server will by default only use
SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The
mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols
configuration parameter. The corresponding smtpd_tls_protocols parameter
(Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
With mandatory TLS encryption, the Postfix SMTP server will by default disable
SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
protocol list is specified via the smtpd_tls_mandatory_protocols configuration
parameter. The corresponding smtpd_tls_protocols parameter (Postfix >= 2.6)
controls the SSL/TLS protocols used with opportunistic TLS.
Note that the OpenSSL library only supports protocol exclusion (not inclusion).
For this reason, Postfix can exclude only protocols that are known at the time
the Postfix software is written. If new protocols are added to the OpenSSL
library, they cannot be excluded without corresponding changes to the Postfix
source code.
For a server that is not a public Internet MX host, Postfix (>= 2.3) supports
configurations with no server certificates that use oonnllyy the anonymous ciphers.
@ -561,9 +567,10 @@ Example, MSA that requires TLSv1, not SSLv2 or SSLv3, with high grade ciphers:
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = TLSv1
# Also available with Postfix >= 2.5:
# Preferred form with Postfix >= 2.5:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Alternative form.
smtpd_tls_mandatory_protocols = TLSv1
If you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH)
key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead
@ -594,9 +601,9 @@ Examples:
smtpd_tls_eecdh_grade = strong
Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS
servers to preempt the TLS client's cipher preference list. This is only
possible with SSLv3, as in SSLv2 the client chooses the cipher from a list
supplied by the server.
servers to preempt the TLS client's cipher preference list. This is possible
only with SSLv3 and later, as in SSLv2 the client chooses the cipher from a
list supplied by the server.
By default, the OpenSSL server selects the client's most preferred cipher that
the server supports. With SSLv3 and later, the server may choose its own most
@ -1048,9 +1055,9 @@ policy settings.
Examples:
In the example below, traffic to example.com and its sub-domains via the
corresponding MX hosts always uses TLS. The protocol version will be "SSLv3" or
"TLSv1" (the default setting of smtp_tls_mandatory_protocols excludes "SSLv2").
Only high or medium strength (i.e. 128 bit or better) ciphers will be used by
corresponding MX hosts always uses TLS. The SSLv2 protocol will be disabled
(the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). Only
high- or medium-strength (i.e. 128 bit or better) ciphers will be used by
default for all "encrypt" security level sessions.
/etc/postfix/main.cf:
@ -1714,11 +1721,11 @@ The "smtp_tls_ciphers" configuration parameter (Postfix >= 2.6) provides
control over the minimum cipher grade for opportunistic TLS. With Postfix <
2.6, the minimum opportunistic TLS cipher grade is always "export".
With mandatory TLS encryption, the Postfix SMTP client will by default only use
SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The
mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols
configuration parameter. The corresponding smtp_tls_protocols parameter
(Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
With mandatory TLS encryption, the Postfix SMTP client will by default disable
SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
protocol list is specified via the smtp_tls_mandatory_protocols configuration
parameter. The corresponding smtp_tls_protocols parameter (Postfix >= 2.6)
controls the SSL/TLS protocols used with opportunistic TLS.
Example:
@ -1726,9 +1733,10 @@ Example:
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = RC4, MD5
smtp_tls_exclude_ciphers = aNULL
smtp_tls_mandatory_protocols = SSLv3, TLSv1
# Also available with Postfix >= 2.5:
# Preferred form with Postfix >= 2.5:
smtp_tls_mandatory_protocols = !SSLv2
# Alternative form.
smtp_tls_mandatory_protocols = SSLv3, TLSv1
# Also available with Postfix >= 2.6:
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2

30
external/ibm-public/postfix/dist/html/TLS_README.html vendored
View File

@ -790,12 +790,18 @@ Postfix &lt; 2.6, the minimum opportunistic TLS cipher grade is always
"export". </p>
<p> With mandatory TLS encryption, the Postfix SMTP server will by
default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
default disable SSLv2. SSLv2 is used only when TLS encryption
is optional. The mandatory TLS protocol list is specified via the
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> configuration parameter. The
corresponding <a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> parameter (Postfix &ge; 2.6)
controls the SSL/TLS protocols used with opportunistic TLS. </p>
<p> Note that the OpenSSL library only supports protocol exclusion
(not inclusion). For this reason, Postfix can exclude only protocols
that are known at the time the Postfix software is written. If new
protocols are added to the OpenSSL library, they cannot be excluded
without corresponding changes to the Postfix source code. </p>
<p> For a server that is not a public Internet MX host, Postfix (&ge; 2.3)
supports configurations with no <a href="#server_cert_key">server
certificates</a> that use <b>only</b> the anonymous ciphers. This is
@ -813,9 +819,10 @@ ciphers: </p>
<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> = high
<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL, MD5
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = TLSv1
# Also available with Postfix &ge; 2.5:
# Preferred form with Postfix &ge; 2.5:
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
# Alternative form.
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = TLSv1
</pre>
</blockquote>
@ -859,8 +866,8 @@ secure for most situations. </p>
<p> Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later
allows TLS servers to preempt the TLS client's cipher preference list.
This is only possible with SSLv3, as in SSLv2 the client chooses the
cipher from a list supplied by the server. </p>
This is possible only with SSLv3 and later, as in SSLv2 the client
chooses the cipher from a list supplied by the server. </p>
<p> By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server
@ -1455,9 +1462,9 @@ should use the new TLS policy settings. </p>
<p> Examples: </p>
<p> In the example below, traffic to <i>example.com</i> and its sub-domains
via the corresponding MX hosts always uses TLS. The protocol version will be
"SSLv3" or "TLSv1" (the default setting of <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or
via the corresponding MX hosts always uses TLS. The SSLv2 protocol
will be disabled (the default setting of <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or
better) ciphers will be used by default for all "encrypt" security
level sessions. </p>
@ -2306,7 +2313,7 @@ Postfix &lt; 2.6, the minimum opportunistic TLS cipher grade is always
"export". </p>
<p> With mandatory TLS encryption, the Postfix SMTP client will by
default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
default disable SSLv2. SSLv2 is used only when TLS encryption
is optional. The mandatory TLS protocol list is specified via the
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> configuration parameter. The corresponding
<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> parameter (Postfix &ge; 2.6) controls
@ -2320,9 +2327,10 @@ the SSL/TLS protocols used with opportunistic TLS. </p>
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> = medium
<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> = RC4, MD5
<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = aNULL
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = SSLv3, TLSv1
# Also available with Postfix &ge; 2.5:
# Preferred form with Postfix &ge; 2.5:
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2
# Alternative form.
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = SSLv3, TLSv1
# Also available with Postfix &ge; 2.6:
<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> = export
<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2

57
external/ibm-public/postfix/dist/html/postconf.5.html vendored
View File

@ -4582,7 +4582,7 @@ configuration parameter. See there for details. </p>
</DD>
<DT><b><a name="lmtp_tls_mandatory_protocols">lmtp_tls_mandatory_protocols</a>
(default: SSLv3, TLSv1)</b></DT><DD>
(default: !SSLv2)</b></DT><DD>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
configuration parameter. See there for details. </p>
@ -10692,7 +10692,7 @@ attribute. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_ma
</DD>
<DT><b><a name="smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
(default: SSLv3, TLSv1)</b></DT><DD>
(default: !SSLv2)</b></DT><DD>
<p> List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption. In <a href="postconf.5.html">main.cf</a> the values are separated by
@ -10701,12 +10701,19 @@ whitespace, commas or colons. In the policy table "protocols" attribute
empty value means allow all protocols. The valid protocol names, (see
<b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and "TLSv1". </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> With Postfix &ge; 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting
"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2". To exclude both SSLv2 and
SSLv3 set "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still
supported; use the form you find more intuitive. </p>
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that by
@ -10719,9 +10726,10 @@ and higher. </p>
<p> Example: </p>
<pre>
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = TLSv1
# Alternative form with Postfix &ge; 2.5:
# Preferred form with Postfix &ge; 2.5:
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
# Alternative form.
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = TLSv1
</pre>
<p> This feature is available in Postfix 2.3 and later. </p>
@ -10977,14 +10985,18 @@ separator is colon. An empty value means allow all protocols. The valid
protocol names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3"
and "TLSv1". </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms
for excluding protocols not known at compile-time. If Postfix is linked
against an OpenSSL library that supports additional protocol versions,
they cannot be excluded using either syntax. </p>
include, rather than protocols to exclude, is supported, but not
recommended. The exclusion form more closely matches the behaviour
when the OpenSSL library is newer than Postfix. </p>
<p> Example: </p>
<pre>
@ -14436,7 +14448,7 @@ works in addition to the exclusions listed with <a href="postconf.5.html#smtpd_t
</DD>
<DT><b><a name="smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>
(default: SSLv3, TLSv1)</b></DT><DD>
(default: !SSLv2)</b></DT><DD>
<p> The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption. If the list is empty, the server supports all
@ -14445,12 +14457,19 @@ of protocol
names separated by whitespace, commas or colons. The supported protocol
names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> With Postfix &ge; 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting
"<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2". To exclude both SSLv2 and
SSLv3 set "<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still
supported, use the form you find more intuitive. </p>
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that
@ -14484,14 +14503,18 @@ names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and
"TLSv1". In <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> table entries, "protocols" attribute
values are separated by a colon. </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms
for excluding protocols not known at compile-time. If Postfix is linked
against an OpenSSL library that supports additional protocol versions,
they cannot be excluded using either syntax. </p>
include, rather than protocols to exclude, is supported, but not
recommended. The exclusion form more closely matches the behaviour
when the OpenSSL library is newer than Postfix. </p>
<p> Example: </p>
<pre>

57
external/ibm-public/postfix/dist/man/man5/postconf.5 vendored
View File

@ -1,4 +1,4 @@
.\" $NetBSD: postconf.5,v 1.8 2011/07/31 10:05:04 tron Exp $
.\" $NetBSD: postconf.5,v 1.9 2012/06/09 11:32:19 tron Exp $
.\"
.TH POSTCONF 5
.SH NAME
@ -2487,7 +2487,7 @@ The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
configuration parameter. See there for details.
.PP
This feature is available in Postfix 2.3 and later.
.SH lmtp_tls_mandatory_protocols (default: SSLv3, TLSv1)
.SH lmtp_tls_mandatory_protocols (default: !SSLv2)
The LMTP-specific version of the smtp_tls_mandatory_protocols
configuration parameter. See there for details.
.PP
@ -6361,7 +6361,7 @@ specified on a per-destination basis via the TLS policy "exclude"
attribute. See smtp_tls_policy_maps for notes and examples.
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_mandatory_protocols (default: SSLv3, TLSv1)
.SH smtp_tls_mandatory_protocols (default: !SSLv2)
List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption. In main.cf the values are separated by
whitespace, commas or colons. In the policy table "protocols" attribute
@ -6369,12 +6369,18 @@ whitespace, commas or colons. In the policy table "protocols" attribute
empty value means allow all protocols. The valid protocol names, (see
\\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1".
.PP
Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled.
.PP
With Postfix >= 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting
"smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still
supported; use the form you find more intuitive.
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
.PP
Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that by
@ -6389,9 +6395,10 @@ Example:
.nf
.na
.ft C
smtp_tls_mandatory_protocols = TLSv1
# Alternative form with Postfix >= 2.5:
# Preferred form with Postfix >= 2.5:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# Alternative form.
smtp_tls_mandatory_protocols = TLSv1
.fi
.ad
.ft R
@ -6624,14 +6631,18 @@ separator is colon. An empty value means allow all protocols. The valid
protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3"
and "TLSv1".
.PP
Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled.
.PP
To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms
for excluding protocols not known at compile-time. If Postfix is linked
against an OpenSSL library that supports additional protocol versions,
they cannot be excluded using either syntax.
include, rather than protocols to exclude, is supported, but not
recommended. The exclusion form more closely matches the behaviour
when the OpenSSL library is newer than Postfix.
.PP
Example:
.nf
@ -9211,7 +9222,7 @@ works in addition to the exclusions listed with smtpd_tls_exclude_ciphers
(see there for syntax details).
.PP
This feature is available in Postfix 2.3 and later.
.SH smtpd_tls_mandatory_protocols (default: SSLv3, TLSv1)
.SH smtpd_tls_mandatory_protocols (default: !SSLv2)
The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption. If the list is empty, the server supports all
available SSL/TLS protocol versions. A non-empty value is a list
@ -9219,12 +9230,18 @@ of protocol
names separated by whitespace, commas or colons. The supported protocol
names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
.PP
Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled.
.PP
With Postfix >= 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting
"smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still
supported, use the form you find more intuitive.
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
.PP
Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that
@ -9256,14 +9273,18 @@ names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and
"TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
values are separated by a colon.
.PP
Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled.
.PP
To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms
for excluding protocols not known at compile-time. If Postfix is linked
against an OpenSSL library that supports additional protocol versions,
they cannot be excluded using either syntax.
include, rather than protocols to exclude, is supported, but not
recommended. The exclusion form more closely matches the behaviour
when the OpenSSL library is newer than Postfix.
.PP
Example:
.nf

30
external/ibm-public/postfix/dist/proto/TLS_README.html vendored
View File

@ -790,12 +790,18 @@ Postfix &lt; 2.6, the minimum opportunistic TLS cipher grade is always
"export". </p>
<p> With mandatory TLS encryption, the Postfix SMTP server will by
default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
default disable SSLv2. SSLv2 is used only when TLS encryption
is optional. The mandatory TLS protocol list is specified via the
smtpd_tls_mandatory_protocols configuration parameter. The
corresponding smtpd_tls_protocols parameter (Postfix &ge; 2.6)
controls the SSL/TLS protocols used with opportunistic TLS. </p>
<p> Note that the OpenSSL library only supports protocol exclusion
(not inclusion). For this reason, Postfix can exclude only protocols
that are known at the time the Postfix software is written. If new
protocols are added to the OpenSSL library, they cannot be excluded
without corresponding changes to the Postfix source code. </p>
<p> For a server that is not a public Internet MX host, Postfix (&ge; 2.3)
supports configurations with no <a href="#server_cert_key">server
certificates</a> that use <b>only</b> the anonymous ciphers. This is
@ -813,9 +819,10 @@ ciphers: </p>
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = TLSv1
# Also available with Postfix &ge; 2.5:
# Preferred form with Postfix &ge; 2.5:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Alternative form.
smtpd_tls_mandatory_protocols = TLSv1
</pre>
</blockquote>
@ -859,8 +866,8 @@ secure for most situations. </p>
<p> Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later
allows TLS servers to preempt the TLS client's cipher preference list.
This is only possible with SSLv3, as in SSLv2 the client chooses the
cipher from a list supplied by the server. </p>
This is possible only with SSLv3 and later, as in SSLv2 the client
chooses the cipher from a list supplied by the server. </p>
<p> By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server
@ -1455,9 +1462,9 @@ should use the new TLS policy settings. </p>
<p> Examples: </p>
<p> In the example below, traffic to <i>example.com</i> and its sub-domains
via the corresponding MX hosts always uses TLS. The protocol version will be
"SSLv3" or "TLSv1" (the default setting of smtp_tls_mandatory_protocols
excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or
via the corresponding MX hosts always uses TLS. The SSLv2 protocol
will be disabled (the default setting of smtp_tls_mandatory_protocols
excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or
better) ciphers will be used by default for all "encrypt" security
level sessions. </p>
@ -2306,7 +2313,7 @@ Postfix &lt; 2.6, the minimum opportunistic TLS cipher grade is always
"export". </p>
<p> With mandatory TLS encryption, the Postfix SMTP client will by
default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
default disable SSLv2. SSLv2 is used only when TLS encryption
is optional. The mandatory TLS protocol list is specified via the
smtp_tls_mandatory_protocols configuration parameter. The corresponding
smtp_tls_protocols parameter (Postfix &ge; 2.6) controls
@ -2320,9 +2327,10 @@ the SSL/TLS protocols used with opportunistic TLS. </p>
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = RC4, MD5
smtp_tls_exclude_ciphers = aNULL
smtp_tls_mandatory_protocols = SSLv3, TLSv1
# Also available with Postfix &ge; 2.5:
# Preferred form with Postfix &ge; 2.5:
smtp_tls_mandatory_protocols = !SSLv2
# Alternative form.
smtp_tls_mandatory_protocols = SSLv3, TLSv1
# Also available with Postfix &ge; 2.6:
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2

57
external/ibm-public/postfix/dist/proto/postconf.proto vendored
View File

@ -10378,7 +10378,7 @@ configurations in environments where DNS security is not assured. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
%PARAM smtp_tls_mandatory_protocols SSLv3, TLSv1
%PARAM smtp_tls_mandatory_protocols !SSLv2
<p> List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption. In main.cf the values are separated by
@ -10387,12 +10387,19 @@ whitespace, commas or colons. In the policy table "protocols" attribute
empty value means allow all protocols. The valid protocol names, (see
<b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and "TLSv1". </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> With Postfix &ge; 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting
"smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still
supported; use the form you find more intuitive. </p>
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that by
@ -10405,9 +10412,10 @@ TLS_README for more information about security levels. </p>
<p> Example: </p>
<pre>
smtp_tls_mandatory_protocols = TLSv1
# Alternative form with Postfix &ge; 2.5:
# Preferred form with Postfix &ge; 2.5:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# Alternative form.
smtp_tls_mandatory_protocols = TLSv1
</pre>
<p> This feature is available in Postfix 2.3 and later. </p>
@ -10535,7 +10543,7 @@ configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
%PARAM lmtp_tls_mandatory_protocols SSLv3, TLSv1
%PARAM lmtp_tls_mandatory_protocols !SSLv2
<p> The LMTP-specific version of the smtp_tls_mandatory_protocols
configuration parameter. See there for details. </p>
@ -10556,7 +10564,7 @@ configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
%PARAM smtpd_tls_mandatory_protocols SSLv3, TLSv1
%PARAM smtpd_tls_mandatory_protocols !SSLv2
<p> The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption. If the list is empty, the server supports all
@ -10565,12 +10573,19 @@ of protocol
names separated by whitespace, commas or colons. The supported protocol
names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> With Postfix &ge; 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting
"smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is still
supported, use the form you find more intuitive. </p>
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
matches the behaviour when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that
@ -11579,14 +11594,18 @@ separator is colon. An empty value means allow all protocols. The valid
protocol names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3"
and "TLSv1". </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms
for excluding protocols not known at compile-time. If Postfix is linked
against an OpenSSL library that supports additional protocol versions,
they cannot be excluded using either syntax. </p>
include, rather than protocols to exclude, is supported, but not
recommended. The exclusion form more closely matches the behaviour
when the OpenSSL library is newer than Postfix. </p>
<p> Example: </p>
<pre>
@ -11609,14 +11628,18 @@ names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and
"TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
values are separated by a colon. </p>
<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
and "TLSv1.2". If an older Postfix version is linked against OpenSSL
1.0.1 or later, these, or any other new protocol versions, are
unconditionally enabled. </p>
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, is supported, but not recommended. OpenSSL provides no mechanisms
for excluding protocols not known at compile-time. If Postfix is linked
against an OpenSSL library that supports additional protocol versions,
they cannot be excluded using either syntax. </p>
include, rather than protocols to exclude, is supported, but not
recommended. The exclusion form more closely matches the behaviour
when the OpenSSL library is newer than Postfix. </p>
<p> Example: </p>
<pre>

8
external/ibm-public/postfix/dist/src/global/mail_params.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: mail_params.h,v 1.7 2011/03/23 19:10:44 tron Exp $ */
/* $NetBSD: mail_params.h,v 1.8 2012/06/09 11:32:20 tron Exp $ */
#ifndef _MAIL_PARAMS_H_INCLUDED_
#define _MAIL_PARAMS_H_INCLUDED_
@ -1251,7 +1251,7 @@ extern char *var_smtpd_tls_CApath;
extern char *var_smtpd_tls_proto;
#define VAR_SMTPD_TLS_MAND_PROTO "smtpd_tls_mandatory_protocols"
#define DEF_SMTPD_TLS_MAND_PROTO "SSLv3, TLSv1"
#define DEF_SMTPD_TLS_MAND_PROTO "!SSLv2"
extern char *var_smtpd_tls_mand_proto;
#define VAR_SMTPD_TLS_CIPH "smtpd_tls_ciphers"
@ -1464,9 +1464,9 @@ extern char *var_smtp_tls_policy;
extern char *var_smtp_tls_proto;
#define VAR_SMTP_TLS_MAND_PROTO "smtp_tls_mandatory_protocols"
#define DEF_SMTP_TLS_MAND_PROTO "SSLv3, TLSv1"
#define DEF_SMTP_TLS_MAND_PROTO "!SSLv2"
#define VAR_LMTP_TLS_MAND_PROTO "lmtp_tls_mandatory_protocols"
#define DEF_LMTP_TLS_MAND_PROTO "SSLv3, TLSv1"
#define DEF_LMTP_TLS_MAND_PROTO "!SSLv2"
extern char *var_smtp_tls_mand_proto;
#define VAR_SMTP_TLS_VFY_CMATCH "smtp_tls_verify_cert_match"

2
external/ibm-public/postfix/dist/src/local/unknown.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: unknown.c,v 1.2 2012/02/17 09:17:22 tron Exp $ */
/* $NetBSD: unknown.c,v 1.3 2012/06/09 11:32:20 tron Exp $ */
/*++
/* NAME

4
external/ibm-public/postfix/dist/src/smtp/smtp.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: smtp.c,v 1.4 2011/03/02 19:56:39 tron Exp $ */
/* $NetBSD: smtp.c,v 1.5 2012/06/09 11:32:20 tron Exp $ */
/*++
/* NAME
@ -350,7 +350,7 @@
/* Optional lookup tables with the Postfix SMTP client TLS security
/* policy by next-hop destination; when a non-empty value is specified,
/* this overrides the obsolete smtp_tls_per_site parameter.
/* .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
/* .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
/* List of SSL/TLS protocols that the Postfix SMTP client will use with
/* mandatory TLS encryption.
/* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"

4
external/ibm-public/postfix/dist/src/smtpd/smtpd.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: smtpd.c,v 1.7 2011/10/28 07:12:17 tron Exp $ */
/* $NetBSD: smtpd.c,v 1.8 2012/06/09 11:32:20 tron Exp $ */
/*++
/* NAME
@ -359,7 +359,7 @@
/* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
/* Additional list of ciphers or cipher types to exclude from the
/* SMTP server cipher list at mandatory TLS security levels.
/* .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
/* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
/* The SSL/TLS protocols accepted by the Postfix SMTP server with
/* mandatory TLS encryption.
/* .IP "\fBsmtpd_tls_received_header (no)\fR"

10
external/ibm-public/postfix/dist/src/tls/tls_client.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: tls_client.c,v 1.4 2011/03/02 19:56:39 tron Exp $ */
/* $NetBSD: tls_client.c,v 1.5 2012/06/09 11:32:20 tron Exp $ */
/*++
/* NAME
@ -785,6 +785,12 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
msg_info("%s: TLS cipher list \"%s\"", props->namaddr, cipher_list);
vstring_sprintf_append(myserverid, "&c=%s", cipher_list);
/*
* Finally, salt the session key with the OpenSSL library version,
* (run-time, rather than compile-time, just in case that matters).
*/
vstring_sprintf_append(myserverid, "&l=%ld", (long) SSLeay());
/*
* Allocate a new TLScontext for the new connection and get an SSL
* structure. Add the location of TLScontext to the SSL to later retrieve
@ -817,6 +823,8 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
if (protomask != 0)
SSL_set_options(TLScontext->con,
((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
| ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
| ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));

7
external/ibm-public/postfix/dist/src/tls/tls_server.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: tls_server.c,v 1.4 2011/03/02 19:56:39 tron Exp $ */
/* $NetBSD: tls_server.c,v 1.5 2012/06/09 11:32:20 tron Exp $ */
/*++
/* NAME
@ -183,9 +183,10 @@ static SSL_SESSION *get_server_session_cb(SSL *ssl, unsigned char *session_id,
#define GEN_CACHE_ID(buf, id, len, service) \
do { \
buf = vstring_alloc(2 * (len) + 1 + strlen(service) + 3); \
buf = vstring_alloc(2 * (len + strlen(service))); \
hex_encode(buf, (char *) (id), (len)); \
vstring_sprintf_append(buf, "&s=%s", (service)); \
vstring_sprintf_append(buf, "&l=%ld", (long) SSLeay()); \
} while (0)
@ -399,6 +400,8 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
if (protomask != 0)
SSL_CTX_set_options(server_ctx,
((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
| ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
| ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));