Re: STARTTLS problems
On Wed, Apr 25, 2012 at 06:25:06AM -0500, Noel Jones wrote:

> On 4/25/2012 4:07 AM, Mark Alan wrote:
> > While the postfix updates do not get into each distribution's
> > repositories, should we use the following?
> > postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
> > postconf -e 'smtp_tls_protocols = !SSLv2, !TLSv1.2'
>
> It seems this is a reasonable setting for sites that have upgraded
> both openssl and postfix to latest versions.
>
> Unfortunately, the !TLSv1.2 option will give an "unknown protocol"
> error unless BOTH your postfix knows about that option, AND postfix
> is linked with an openssl version that has that option. End result
> is this can't be a global postfix default setting, and can't be used
> on older postfix versions. There is no workaround for this.

This is not nearly so dire. Very few users are using OpenSSL 1.0.1
or 1.0.1a. Most OS distributions are still on 0.9.8x or 1.0.0.

By the time these distributions upgrade to 1.0.1a and ship a Postfix
linked with that OpenSSL version, perhaps the interoperability
issues will be resolved in either OpenSSL, the problem peers, or

So the work-around is not a suitable Postfix default setting, it
is just a work-around, and as such needs to be applied only by
the brave souls (running bleeding edge OpenSSL libraries) who

I'm (slowly, not much time for this) working on a general mechanism
to allow disabling of *future* TLS versions, without new Postfix
code, but this may well not be needed for a decade or more; there
is not much evidence of a TLS 1.3 in the making, and standards
groups take years to produce a new standard and further years elapse
before these standards are implemented.

The immediate work-around is sufficient for a long time, and I
expect that the interoperability issues in TLS will be addressed
by the major platforms.
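The thread's caveat is that "!TLSv1.2" is rejected as an "unknown protocol" on a Postfix build whose OpenSSL predates 1.0.1. The following is an added example, not Postfix code and not from anyone in this thread: a small POSIX sh pre-check that parses a Postfix *_tls_protocols value the way the setting is written (comma- or space-separated names, optional leading "!" for exclusion) and refuses to commit it with postconf -e if any name is not in a list of protocol names you say your build understands. The two KNOWN_PROTOCOLS_* lists, the function names and the idea of gating postconf on such a check are all assumptions for illustration; you must fill in the list that matches the OpenSSL your Postfix is actually linked against.

```shell
#!/bin/sh
# Added example (not Postfix's own code): validate a *_tls_protocols
# value against the protocol names this build is assumed to know,
# before committing it with "postconf -e".

# Assumed name lists.  A build against OpenSSL 0.9.8x/1.0.0 has no
# TLSv1.1/TLSv1.2 names; a build against OpenSSL 1.0.1 (with a Postfix
# that knows the names) does.  Adjust to your installation.
KNOWN_PROTOCOLS_OLD="SSLv2 SSLv3 TLSv1"
KNOWN_PROTOCOLS_NEW="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# tls_protocols_check KNOWN VALUE
#   KNOWN: space-separated protocol names the build understands
#   VALUE: a Postfix protocol list such as "!SSLv2, !TLSv1.2"
# Returns 0 when every token names a known protocol, 1 otherwise,
# listing the offending names on stderr (the "unknown protocol" case).
tls_protocols_check() {
    known=$1
    value=$2
    bad=""
    # Postfix accepts commas and/or whitespace as separators.
    for tok in $(printf '%s' "$value" | tr ',' ' '); do
        name=${tok#!}          # strip the exclusion marker
        found=0
        for k in $known; do
            [ "$k" = "$name" ] && found=1
        done
        [ "$found" -eq 1 ] || bad="$bad $name"
    done
    if [ -n "$bad" ]; then
        printf 'unknown protocol(s):%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# safe_postconf_tls PARAM VALUE KNOWN
# Only writes the parameter when the value passes the check above.
# (Hypothetical wrapper; "postconf -e" itself is the real Postfix tool.)
safe_postconf_tls() {
    param=$1
    value=$2
    known=$3
    tls_protocols_check "$known" "$value" || return 1
    postconf -e "$param = $value"
}

# Usage, as in the thread's proposal (only runs if postconf is present):
# safe_postconf_tls smtpd_tls_protocols '!SSLv2, !TLSv1.2' "$KNOWN_PROTOCOLS_NEW"
# safe_postconf_tls smtp_tls_protocols  '!SSLv2, !TLSv1.2' "$KNOWN_PROTOCOLS_NEW"
```

The check covers only the name-parsing half of the thread's "BOTH" condition; it cannot tell you whether the Postfix binary and the OpenSSL it is linked with actually implement TLS 1.2. One way to fill the KNOWN list honestly is to look at the library the daemon loads (for example `ldd "$(postconf -h daemon_directory)/smtpd"`) and the OpenSSL version it reports, then list only the protocol names that version provides.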