~ubuntu-branches/debian/sid/postfix/sid

« back to all changes in this revision

Viewing changes to man/man5/postconf.5

Committer: Package Import Robot
Author(s): LaMont Jones
Date: 2012-05-29 20:15:26 UTC
mfrom: (1.1.35)
Revision ID: package-import@ubuntu.com-20120529201526-kf0ev58ng2j7x1en

Tags: 2.9.3-1

New upstream

files modified:
HISTORY

README_FILES/TLS_README

RELEASE_NOTES

debian/changelog

debian/control

html/TLS_README.html

html/lmtp.8.html

html/postconf.5.html

html/smtp.8.html

html/smtpd.8.html

man/man5/postconf.5

man/man8/smtp.8

man/man8/smtpd.8

proto/TLS_README.html

proto/postconf.proto

src/dnsblog/dnsblog.c

src/global/mail_params.h

src/global/mail_version.h

src/postconf/postconf_user.c

src/postqueue/Makefile.in

src/postqueue/postqueue.c

src/smtp/smtp.c

src/smtpd/smtpd.c

src/tls/tls.h

src/tls/tls_client.c

src/tls/tls_misc.c

src/tls/tls_server.c

src/util/events.c

src/xsasl/xsasl_cyrus.h

src/xsasl/xsasl_cyrus_client.c

src/xsasl/xsasl_cyrus_server.c

Show diffs side-by-side

added added

removed removed

man/man5/postconf.5

2639

configuration parameter. See there for details.

2640

.PP

2641

This feature is available in Postfix 2.3 and later.

2642

.SH lmtp_tls_mandatory_protocols (default: SSLv3, TLSv1)

2642

.SH lmtp_tls_mandatory_protocols (default: !SSLv2)

2643

The LMTP-specific version of the smtp_tls_mandatory_protocols

2644

configuration parameter. See there for details.

2645

.PP

6653

attribute. See smtp_tls_policy_maps for notes and examples.

6654

.PP

6655

This feature is available in Postfix 2.3 and later.

6656

.SH smtp_tls_mandatory_protocols (default: SSLv3, TLSv1)

6656

.SH smtp_tls_mandatory_protocols (default: !SSLv2)

6657

List of SSL/TLS protocols that the Postfix SMTP client will use with

6658

mandatory TLS encryption. In main.cf the values are separated by

6659

whitespace, commas or colons. In the policy table "protocols" attribute

6661

empty value means allow all protocols. The valid protocol names, (see

6662

\\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3" and "TLSv1".

6663

.PP

6664

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"

6665

and "TLSv1.2". If an older Postfix version is linked against OpenSSL

6666

1.0.1 or later, these, or any other new protocol versions, are

6667

unconditionally enabled.

6668

.PP

6664

6669

With Postfix >= 2.5 the parameter syntax is expanded to support

6665

6670

protocol exclusions. One can now explicitly exclude SSLv2 by setting

6666

6671

"smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and

6667

6672

SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing

6668

the protocols to include, rather than protocols to exclude, is still

6669

supported; use the form you find more intuitive.

6673

the protocols to include, rather than protocols to exclude, is

6674

supported, but not recommended. The exclusion form more closely

6675

matches the behaviour when the OpenSSL library is newer than Postfix.

6670

6676

.PP

6671

6677

Since SSL version 2 has known protocol weaknesses and is now

6672

6678

deprecated, the default setting excludes "SSLv2". This means that by

6681

6687

.nf

6682

6688

.na

6683

6689

.ft C

6690

# Preferred form with Postfix >= 2.5:

6691

smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

6692

# Alternative form.

6684

6693

smtp_tls_mandatory_protocols = TLSv1

6685

# Alternative form with Postfix >= 2.5:

6686

smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

6687

6694

.fi

6688

6695

.ad

6689

6696

.ft R

6917

6924

protocol names, (see \\fBfBSSL_get_version\fR(3)\fR), are "SSLv2", "SSLv3"

6918

6925

and "TLSv1".

6919

6926

.PP

6927

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"

6928

and "TLSv1.2". If an older Postfix version is linked against OpenSSL

6929

1.0.1 or later, these, or any other new protocol versions, are

6930

unconditionally enabled.

6931

.PP

6920

6932

To include a protocol list its name, to exclude it, prefix the name

6921

6933

with a "!" character. To exclude SSLv2 even for opportunistic TLS set

6922

6934

"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set

6923

6935

"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to

6924

include, is supported, but not recommended. OpenSSL provides no mechanisms

6925

for excluding protocols not known at compile-time. If Postfix is linked

6926

against an OpenSSL library that supports additional protocol versions,

6927

they cannot be excluded using either syntax.

6936

include, rather than protocols to exclude, is supported, but not

6937

recommended. The exclusion form more closely matches the behaviour

6938

when the OpenSSL library is newer than Postfix.

6928

6939

.PP

6929

6940

Example:

6930

6941

.nf

9554

9565

(see there for syntax details).

9555

9566

.PP

9556

9567

This feature is available in Postfix 2.3 and later.

9557

.SH smtpd_tls_mandatory_protocols (default: SSLv3, TLSv1)

9568

.SH smtpd_tls_mandatory_protocols (default: !SSLv2)

9558

9569

The SSL/TLS protocols accepted by the Postfix SMTP server with

9559

9570

mandatory TLS encryption. If the list is empty, the server supports all

9560

9571

available SSL/TLS protocol versions. A non-empty value is a list

9562

9573

names separated by whitespace, commas or colons. The supported protocol

9563

9574

names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

9564

9575

.PP

9576

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"

9577

and "TLSv1.2". If an older Postfix version is linked against OpenSSL

9578

1.0.1 or later, these, or any other new protocol versions, are

9579

unconditionally enabled.

9580

.PP

9565

9581

With Postfix >= 2.5 the parameter syntax is expanded to support

9566

9582

protocol exclusions. One can now explicitly exclude SSLv2 by setting

9567

9583

"smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and

9568

9584

SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing

9569

the protocols to include, rather than protocols to exclude, is still

9570

supported, use the form you find more intuitive.

9585

the protocols to include, rather than protocols to exclude, is

9586

supported, but not recommended. The exclusion form more closely

9587

matches the behaviour when the OpenSSL library is newer than Postfix.

9571

9588

.PP

9572

9589

Since SSL version 2 has known protocol weaknesses and is now

9573

9590

deprecated, the default setting excludes "SSLv2". This means that

9599

9616

"TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute

9600

9617

values are separated by a colon.

9601

9618

.PP

9619

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"

9620

and "TLSv1.2". If an older Postfix version is linked against OpenSSL

9621

1.0.1 or later, these, or any other new protocol versions, are

9622

unconditionally enabled.

9623

.PP

9602

9624

To include a protocol list its name, to exclude it, prefix the name

9603

9625

with a "!" character. To exclude SSLv2 even for opportunistic TLS set

9604

9626

"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set

9605

9627

"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to

9606

include, is supported, but not recommended. OpenSSL provides no mechanisms

9607

for excluding protocols not known at compile-time. If Postfix is linked

9608

against an OpenSSL library that supports additional protocol versions,

9609

they cannot be excluded using either syntax.

9628

include, rather than protocols to exclude, is supported, but not

9629

recommended. The exclusion form more closely matches the behaviour

9630

when the OpenSSL library is newer than Postfix.

9610

9631

.PP

9611

9632

Example:

9612

9633

.nf

Older »