authorMicah Anderson <micah@leap.se>2013-10-03 13:45:57 -0400
committerMicah Anderson <micah@leap.se>2013-10-06 17:31:16 -0400
commit9acb4a7c2a36f12a5ca71e5c4c74364d344e2c5f (patch)
treef73001d79d4a44b07386928c167982b81c38b8ba
parentf7bb77c38d31021e810b1b55097fa3329bd73ce7 (diff)
only use TLSv1 or later for smtp (Feature #4011)
Disable SSLv2/SSLv3 on the client side of postfix (smtp) and only allow TLSv1 or later. SMTP servers almost universally support TLSv1. There are very few servers that don't (mail to those few would end up being sent in the clear, but the alternative isn't much better). This is unlikely to cause any significant problems. Change-Id: I8f98ba32973537905b71f63b100f41a420b6aa3f
-rw-r--r--puppet/modules/site_postfix/manifests/mx/tls.pp3
1 files changed, 3 insertions, 0 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 3bc7d85b..96cfa911 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -70,6 +70,9 @@ class site_postfix::mx::tls {
value => 'btree:${queue_directory}/smtp_cache';
'smtp_tls_security_level':
value => 'may';
+ # see issue #4011
+ 'smtp_tls_protocols':
+ value => '!SSLv2, !SSLv3';
}
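Review bot: `smtp_tls_protocols` only governs opportunistic TLS, so the exclusion covers the `may` level set just above it. It does not cover a destination raised to `encrypt` or stricter, for example through a TLS policy map if one is configured elsewhere, because those sessions are controlled by `smtp_tls_mandatory_protocols`. If such destinations exist, I would add `'smtp_tls_mandatory_protocols': value => '!SSLv2, !SSLv3';` next to the new entry so both paths refuse SSLv2/SSLv3. The comment `# see issue #4011` could also state the intent in place, e.g. `# refuse SSLv2/SSLv3 for outbound SMTP; peers without TLSv1+ fall back to cleartext under 'may' (issue #4011)`. The resource block opens above this hunk and the class continues past it, so other TLS settings are not visible here.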