author: Micah Anderson <micah@leap.se> 2013-10-03 13:45:57 -0400
committer: Micah Anderson <micah@leap.se> 2013-10-06 17:31:16 -0400
commit: 9acb4a7c2a36f12a5ca71e5c4c74364d344e2c5f
tree: f73001d79d4a44b07386928c167982b81c38b8ba /puppet/modules/site_postfix
parent: f7bb77c38d31021e810b1b55097fa3329bd73ce7
only use TLSv1 or later for smtp (Feature #4011)
Disable on the client-side with postfix (smtp) SSLv2/SSLv3 and only allow for TLSv1 or later

SMTP servers almost universally support TLSv1. There are very few servers that don't (the few that are would result sending in the clear for these, but the alternative isn't much better). This is unlikely to cause any significant problems.

Change-Id: I8f98ba32973537905b71f63b100f41a420b6aa3f
Diffstat (limited to 'puppet/modules/site_postfix')
-rw-r--r-- puppet/modules/site_postfix/manifests/mx/tls.pp 3
1 files changed, 3 insertions, 0 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 3bc7d85b..96cfa911 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -70,6 +70,9 @@ class site_postfix::mx::tls {
value => 'btree:${queue_directory}/smtp_cache';
'smtp_tls_security_level':
value => 'may';
+ # see issue #4011
+ 'smtp_tls_protocols':
+ value => '!SSLv2, !SSLv3';
}
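Review bot: `smtp_tls_protocols` only governs opportunistic TLS, which matches the `'may'` level in the context line above, but nothing in this hunk sets `smtp_tls_mandatory_protocols`, so a destination later moved to a mandatory level (`encrypt` or stricter, globally or through a per-destination policy) would not inherit the `'!SSLv2, !SSLv3'` exclusion. Consider adding `'smtp_tls_mandatory_protocols': value => '!SSLv2, !SSLv3';` beside it so both paths stay consistent. The comment `# see issue #4011` would also be more useful if it stated the effect (SSLv2/SSLv3 disabled for outbound SMTP, with peers that lack TLSv1 falling back to cleartext under `may`, as the commit message notes), since a reader of the manifest will not have the tracker at hand.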