From 9acb4a7c2a36f12a5ca71e5c4c74364d344e2c5f Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Thu, 3 Oct 2013 13:45:57 -0400
Subject: only use TLSv1 or later for smtp (Feature #4011)

Disable on the client-side with postfix (smtp) SSLv2/SSLv3 and only allow for TLSv1 or later

SMTP servers almost universally support TLSv1. There are very few servers that don't (the few that are would result sending in the clear for these, but the alternative isn't much better). This is unlikely to cause any significant problems.

Change-Id: I8f98ba32973537905b71f63b100f41a420b6aa3f
---
 puppet/modules/site_postfix/manifests/mx/tls.pp | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'puppet/modules')

diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 3bc7d85b..96cfa911 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -70,6 +70,9 @@ class site_postfix::mx::tls {
       value => 'btree:${queue_directory}/smtp_cache';
     'smtp_tls_security_level':
       value  => 'may';
+    # see issue #4011
+    'smtp_tls_protocols':
+      value => '!SSLv2, !SSLv3';
   }
 
 
-- 
cgit v1.2.3