Bug#873334: marked as done (postfix: Enable all TLS protocols)

[Debian Bug Tracking System]

Your message dated Fri, 23 Feb 2018 22:50:33 +0000
with message-id <e1epmaj-00053k...@fasolo.debian.org>
and subject line Bug#873334: fixed in postfix 3.3.0-1
has caused the Debian Bug report #873334,
regarding postfix: Enable all TLS protocols
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
873334: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873334
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: postfix
Version: 3.2.2-1
Tags: patch

Hi,

I've attached a patch that overrides the default TLS 1.2 version
in OpenSSL with all the supported TLS versions. Since postfix only
uses this for opportunistic encryption, it should be fine to do
this by default for now.

I assume that at some point postfix upstream will add proper
support for the SSL_CTX_set_min_proto_version() way of setting
the minimum TLS version from the config file, I suggest you use
this patch until that time.


Kurt


--- src/tls/tls_server.c.bak	2017-08-26 18:12:06.356346925 +0200
+++ src/tls/tls_server.c	2017-08-26 18:13:51.550177486 +0200
@@ -517,6 +517,9 @@
     if (protomask != 0)
 	SSL_CTX_set_options(server_ctx, TLS_SSL_OP_PROTOMASK(protomask));
 
+    /* Enable all supported protocols */
+    SSL_CTX_set_min_proto_version(server_ctx, 0);
+
     /*
      * Some sites may want to give the client less rope. On the other hand,
      * this could trigger inter-operability issues, the client should not
--- src/tls/tls_client.c.bak	2017-08-26 18:16:27.578954578 +0200
+++ src/tls/tls_client.c	2017-08-26 18:15:04.300674851 +0200
@@ -375,6 +375,9 @@
     off |= tls_bug_bits();
     SSL_CTX_set_options(client_ctx, off);
 
+    /* Enable all supported protocols */
+    SSL_CTX_set_min_proto_version(client_ctx, 0);
+
     /*
      * Set the call-back routine for verbose logging.
      */

--- End Message ---

--- Begin Message ---

Source: postfix
Source-Version: 3.3.0-1

We believe that the bug you reported is fixed in the latest version of
postfix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated postfix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 23 Feb 2018 03:05:27 -0500
Source: postfix
Binary: postfix postfix-ldap postfix-lmdb postfix-cdb postfix-pcre 
postfix-mysql postfix-pgsql postfix-sqlite postfix-doc
Architecture: source amd64 all
Version: 3.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: LaMont Jones <lam...@debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description:
 postfix    - High-performance mail transport agent
 postfix-cdb - CDB map support for Postfix
 postfix-doc - Documentation for Postfix
 postfix-ldap - LDAP map support for Postfix
 postfix-lmdb - LMDB map support for Postfix
 postfix-mysql - MySQL map support for Postfix
 postfix-pcre - PCRE map support for Postfix
 postfix-pgsql - PostgreSQL map support for Postfix
 postfix-sqlite - SQLite map support for Postfix
Closes: 873334
Changes:
 postfix (3.3.0-1) unstable; urgency=medium
 .
   [Wietse Venema]
 .
   * 3.3.0
 .
   [Scott Kitterman]
 .
   * Remove debian/patches/02_kfreebsd_support.diff - Obsolete
   * Refresh patches
   * Add debian/patches/tls_version.diff to enable all supported TLS versions.
     Closes: #873334
   * Install examples alongside the other documentation in /usr/share/doc/
     postfix/ vice /usr/share/doc/postfix-doc/
Checksums-Sha1:
 b0e81cd8234e7e7a6d46733898afbceb2cc8b3ff 2674 postfix_3.3.0-1.dsc
 424dfdf567998291ad2f2c81466a4dd5834ebee2 4419450 postfix_3.3.0.orig.tar.gz
 5fc4f68fa9e115afb78f110a1693b72d1ea34ad1 193628 postfix_3.3.0-1.debian.tar.xz
 15cf7d308d3489b42c76f616a4fd84a1237806cb 2428 
postfix-cdb-dbgsym_3.3.0-1_amd64.deb
 02f3e1b5020cd278cf0dffd21558f47df76dc8e1 325740 postfix-cdb_3.3.0-1_amd64.deb
 db9171d57ee9d76ba9af8a47baa8f5eb75067863 97400 postfix-dbgsym_3.3.0-1_amd64.deb
 10f0df86d8c09a4d2bc684f1c057d00bb81abcb8 1190740 postfix-doc_3.3.0-1_all.deb
 44a3fa942ef25259a05f615eaaf77d575f8c4379 3116 
postfix-ldap-dbgsym_3.3.0-1_amd64.deb
 21b70238bcdd4c68299553265667c9828f91a6f7 343240 postfix-ldap_3.3.0-1_amd64.deb
 718c6163db1d25fad1c5986a04d7978d7a31c49d 2784 
postfix-lmdb-dbgsym_3.3.0-1_amd64.deb
 9627b457fa9c7cc7242d162b4e9fb4acf824669f 330944 postfix-lmdb_3.3.0-1_amd64.deb
 d541cbf95f5f646b8843bfad5f3c71de6778d02d 2728 
postfix-mysql-dbgsym_3.3.0-1_amd64.deb
 2ed253fe34068178e43ed1cbbf9b2939ed1d8b36 333596 postfix-mysql_3.3.0-1_amd64.deb
 9e8521d2f96549763e2f7a24f6807d22c01b3a25 2528 
postfix-pcre-dbgsym_3.3.0-1_amd64.deb
 13b51df75b30ce5e650e6cbb25a87ff3438e66b3 331432 postfix-pcre_3.3.0-1_amd64.deb
 36e58212201d54a37168db67e6ced5f41d7a20ea 2664 
postfix-pgsql-dbgsym_3.3.0-1_amd64.deb
 3156ef3e893aa0f237cf52610fce45efe1676cfe 332132 postfix-pgsql_3.3.0-1_amd64.deb
 f5cc3a95828c45d4e67da3a3ff98998e138fd498 2488 
postfix-sqlite-dbgsym_3.3.0-1_amd64.deb
 8e7485fbfc8fe29ac8f131d201d1b802b2b26ca9 329188 
postfix-sqlite_3.3.0-1_amd64.deb
 ce3a22a47fe296bbf81d24a6fb9464286e25611f 10918 postfix_3.3.0-1_amd64.buildinfo
 2aa3478807503f20a5d1dde3f56ed64d03f2882b 1450420 postfix_3.3.0-1_amd64.deb
Checksums-Sha256:
 d2ffc084706c9231906c5e37e7e0098c17755dcb970c07e6731d0cf5a84f21f5 2674 
postfix_3.3.0-1.dsc
 7942e89721e30118d7050675b0d976955e3160e21f7898b85a79cac4f4baef39 4419450 
postfix_3.3.0.orig.tar.gz
 0c85625492a646dc574801bfbf17b80fef7219f57a94c2eb85e8afa7ccec6a8f 193628 
postfix_3.3.0-1.debian.tar.xz
 aaa1abb62f63aff59efe0b6c375b544b893ba09721ee52af88b0ce016d63b3f7 2428 
postfix-cdb-dbgsym_3.3.0-1_amd64.deb
 a019a101233fc7cfe88ea1ea7b14ac0359da473fafff54213f77c8bb0c7c6d0d 325740 
postfix-cdb_3.3.0-1_amd64.deb
 64a85a4910689613ac2adff41884f46168766750ba96622fc270b76bfb7afe79 97400 
postfix-dbgsym_3.3.0-1_amd64.deb
 6c60994c83995e227cb00207e9a1f9899ccd39bbb2b8135447d27a6847799061 1190740 
postfix-doc_3.3.0-1_all.deb
 ab2fc61e76668f851f9fbb3f142ad2238c675de92402f48949aadd0130f1efba 3116 
postfix-ldap-dbgsym_3.3.0-1_amd64.deb
 68721f89f125eec88a817ead1d74c76366042479d169538759141796d3351967 343240 
postfix-ldap_3.3.0-1_amd64.deb
 31881d9a4a518f48696404928404955c39ab18424bdd369456c5fe443d0a06c7 2784 
postfix-lmdb-dbgsym_3.3.0-1_amd64.deb
 bba954f0d172a8db4379b4691d2ca7fe67b0480480dd9c3ccf0a31674149e39f 330944 
postfix-lmdb_3.3.0-1_amd64.deb
 c811b5bb967bbedc7c0bc0bffcebccf4ccebddefb8e7ab3a9f84b4f85155ba10 2728 
postfix-mysql-dbgsym_3.3.0-1_amd64.deb
 8cdbdcd0298bf1020e6b2eb424d8480bf3181fc936b310f41bf75e78b1049f1a 333596 
postfix-mysql_3.3.0-1_amd64.deb
 07b8a6d0e3d709fc5faf7d598836e40443be94019737630c18605a6faf3e417f 2528 
postfix-pcre-dbgsym_3.3.0-1_amd64.deb
 ead6e2f53e3af2893a744a3235d301d8e2e598e6253a3259e82185d9caf8dcb4 331432 
postfix-pcre_3.3.0-1_amd64.deb
 f4cf6c4615fb43f25c249397b0c4e3d11d09cfb266854f260cfc4ae75b0fbe70 2664 
postfix-pgsql-dbgsym_3.3.0-1_amd64.deb
 941f4029b3457e90db94fa080789cd1a3435bc534046a7b74d2e6aa67d7fd710 332132 
postfix-pgsql_3.3.0-1_amd64.deb
 1a03ec3cdcbef64369b75e848823db955decf271b684d0d980125f04c26cb09d 2488 
postfix-sqlite-dbgsym_3.3.0-1_amd64.deb
 d19c32fc33027b954b61bb434688d20d936dac3c3a56f65015bb616d3f484109 329188 
postfix-sqlite_3.3.0-1_amd64.deb
 dece80eb05fd122763479e06476a9ce39dae09a302f7c651d1b727ea03368dde 10918 
postfix_3.3.0-1_amd64.buildinfo
 dccab9f57fbc3e64d2f08154058a35e8665d3fd0011372aefd9ab5fee93acc45 1450420 
postfix_3.3.0-1_amd64.deb
Files:
 72406db5ca1c0606321779a6ddcc7dab 2674 mail optional postfix_3.3.0-1.dsc
 26529f3fdb668482176355e90a546a11 4419450 mail optional 
postfix_3.3.0.orig.tar.gz
 ee60aad8b89f755d58f4d285844adddb 193628 mail optional 
postfix_3.3.0-1.debian.tar.xz
 ad244ab9e26e0cca4e2baa981d04e6d8 2428 debug optional 
postfix-cdb-dbgsym_3.3.0-1_amd64.deb
 c04fca78a11a230036882a074fb0a48e 325740 mail optional 
postfix-cdb_3.3.0-1_amd64.deb
 81be90fe03b34b44a8941a4eb0b686b9 97400 debug optional 
postfix-dbgsym_3.3.0-1_amd64.deb
 105fc193e07b25a2c98f3416365990b4 1190740 doc optional 
postfix-doc_3.3.0-1_all.deb
 046a35e37178cfca13ee5e8cfaf75026 3116 debug optional 
postfix-ldap-dbgsym_3.3.0-1_amd64.deb
 af3499b90ce9f85ac9570d3abcc357d7 343240 mail optional 
postfix-ldap_3.3.0-1_amd64.deb
 f2b98e3217032fe0226a76f2bae2673e 2784 debug optional 
postfix-lmdb-dbgsym_3.3.0-1_amd64.deb
 a22ae6946d0aebf378afb671a9f8f088 330944 mail optional 
postfix-lmdb_3.3.0-1_amd64.deb
 c1ffc0ce0699726eaad67cb5e339cd70 2728 debug optional 
postfix-mysql-dbgsym_3.3.0-1_amd64.deb
 a1ce26819245022bc5c85347cebab92a 333596 mail optional 
postfix-mysql_3.3.0-1_amd64.deb
 bba745fa2edef6064671e1d30102be67 2528 debug optional 
postfix-pcre-dbgsym_3.3.0-1_amd64.deb
 a27b3c4c93e28b7426ddda391d6802b7 331432 mail optional 
postfix-pcre_3.3.0-1_amd64.deb
 b0b02e92f2e9d4216e62b5cd216e5537 2664 debug optional 
postfix-pgsql-dbgsym_3.3.0-1_amd64.deb
 83d299844f195f3d278e424ae2062078 332132 mail optional 
postfix-pgsql_3.3.0-1_amd64.deb
 ca09a1ae719d2f6b285f1dad13f1f9b4 2488 debug optional 
postfix-sqlite-dbgsym_3.3.0-1_amd64.deb
 b4c07fbab6c6331f68e0dda1fc8063ac 329188 mail optional 
postfix-sqlite_3.3.0-1_amd64.deb
 fb685d8b2d55ee1808cc61cf84d8ab19 10918 mail optional 
postfix_3.3.0-1_amd64.buildinfo
 d2ec4349e6249f4b0ba8d3e66419768e 1450420 mail optional 
postfix_3.3.0-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJakJUoAAoJEHjX3vua1ZrxUmUP+QF4KBP2xp4cQ3HWMf2WcU/h
SRgJ6KATApxCInnx8LZ5rYBy3f+0a8TDsjeLUnglCNEUsex9ZXTqoNc+t2bikReH
S45icF5N6vJgi8C2W3EzV4Ryh5AaxqMh4IYsvx4AhfbMBOQ1ywUZ+p8jtCQXRSNn
plOQxM/rrQmNeNG9q/g7eB+o/QiEBu+i5CgqgOF8uJSJLVfDZDwC1vO8h3gnJAXb
A4XHryVweiysOMoesAqWxXI41Z9Ds/A4qiDYoZTYPi37YG6NXKATgTKHmGjxCOVe
9HEduIzFjveXNul8jxm3xItUAgj2sterwRtmSML7vgIZji+pk9WnIo3IQ0iMLdgf
nfsksK0n76D7McFltUcNymh87P3NdmlHhOOkppfmXGFXYnc/kZtY2/IZ8D3dszUB
67H1mh2zIyDCh/EC+h5t3E90oYgRswLr4oI6WanUyDfTqo6RfSx44/0XXiWIuevy
AATgGupKiBbIsUFdn3/VCClZtIomDVoB4Li4FFIa1b7LaNg2uLiaC6v5XAD7rQQI
PZ7cj5yZoCssdFR9bPgcaotyRAgGr+3Tf+LDGhfdp7MtUjADmbXZpdHyp4cw+p5i
6k2OmSMxfEBbDNrJS62foBk/9uKPRnX4BPXZhLBUKmMxAB/9dRARSnlCSC5Ln5x5
2MSXrAi65NPSAHwmkJXX
=tqZN
-----END PGP SIGNATURE-----

--- End Message ---