Postfix stable release 3.0.2 and legacy releases 2.11.6, 2.10.8, and 2.9.14

[An on-line version of this announcement will be available at]

Postfix stable release 3.0.2 is available, as well as legacy releases 2.11.6, 2.10.8, and 2.9.14.

With all supported Postfix releases, the default TLS settings no longer enable export-grade ciphers, and no longer enable the SSLv2 and SSLv3 protocols. These ciphers and protocols have little if any legitimate use today, and have instead become a vehicle for downgrade attacks. There are no other code changes.

Postfix documentation has been updated to reflect the new default settings and their rationale; the RELEASE_NOTES give suggestions for how to enable the old ciphers and protocols if your infrastructure requires them.
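A site that upgrades still keeps whatever it set explicitly in main.cf, so the new defaults only help where no older override remains. The following is an added example, not part of the Postfix distribution or this announcement: it scans `postconf -n` style output for explicit settings that leave SSLv2/SSLv3 or export-grade ciphers enabled. The sample input is constructed, and the helper names are hypothetical.

```python
import re

# Real main.cf parameter names; the audit logic itself is illustrative.
PROTOCOL_PARAMS = {
    "smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
    "smtp_tls_protocols", "smtp_tls_mandatory_protocols",
    "lmtp_tls_protocols", "lmtp_tls_mandatory_protocols",
}
CIPHER_PARAMS = {
    "smtpd_tls_ciphers", "smtpd_tls_mandatory_ciphers",
    "smtp_tls_ciphers", "smtp_tls_mandatory_ciphers",
    "lmtp_tls_ciphers", "lmtp_tls_mandatory_ciphers",
}
OLD_PROTOCOLS = ("SSLv2", "SSLv3")

def enabled_old_protocols(value):
    """Return the SSLv2/SSLv3 names that a protocol list leaves enabled."""
    tokens = [t for t in re.split(r"[\s,:]+", value.strip()) if t]
    excluded = {t[1:].lower() for t in tokens if t.startswith("!")}
    included = {t.lower() for t in tokens if not t.startswith("!")}
    # With explicit inclusions, only the listed protocols are on; with
    # none, every protocol that is not "!"-excluded stays on.
    return [p for p in OLD_PROTOCOLS
            if (p.lower() in included if included else True)
            and p.lower() not in excluded]

def audit(postconf_output):
    """Return (parameter, problem) pairs for explicit risky settings."""
    findings = []
    for line in postconf_output.splitlines():
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if not sep:
            continue
        if name in PROTOCOL_PARAMS:
            old = enabled_old_protocols(value)
            if old:
                findings.append((name, "enables " + ", ".join(old)))
        elif name in CIPHER_PARAMS and value.lower() == "export":
            findings.append((name, "export-grade ciphers enabled"))
    return findings

# Constructed sample in the format printed by `postconf -n`.
SAMPLE = """\
smtpd_tls_protocols = !SSLv2
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_ciphers = export
smtpd_tls_ciphers = medium
"""
```

Parameters absent from the `postconf -n` output are not reported, because for those the compiled-in default of the installed release applies.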

Finally, abandoning deprecated ciphers and protocols does not really improve TLS security without measures to better authenticate remote servers. Secure DNS and TLSA are steps in that direction.

You can find the updated Postfix source code at the mirrors listed at