From 1cde7f9b5429bc70bee06c38034b51947c5cb758 Mon Sep 17 00:00:00 2001
From: Aaron Zauner <azet@azet.org>
Date: Tue, 29 Mar 2016 16:19:34 +0200
Subject: [PATCH] added doc. on postfix version dependent features

---
 letsencrypt-postfix/PostfixConfigGenerator.py | 39 ++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py
index 162a0d832..5e219cc43 100755
--- a/letsencrypt-postfix/PostfixConfigGenerator.py
+++ b/letsencrypt-postfix/PostfixConfigGenerator.py
@@ -162,6 +162,7 @@ class PostfixConfigGenerator:
 				stdout=subprocess.PIPE) \
 				.communicate()[0].split()[2]
 	maj, min, rev = mail_version.split('.')
+	self.postfix_version = mail_version
 	
 	# Postfix has changed support for TLS features, supported protocol versions
 	# KEX methods, ciphers et cetera over the years. We sort out version dependend
@@ -169,8 +170,44 @@ class PostfixConfigGenerator:
 	# see:
 	#  http://www.postfix.org/TLS_README.html
 	#  http://www.postfix.org/FORWARD_SECRECY_README.html
-	self.postfix_version = mail_version
+
+	# Postfix == 2.2:
+	# - TLS support introduced via 3rd party patch, see:
+	#   http://www.postfix.org/TLS_LEGACY_README.html
 	
+	# Postfix => 2.2:
+	# - built-in TLS support added
+	# - Support for PFS introduced
+	# - Support for (E)DHE params >= 1024bit (need to be generated), default 1k
+
+	# Postfix => 2.5:
+	# - Syntax to specify mandatory protocol version changes:
+	#   *  < 2.5: `smtpd_tls_mandatory_protocols = TLSv1`
+	#   * => 2.5: `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3`
+	# - Certificate fingerprint verification added
+
+	# Postfix => 2.6:
+	# - Support for ECDHE NIST P-256 curve (enable `smtpd_tls_eecdh_grade = strong`)
+	# - Support for configurable cipher-suites and protocol versions added, pre-2.6 
+	#   releases always set EXPORT, options: `smtp_tls_ciphers` and `smtp_tls_protocols`
+	# - `smtp_tls_eccert_file` and `smtp_tls_eckey_file` config. options added
+	
+	# Postfix => 2.8:
+	# - Override Client suite preference w. `tls_preempt_cipherlist = yes`
+	# - Elliptic curve crypto. support enabled by default
+	
+	# Postfix => 2.9:
+	# - Public key fingerprint support added
+	# - `permit_tls_clientcerts`, `permit_tls_all_clientcerts` and
+	#   `check_ccert_access` config. options added
+
+	# Postfix <= 2.9.5:
+	# - BUG: Public key fingerprint is computed incorrectly
+
+	# Postfix => 3.1:
+	# - Built-in support for TLS management and DANE added, see:
+	#   http://www.postfix.org/postfix-tls.1.html
+
 	return maj, min, rev
 
     def more_info(self):