--- postfix-2.3.3/src/tls/tls.h.orig 2006-07-19 17:33:01.000000000 +0200
+++ postfix-2.3.3/src/tls/tls.h 2014-10-23 23:33:10.000000000 +0200
@@ -101,7 +101,7 @@
 #define TLS_PROTOCOL_SSLv3 (1<<1) /* SSLv3 */
 #define TLS_PROTOCOL_TLSv1 (1<<2) /* TLSv1 */
 #define TLS_ALL_PROTOCOLS \
- ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 )
+ ( TLS_PROTOCOL_TLSv1 )
 /*
 * tls_misc.c
--- postfix-2.3.3/src/tls/tls_server.c.orig 2006-07-19 03:11:49.000000000 +0200
+++ postfix-2.3.3/src/tls/tls_server.c 2014-10-23 23:41:37.000000000 +0200
@@ -316,8 +316,8 @@
 if (props->protocols & TLS_PROTOCOL_SSLv2)
 disable &= ~SSL_OP_NO_SSLv2;
- SSL_CTX_set_options(server_ctx, disable);
 }
+ SSL_CTX_set_options(server_ctx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3));
 /*
 * Set the call-back routine for verbose logging.
--- postfix-2.3.3/src/tls/tls_client.c.orig 2006-07-05 20:34:38.000000000 +0200
+++ postfix-2.3.3/src/tls/tls_client.c 2014-10-23 23:43:33.000000000 +0200
@@ -706,8 +706,8 @@
 if (props->protocols & TLS_PROTOCOL_SSLv2)
 disable &= ~SSL_OP_NO_SSLv2;
- SSL_set_options(TLScontext->con, disable);
 }
+ SSL_set_options(TLScontext->con, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3));
 /*
 * Per session cipher selection for sessions with mandatory encryption
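Review bot: In the tls.h hunk, `TLS_ALL_PROTOCOLS` now expands to `TLS_PROTOCOL_TLSv1` alone, so the name no longer describes the value and nothing at the definition says why. A comment above the define would record the intent, for example `/* SSLv2 and SSLv3 are deliberately left out; tls_server.c and tls_client.c disable them unconditionally. */`. Any code outside this hunk that compares a configured protocol mask against `TLS_ALL_PROTOCOLS`, or uses it to validate a setting, would now treat an SSLv3 request differently. That is probably the intent, but it should be checked against the callers.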
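Review bot: In the tls_server.c hunk the `disable` mask is still built from `props->protocols`, but its only visible use was the removed `SSL_CTX_set_options(server_ctx, disable);`, so the computation now looks dead. If `disable` can carry `SSL_OP_NO_TLSv1` (its initialisation is outside the hunk), an administrator's exclusion of TLSv1 would be dropped without any log message. Because SSL_CTX_set_options() adds bits to the options already set, the original call can stay inside the block with the new unconditional call after it, or the block can pass `disable | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`. The tls_client.c hunk has the same pattern with `SSL_set_options(TLScontext->con, ...)`. The enclosing `if` block starts outside both hunks, so confirm this against the full functions.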