Bug 1287192

Summary: postfix is limited to using security protocols from last century
Product: Red Hat Enterprise Linux 6 Reporter: Martin Poole <mpoole>
Component: postfix Assignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED ERRATA QA Contact: Andrej Dzilský <adzilsky>
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 6.7 CC: adzilsky, hkario, jskarvad, psklenar, santony, thozza
Target Milestone: rc Keywords: Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: postfix-2.6.6-8.el6 Doc Type: Enhancement
Doc Text:
_postfix_ now supports user-controlled configuration of *TLS*

With this update, _postfix_ offers configuration options for more precise control of the Transport Layer Security (TLS) protocol version. For example, you can now disable *TLS* v1.1 while having *TLS* v1.2 enabled. To do this, add the following line to the `main.cf` file:

smtpd_tls_mandatory_protocols = !TLSv1.1
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-21 11:29:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1253743, 1269194, 1310222, 1355829, 1356054, 1359261    
Attachments:
Description Flags
Backported fix none

Description Martin Poole 2015-12-01 17:46:23 UTC
Description of problem:

postfix in RHEL6 supports TLSv1.1 & TLSv1.2 when using the more recent openssl library. Unfortunately there is no mechanism to control either of these, either as explicit or as exclusions.

Version-Release number of selected component (if applicable):

postfix-2.6.6-6.el6_5.x86_64

Comment 2 Jaroslav Škarvada 2016-06-02 14:18:07 UTC
Created attachment 1164096
Backported fix

The fix is easy and should be harmless.

Comment 4 Jaroslav Škarvada 2016-06-02 14:19:45 UTC
Scratch build for testing:
http://people.redhat.com/jskarvad/rhbz1287192/

Comment 5 Jaroslav Škarvada 2016-06-02 14:22:51 UTC
main.cf:
smtpd_tls_mandatory_protocols = TLSv1.2, !TLSv1, !TLSv1.1, !SSLv2, !SSLv3

And TLSv1.2 is only used if STARTTLS is initiated.
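
An added example, not part of the bug report or of Postfix itself: a POSIX shell function that works out which protocols a given `smtpd_tls_mandatory_protocols` value leaves enabled, so a setting can be reviewed before it goes into `main.cf`. It assumes the five protocol names in Comment 5 are the complete known set and that a non-empty include list also disables every protocol not listed (an assumption based on the postconf(5) description of this parameter); `effective_protocols` and `in_list` are names made up here.

```shell
#!/bin/sh
# Added example. Assumption: these are the names the patched build knows.
KNOWN="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# in_list NAME LIST: succeed if NAME is one of the words in LIST.
in_list() {
    for _w in $2; do
        if [ "$_w" = "$1" ]; then return 0; fi
    done
    return 1
}

# effective_protocols VALUE: print the protocols VALUE leaves enabled.
# Exit status 2 if VALUE names a protocol that is not in KNOWN.
# The body is a subshell so that "set -f" (no globbing) stays local.
effective_protocols() (
    set -f
    include="" exclude=""
    # List items may be separated by commas, colons or whitespace.
    for tok in $(printf '%s' "$1" | tr ',:' '  '); do
        case $tok in
            \!*) name=${tok#?}; exclude="$exclude $name" ;;
            *)   name=$tok;     include="$include $name" ;;
        esac
        if ! in_list "$name" "$KNOWN"; then
            echo "unknown protocol name: $name" >&2
            exit 2   # leaves the subshell, so the function returns 2
        fi
    done
    out=""
    for p in $KNOWN; do
        if in_list "$p" "$exclude"; then continue; fi
        # Assumed semantics: a non-empty include list disables the rest.
        if [ -n "$include" ] && ! in_list "$p" "$include"; then continue; fi
        out="${out:+$out }$p"
    done
    printf '%s\n' "$out"
)

# The value from Comment 5 leaves only TLSv1.2:
effective_protocols 'TLSv1.2, !TLSv1, !TLSv1.1, !SSLv2, !SSLv3'
# The Doc Text value excludes TLSv1.1 only; SSLv2, SSLv3 and TLSv1 stay listed:
effective_protocols '!TLSv1.1'
```

To check a live configuration, pass it the output of `postconf -h smtpd_tls_mandatory_protocols`. What the OpenSSL build itself permits is a separate question that this function does not answer.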

Comment 15 Andrej Dzilský 2016-12-08 16:47:56 UTC
Works :) , well done.

Comment 18 errata-xmlrpc 2017-03-21 11:29:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0752.html