Bug 1475372

Summary: postfix should default to using starttls when sending if capability is offered
Product: Red Hat Enterprise Linux 7
Reporter: Martin Poole <mpoole>
Component: postfix
Assignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: jeharris, thozza
Target Milestone: rc
Keywords: FastFix, Reopened
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2019-12-09 07:51:56 UTC
Type: Bug

Description Martin Poole 2017-07-26 14:02:44 UTC
Description of problem:

postfix should default to using starttls when sending if capability is offered

Current default configuration does not even attempt starttls even if the server offers it.

Version-Release number of selected component (if applicable):

postfix-2.10.1-6.el7.x86_64


Additional info:

Would propose we adopt the recommended client setting portion of 

    Securing postfix on RHEL7 
    https://access.redhat.com/articles/1468593


First cut for client-side appears to be

# Opportunistic TLS: use STARTTLS when the server offers it, plaintext otherwise.
# (smtp_use_tls is the pre-2.3 spelling; smtp_tls_security_level = may has the same effect)
smtp_use_tls = yes
# Log "Host offered STARTTLS: [host]" when a server advertised it but the session stayed in plaintext
smtp_tls_note_starttls_offer = yes
# Trust store for server certificate checks (only enforced at the verify/secure levels)
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
# Protocol exclusions: the *_mandatory_* parameter applies to encrypt/verify/secure,
# smtp_tls_protocols to opportunistic TLS
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
# Cipher grade for opportunistic TLS; "high" selects tls_high_cipherlist below
smtp_tls_ciphers = high

tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
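
Added example, not part of the report or of Postfix: a small Python audit that parses a main.cf fragment, derives the security level the smtp client actually uses (including the documented fallback to the legacy smtp_use_tls / smtp_enforce_tls / smtp_tls_enforce_peername booleans when smtp_tls_security_level is empty), and checks an EHLO reply for the STARTTLS keyword. The two main.cf fragments, the EHLO transcripts and the hostnames are constructed for the example.

```python
"""Audit Postfix smtp-client TLS settings; detect a STARTTLS offer in an EHLO reply.

Added example, not code from the bug report or from Postfix.  The level
derivation mirrors Postfix's fallback from smtp_tls_security_level to the
legacy smtp_use_tls / smtp_enforce_tls / smtp_tls_enforce_peername parameters.
All main.cf fragments and EHLO transcripts below are constructed.
"""
import re

_TRUE = {"yes", "true", "on", "1"}          # Postfix spellings of a boolean "yes"
_MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}  # TLS required


def parse_main_cf(text):
    """Parse a main.cf fragment into {parameter: value}.

    Skips blank and '#' lines; a line starting with whitespace continues the
    previous parameter's value (main.cf continuation syntax).
    """
    cfg, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            cfg[key] = (cfg[key] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        key = name.strip()
        cfg[key] = value.strip()
    return cfg


def effective_smtp_tls_level(cfg):
    """Return the security level the smtp client really uses for outbound mail.

    smtp_tls_security_level wins when set.  When empty, the legacy booleans apply:
      smtp_enforce_tls=yes -> "verify" (smtp_tls_enforce_peername defaults to yes) else "encrypt"
      smtp_use_tls=yes     -> "may"   (opportunistic STARTTLS, as proposed in the report)
      otherwise            -> "none"  (plaintext even when the server offers STARTTLS)
    """
    level = cfg.get("smtp_tls_security_level", "").strip().lower()
    if level:
        return level
    if cfg.get("smtp_enforce_tls", "no").lower() in _TRUE:
        peername = cfg.get("smtp_tls_enforce_peername", "yes").lower() in _TRUE
        return "verify" if peername else "encrypt"
    if cfg.get("smtp_use_tls", "no").lower() in _TRUE:
        return "may"
    return "none"


def audit_client_tls(cfg):
    """Return findings about outbound TLS; an empty list means no complaint."""
    findings = []
    level = effective_smtp_tls_level(cfg)
    if level == "none":
        findings.append("smtp client never attempts STARTTLS "
                        "(smtp_tls_security_level unset and smtp_use_tls=no)")
        return findings
    if level in ("verify", "secure") and not (
            cfg.get("smtp_tls_CAfile") or cfg.get("smtp_tls_CApath")):
        findings.append("certificate verification requested but no smtp_tls_CAfile/CApath set")
    # Opportunistic TLS reads smtp_tls_protocols, mandatory TLS reads the *_mandatory_* one.
    # Flag a parameter that does not explicitly exclude SSLv2/SSLv3; the compiled-in
    # default varies by Postfix build, so the audit insists on an explicit setting.
    param = "smtp_tls_mandatory_protocols" if level in _MANDATORY else "smtp_tls_protocols"
    protos = {p.strip() for p in cfg.get(param, "").split(",") if p.strip()}
    for old in ("SSLv2", "SSLv3"):
        if "!" + old not in protos:
            findings.append(f"{param} does not explicitly exclude {old}")
    return findings


def ehlo_offers_starttls(ehlo_response):
    """True if a multi-line EHLO reply advertises STARTTLS (RFC 5321 '250-KEY' / '250 KEY')."""
    for line in ehlo_response.splitlines():
        m = re.match(r"250[ -]([A-Za-z0-9]+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


# Constructed: a main.cf with no smtp TLS parameters, as the report describes the RHEL 7 default
DEFAULT_MAIN_CF = "myhostname = mail.example.com\ninet_protocols = all\n"

# Constructed: the client-side settings proposed in the report
PROPOSED_MAIN_CF = """
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtp_tls_ciphers = high
"""

# Constructed EHLO replies from a placeholder server
EHLO_WITH_STARTTLS = ("250-mx.example.net\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
                      "250-STARTTLS\r\n250 8BITMIME\r\n")
EHLO_WITHOUT_STARTTLS = "250-mx.example.net\r\n250-PIPELINING\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_MAIN_CF), ("proposed", PROPOSED_MAIN_CF)):
        cfg = parse_main_cf(text)
        print(f"{name}: effective level = {effective_smtp_tls_level(cfg)}")
        for finding in audit_client_tls(cfg):
            print("  -", finding)
    print("server offers STARTTLS:", ehlo_offers_starttls(EHLO_WITH_STARTTLS))
```

Run against a real host, the same logic applies to the output of postconf -n; the audit is deliberately strict about SSLv2/SSLv3 because the report's proposal sets both exclusion parameters explicitly rather than relying on the build default.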

Comment 2 Jaroslav Škarvada 2018-10-26 21:20:37 UTC

*** This bug has been marked as a duplicate of bug 1282350 ***

Comment 3 Jaroslav Škarvada 2018-10-26 21:23:47 UTC
(In reply to Jaroslav Škarvada from comment #2)
> 
> *** This bug has been marked as a duplicate of bug 1282350 ***

Although it could be tracked in one bug, I am going to track it independently for client/server.

Comment 4 Jaroslav Škarvada 2019-06-05 09:45:12 UTC
FYI it has been addressed in RHEL-8.

Comment 5 Tomáš Hozza 2019-12-06 16:09:18 UTC
Red Hat Enterprise Linux version 7 entered the Maintenance Support 1 Phase in August 2019. In this phase only qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. Other errata advisories may be delivered as appropriate.

This bug has been reviewed by Support and Engineering representatives and does not meet the inclusion criteria for the Maintenance Support 1 Phase. If this issue still exists in a newer major version of Red Hat Enterprise Linux, it has been cloned there and work will continue in the cloned bug.

For more information about Red Hat Enterprise Linux Lifecycle, please see https://access.redhat.com/support/policy/updates/errata/