Bug 1688389

Summary: Update Postfix to 3.3.2 to add TLSv1.3-related features
Product: Red Hat Enterprise Linux 8
Reporter: Luc de Louw <ldelouw>
Component: postfix
Assignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED ERRATA
QA Contact: Patrik Moško <pmosko>
Severity: urgent
Docs Contact: Prerana Sharma <presharm>
Priority: urgent
Version: 8.0
CC: aegorenk, huchaudh, jscheibe, jskarvad, lmanasko, pmosko, psklenar, redhat-bugzilla, robert.scheck, sbalasub, sbroz
Target Milestone: rc
Keywords: FutureFeature, Rebase, TestCaseNotNeeded, Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: postfix-3.5.8-1.el8
Doc Type: Enhancement
Doc Text:
.Difference in default `postfix-3.5.8` behavior
For better RHEL-8 backward compatibility, the behavior of the `postfix-3.5.8` update differs from the default upstream `postfix-3.5.8` behavior. For the default upstream `postfix-3.5.8` behavior, run the following commands:

`# postconf info_log_address_format=external`
`# postconf smtpd_discard_ehlo_keywords=`
`# postconf rhel_ipv6_normalize=yes`

For details, see the `/usr/share/doc/postfix/README-RedHat.txt` file. If the incompatible functionalities are not used or RHEL-8 backward compatibility is the priority, no steps are necessary.
Story Points: ---
Last Closed: 2021-05-18 15:03:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Comment 1 Luc de Louw 2019-03-13 16:39:41 UTC
Please also see http://www.postfix.org/announcements/postfix-3.3.2.html

Comment 2 Jaroslav Škarvada 2019-03-13 17:04:32 UTC
It works with TLSv1.3 as is, but it is missing some features, such as:
- option to selectively disable TLSv1.3
- TLSv1.3 specific attributes in Postfix logging and in Postfix "Received:" message headers

$ rpm -q postfix
postfix-3.3.1-8.el8.x86_64

$ openssl s_client -connect localhost:25 -starttls smtp
...
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
...

Comment 5 Tomáš Hozza 2020-03-27 13:28:56 UTC
*** Bug 1746927 has been marked as a duplicate of this bug. ***

Comment 8 Robert Scheck 2020-10-11 16:08:23 UTC
Cross-filed case 02774219 at the Red Hat customer portal, because we would not like to end up again with incomplete TLSv<latest> support in Postfix in a RHEL release, as it already happened with bug #1885530 before.

Comment 41 Jaroslav Škarvada 2020-11-24 17:09:27 UTC
For better RHEL-8 backward compatibility, the behavior of this postfix-3.5.8 update differs from the default upstream postfix-3.5.8 behavior. For the full upstream postfix-3.5.8 behavior, the following commands need to be run:

# postconf info_log_address_format=external
# postconf smtpd_discard_ehlo_keywords=
# postconf rhel_ipv6_normalize=yes

Description of the above steps:

1. Change the configuration option 'info_log_address_format' to 'external'.
In RHEL-8 it's by default set to 'internal' to mitigate [Incompat 20191109].

2. Change the configuration option 'smtpd_discard_ehlo_keywords' to ''.
In RHEL-8 it's by default set to 'chunking' to mitigate [Incompat 20180826].

3. Add RHEL-8 specific configuration option 'rhel_ipv6_normalize' and set it
to 'yes'. In RHEL-8 this option was added to mitigate [Incompat 20190427].

Also, if tlsproxy is in use, please note that the tlsproxy daemon now requires a zero process limit to avoid performance loss under load. This setting has been in our example master.cf configuration file since at least RHEL-8.0. In case it was customized, change the process_limit value to 0, e.g.:

# postconf -F tlsproxy/unix/process_limit=0
# systemctl restart postfix

This is to mitigate [Incompat 20180701].

If the incompatible functionalities are not used or RHEL-8 backward compatibility is the priority, no steps are necessary.

Details from the upstream RELEASE_NOTES:

[Incompat 20191109]
Postfix daemon processes now log the from= and
to= addresses in external (quoted) form in non-debug logging (info,
warning, etc.).  This means that when an address localpart contains
spaces or other special characters, the localpart will be quoted,
for example:

    from=<"name with spaces"@example.com>

Older Postfix versions would log the internal (unquoted) form:

    from=<name with spaces>

The external and internal forms are identical for the vast majority
of email addresses that contain no spaces or other special characters
in the localpart.

Specify "info_log_address_format = internal" for backwards
compatibility.

The logging in external form is consistent with the address form
that Postfix 3.2 and later prefer for table lookups. It is therefore
the more useful form for non-debug logging.

[Incompat 20180826]
The Postfix SMTP server announces CHUNKING (BDAT
command) by default. In the unlikely case that this breaks some
important remote SMTP client, disable the feature as follows:

/etc/postfix/main.cf:
    # The logging alternative:
    smtpd_discard_ehlo_keywords = chunking
    # The non-logging alternative:
    smtpd_discard_ehlo_keywords = chunking, silent_discard

See BDAT_README for more.

[Incompat 20190427]
Postfix now normalizes IP addresses received
with XCLIENT, XFORWARD, or with the HaProxy protocol, for consistency
with direct connections to Postfix. This may change the appearance
of logging, and the way that check_client_access will match subnets
of an IPv6 address.

[Incompat 20180701]
To avoid performance loss under load, the
tlsproxy(8) daemon now requires a zero process limit in master.cf
(this setting is provided with the default master.cf file). By
default, a tlsproxy(8) process will retire after several hours.

To set the tlsproxy process limit to zero:

# postconf -F tlsproxy/unix/process_limit=0
# postfix reload

Comment 42 Robert Scheck 2020-11-26 21:19:16 UTC
Based on tests with postfix-3.5.8-1.el8.x86_64 (as provided by GSS via case 02774219), our expectations regarding complete TLSv1.3 support are satisfied - thank you!

Comment 43 Jaroslav Škarvada 2020-12-07 09:38:27 UTC
*** Bug 1904544 has been marked as a duplicate of this bug. ***

Comment 44 Jaroslav Škarvada 2020-12-08 15:45:31 UTC
*** Bug 1905484 has been marked as a duplicate of this bug. ***

Comment 49 errata-xmlrpc 2021-05-18 15:03:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (postfix bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1664