Bug 1885530

Summary: postfix: Usage of smtp_tls_policy_maps decreases TLS encryption from TLSv1.2 to TLSv1.0 (and weakens cipher drastically)
Product: [Other] Security Response Reporter: Robert Scheck <redhat-bugzilla>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: jskarvad, robert.scheck, tcullum
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 05:09:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Scheck 2020-10-06 09:59:37 UTC 
Description of problem:
Due to an incomplete Red Hat backport of TLSv1.2 support (via bug #1287192) into Postfix as shipped with RHEL 6, the usage of Postfix smtp_tls_policy_maps decreases TLS encryption from TLSv1.2 to TLSv1.0 (and weakens the cipher drastically).

From my point of view, this is a security issue (that might even be CVE-worthy). As e-mail servers/services tempt to disable TLSv1.0 and TLSv1.1 (especially for submission) nowadys more and more, this is an issue, especially for customers targetting RHEL 6 ELS.

Version-Release number of selected component (if applicable):
postfix-2.6.6-8.el6.x86_64

How reproducible:
Always, see below.

Steps to Reproduce:
1. RHEL 6 including all updates
2. yum install postfix -y
3. echo "smtp_tls_CApath = /etc/pki/tls/certs" >> /etc/postfix/main.cf
4. echo "smtp_tls_security_level = may" >> /etc/postfix/main.cf
5. echo "smtp_tls_loglevel = 1" >> /etc/postfix/main.cf
6. /etc/init.d/postfix restart
7. echo Test | mail -s Test <somebody>@fedoraproject.org
8. sleep 5 && grep cipher /var/log/maillog | tail -n 1
   -> Oct  6 09:45:29 tux postfix/smtp[21119]: Trusted TLS connection established to mx1.redhat.com[209.132.183.28]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
9. postsuper -d ALL  # Clear mail queue in case we're having non-conform FcrDNS etc. and can't deliver the mail
10. echo "smtp_tls_policy_maps = hash:/etc/postfix/tls_policy" >> /etc/postfix/main.cf
11. echo "fedoraproject.org encrypt" >> /etc/postfix/tls_policy
12. postmap /etc/postfix/tls_policy
13. /etc/init.d/postfix restart
14. echo Test | mail -s Test <somebody>@fedoraproject.org
15. sleep 5 && grep cipher /var/log/maillog | tail -n 1
    -> Oct  6 09:45:42 tux postfix/smtp[21576]: Trusted TLS connection established to mx1.redhat.com[209.132.183.28]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
16. postsuper -d ALL  # Clear mail queue in case we're having non-conform FcrDNS etc. and can't deliver the mail

Actual results:
Usage of Postfix smtp_tls_policy_maps decreases TLS encryption from TLSv1.2 to TLSv1.0 (and weakens cipher drastically).

A common cipher (as per https://ssl-config.mozilla.org/) is e.g. "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256" (cipher order has been optimized to fit NCSC-NL requirements, the "Dutch NIST", but it's even the same issue with the original Mozilla "intermediate cipher" recommendation) which is satisfied by ECDHE-RSA-AES256-GCM-SHA384 (without smtp_tls_policy_maps), but NOT by ECDHE-RSA-AES256-SHA (with smtp_tls_policy_maps).

Expected results:
TLSv1.2 and strong cipher even with usage of Postfix smtp_tls_policy_maps.
Comment 1 Robert Scheck 2020-10-06 10:06:09 UTC 
Cross-filed case 02770036 at the Red Hat customer portal.
Comment 2 Jaroslav Škarvada 2020-10-08 19:32:21 UTC 
It's not related to the smtp_tls_policy_maps, but to the defaults for the mandatory "TLS security level", i.e. if the smtp_tls_security_level is set to the "encrypt", the result will be the same even without the smtp_tls_policy_maps.

The defaults can be overridden in the /etc/postfix/main.cf configuration file, e.g.:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

It's because DEF_SMTP_TLS_PROTO and DEF_SMTP_TLS_MAND_PROTO differs in the sources, I think it shouldn't differ. The following is in the vanilla sources:
#define DEF_SMTP_TLS_PROTO "!SSLv2"
#define DEF_SMTP_TLS_MAND_PROTO "SSLv3, TLSv1"

Both defaults aren't good according to today's standards, but I think we shouldn't change the defaults for the product near the end of the Maintenance Support 2. Just documenting it should be enough.
Comment 5 Robert Scheck 2020-10-16 16:56:37 UTC 
The workaround is unfortunately not suitable for the (common) situation to allow opportunistic TLS >= v1.0 for general outbound e-mail while using additionally mandatory TLS via smtp_tls_policy_maps for specific targets where the target requests at least TLSv1.2.
Comment 6 Jaroslav Škarvada 2020-10-20 10:00:25 UTC 
(In reply to Robert Scheck from comment #5)
> The workaround is unfortunately not suitable for the (common) situation to
> allow opportunistic TLS >= v1.0 for general outbound e-mail while using
> additionally mandatory TLS via smtp_tls_policy_maps for specific targets
> where the target requests at least TLSv1.2.

Could you please elaborate? AFAIK there is 'smtp_tls_protocols' configuration option for the opportunistic TLS and 'smtp_tls_mandatory_protocols' for the mandatory TLS, i.e. both defaults should be overridable.
Comment 7 Robert Scheck 2020-10-23 13:34:15 UTC 
Unfortunately, real-world scenarios are more complex as the tiny specific reproducer above.

The 'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' only works, if all mandatory TLS destinations (there are multiple) provide TLSv1.2 support. If this issue really gets a documentation-only thing, then the preferred solution should be to document to set 'smtp_tls_mandatory_protocols = !SSLv2' in order to match a) the defaults of RHEL 7 and because b) it's a less invasive configuration change that still leads to the same result.

My personal preference is however 's/#define DEF_SMTP_TLS_MAND_PROTO "SSLv3, TLSv1"/#define DEF_SMTP_TLS_MAND_PROTO "!SSLv2"/' in the source code to do the right thing with a Postfix RPM package update by default.