Bug 1904544

Summary: [RFE] Ability to disable TLSv1.3 in postfix
Product: Red Hat Enterprise Linux 8
Reporter: Husam Ahmed Chaudhary <huchaudh>
Component: postfix
Assignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.2
Target Milestone: rc
Target Release: 8.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-12-07 09:38:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Husam Ahmed Chaudhary 2020-12-04 17:52:28 UTC
Description of problem:

The current version of postfix (3.3.1-12) shipped with RHEL 8 doesn't have the option to disable TLSv1.3 from the configuration.

The upstream postfix documentation states that disabling TLSv1.3 is supported since postfix 3.4 (http://www.postfix.org/postconf.5.html#smtpd_tls_protocols):

~~~~
Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
~~~~

One of our customers would like to have this feature in the current version of postfix shipped with RHEL 8.

Version-Release number of selected component (if applicable):
postfix-3.3.1-12

Steps to Reproduce:

1. Configure postfix with TLSv1.3 disabled.

# cat /etc/postfix/main.cf | grep TLSv1.3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.3
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.3
 
2. Testing (connect to postfix with TLSv1.3)

# openssl s_client -starttls smtp  -connect localhost:25 -tls1_3 -brief
Can't use SSL_get_servername
depth=0 C = IN, ST = Maharashtra, L = Mumbai, O = Red Hat, OU = IT, CN = husam.com
verify error:num=18:self signed certificate
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: C = IN, ST = Maharashtra, L = Mumbai, O = Red Hat, OU = IT, CN = husam.com
Hash used: SHA256
Signature type: RSA-PSS
Verification error: self signed certificate
Server Temp Key: X25519, 253 bits
250 SMTPUTF8

Actual results:

Even when TLSv1.3 is disabled in the main.cf file (!TLSv1.3), we are still able to connect using this protocol.

Expected results:

We should not be able to connect to postfix using TLSv1.3.


Additional info:

I have tested the same on Fedora 33, which has postfix-3.5.8-1, and it has the option to disable TLSv1.3.

---------xxxxxx----------

# cat /etc/redhat-release 
Fedora release 33 (Thirty Three)

# rpm -qa | grep post
postfix-3.5.8-1.fc33.x86_64

# cat /etc/postfix/main.cf | grep TLSv1.3

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.3
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.3

# openssl s_client -starttls smtp  -connect localhost:25 -tls1_3 -brief
139999645411136:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70

---------xxxxxx----------
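The following is an added example, not part of this report and not Postfix's own code. It models the two facts the report turns on: the `smtpd_tls_protocols` value is either an exclusion list (`!SSLv2, !SSLv3, ...`) or an inclusion list, and `!TLSv1.3` is only honoured by the Postfix releases named in the postconf(5) text quoted above, so an older build silently keeps TLSv1.3 enabled. It also classifies the output of an `openssl s_client -tls1_3 -brief` probe so the configuration can be checked end to end. The version table is taken from the quoted documentation; the protocol-list parser, the treatment of inclusion lists on old builds, and the sample transcripts (modelled on the two runs above) are this example's own assumptions.

```python
"""Pre-flight check: will this Postfix build really refuse TLSv1.3?

Added example, not Postfix code. The patch-release table comes from the
postconf(5) text quoted in the report; everything else is a simplified model.
"""
import re

ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Minimum patch level per 3.x minor line that understands "!TLSv1.3";
# every 3.4+ release understands it (postconf(5), quoted above).
MIN_PATCH_FOR_TLS13_DISABLE = {(3, 0): 14, (3, 1): 10, (3, 2): 7, (3, 3): 2}


def parse_version(version):
    """'3.3.1-12' -> (3, 3, 1); the RPM release suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Postfix version: %r" % version)
    return tuple(int(x) for x in m.groups())


def honours_tls13_exclusion(version):
    """True if this Postfix release acts on '!TLSv1.3' in a protocol list."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= (3, 4):
        return True
    return patch >= MIN_PATCH_FOR_TLS13_DISABLE.get((major, minor), float("inf"))


def parse_protocol_list(value):
    """Protocol set requested by a (mandatory_)protocols value.

    Postfix accepts either exclusions (all '!'-prefixed) or an explicit
    inclusion list, not a mix; a mixed list is rejected here as a config error.
    """
    items = [t for t in re.split(r"[,\s]+", value) if t]
    excluded = {t[1:] for t in items if t.startswith("!")}
    included = {t for t in items if not t.startswith("!")}
    if excluded and included:
        raise ValueError("mixed inclusion/exclusion list: %r" % value)
    for name in excluded | included:
        if name not in ALL_PROTOCOLS:
            raise ValueError("unknown protocol name %r" % name)
    return included if included else set(ALL_PROTOCOLS) - excluded


def effective_protocols(value, version):
    """Protocols the given build will actually offer for this setting.

    Assumption of this model: a build that predates TLSv1.3 support cannot
    turn it off at all, so TLSv1.3 is added back whenever the release does not
    honour the exclusion (this is what the RHEL 8 postfix-3.3.1 run above shows).
    """
    wanted = parse_protocol_list(value)
    if "TLSv1.3" not in wanted and not honours_tls13_exclusion(version):
        wanted = wanted | {"TLSv1.3"}
    return wanted


def tls13_negotiated(s_client_output):
    """Classify 'openssl s_client -starttls smtp -tls1_3 -brief' output.

    True  -> a TLS 1.3 session was established (server still offers it)
    False -> server refused with a 'protocol version' alert (alert 70)
    None  -> neither pattern seen; treat as inconclusive, not as a pass
    """
    if re.search(r"^Protocol version: TLSv1\.3$", s_client_output, re.M):
        return True
    if "alert protocol version" in s_client_output or "SSL alert number 70" in s_client_output:
        return False
    return None


# Constructed transcripts modelled on the two runs in the report above.
RHEL8_OUTPUT = "CONNECTION ESTABLISHED\nProtocol version: TLSv1.3\nCiphersuite: TLS_AES_256_GCM_SHA384\n"
FEDORA33_OUTPUT = ("139999645411136:error:1409442E:SSL routines:ssl3_read_bytes:"
                   "tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:"
                   "SSL alert number 70\n")

SETTING = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.3"

if __name__ == "__main__":
    for ver in ("3.3.1-12", "3.3.2", "3.5.8-1.fc33"):
        print("postfix-%s offers %s" % (ver, sorted(effective_protocols(SETTING, ver))))
    print("RHEL 8 probe negotiated TLS 1.3:", tls13_negotiated(RHEL8_OUTPUT))
    print("Fedora 33 probe negotiated TLS 1.3:", tls13_negotiated(FEDORA33_OUTPUT))
```

Run it before trusting a `!TLSv1.3` line on any host, and feed the real `openssl s_client` output into `tls13_negotiated` after a restart; an inconclusive `None` (for example, a connection refused or an unrelated error) should be investigated rather than counted as a successful disable.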

Comment 1 Jaroslav Škarvada 2020-12-07 09:38:27 UTC

*** This bug has been marked as a duplicate of bug 1688389 ***