Description (Johannes Scheiber)
2020-12-08 13:17:00 UTC
1. Proposed title of this feature request
- TLS 1.3 support on postfix 3.3.1
2. What is the nature and description of the request?
- Customers relying on the latest certified RHEL version for SAP HANA cannot use TLSv1.3 to be compliant with high security standards and needs.
3. Why does the customer need this? (List the business requirements here)
- RHEL 8.1 currently is the latest RHEL version officially certified for SAP HANA
- RHEL 8.2 will be the upcoming version certified by SAP <- this will still lag behind
- RHEL 8.0 through 8.3 have postfix 3.3.1
- Postfix 3.3.1 does not feature full TLSv1.3 integration as provided in postfix 3.3.2
- TLSv1.3 is a security feature required by customers to be compliant
4. How would the customer like to achieve this? (List the functional requirements here)
4.1 presumably have this bugzilla backported to 3.3.1
https://bugzilla.redhat.com/show_bug.cgi?id=1688389
4.2 backport a postfix >= 3.3.2 to RHEL 8.1 and 8.2 EUS/E4S
5. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
The issue is that the remote endpoint, which is the SES FIPS server, has an issue whereby a connection with TLSv1.3 will get dropped with an invalid MAC.
The problem is that Postfix 3.3.1, which is included with RHEL 8.1, does not support the `!TLSv1.3` setting; this was added in Postfix 3.3.2. See http://www.postfix.org/postconf.5.html#smtp_tls_mandatory_protocols
At which point the following configuration will work:
```
smtp_tls_security_level = encrypt
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
smtp_tls_note_starttls_offer = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
relayhost = [fips-smtp.example.com]:587
smtp_sasl_auth_enable = yes
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 !TLSv1.3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 !TLSv1.3
smtp_use_tls = yes
```
This issue is visible with this command:
```
$ openssl s_client -connect fips-smtp.example.com:587 -starttls smtp -cipher 'AES256-SHA256' -no_ssl3 -no_tls1 -no_tls1_1
```
Result: it immediately hangs up the connection.
With TLSv1.3 disabled:
```
$ openssl s_client -connect fips-smtp.example.com:587 -starttls smtp -cipher 'AES256-SHA256' -no_ssl3 -no_tls1 -no_tls1_1 -no_tls1_3
```
Result: the issue goes away.
The Postfix configuration for 3.3.1 does not currently expose a way to do this, so the patch that fixes this, which is available in Postfix 3.3.2, would need to be backported to the RHEL 8.2 Postfix 3.3.1, or Postfix needs to be upgraded to Postfix 3.3.2.
6. Is there already an existing RFE upstream or in Red Hat Bugzilla?
RFE for RHEL 8.2 https://bugzilla.redhat.com/show_bug.cgi?id=1688389
7. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
RHEL 8.1 for SAP solutions
RHEL 8.2 for SAP solutions
8. Is the sales team involved in this request and do they have any additional input?
no
9. List any affected packages or components.
- postfix 3.3.1
10. Would the customer be able to assist in testing this functionality if implemented?
yes
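A small checker for the setting this report is about, added here as an example (not code from the report or from Postfix): it parses a `smtp_tls_protocols` / `smtp_tls_mandatory_protocols` value, flags the `!TLSv1.3` exclusion when the Postfix version is below 3.3.2 (the threshold the report gives), and builds a client context pinned to the same versions so the relay can be probed over STARTTLS the way the `openssl s_client` commands above do. The relay host and port are placeholders you supply.

```python
"""Check a Postfix TLS protocol list and probe a relay with matching version pins."""
import re
import smtplib
import ssl

KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Names Python's ssl module can pin; SSLv2/SSLv3 are never offered by a client context.
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
MIN_VERSION_FOR_TLS13_EXCLUDE = (3, 3, 2)  # per the bug report above

def effective_protocols(setting, postfix_version):
    """Return (enabled protocol names, warnings).
    Postfix accepts comma- or whitespace-separated tokens; "!NAME" excludes
    a protocol, a bare NAME selects it (the two forms should not be mixed)."""
    tokens = [t for t in re.split(r"[,\s]+", setting.strip()) if t]
    excludes = {t[1:] for t in tokens if t.startswith("!")}
    includes = {t for t in tokens if not t.startswith("!")}
    warnings = [f"unknown protocol name {n!r}" for n in includes | excludes if n not in KNOWN]
    if includes and excludes:
        warnings.append("list mixes include and exclude forms")
    ver = tuple(int(x) for x in postfix_version.split("."))
    if "TLSv1.3" in excludes and ver < MIN_VERSION_FOR_TLS13_EXCLUDE:
        warnings.append(f"!TLSv1.3 needs Postfix >= 3.3.2 but {postfix_version} is running; "
                        "this setting cannot exclude TLSv1.3 there")
    enabled = includes if includes else set(KNOWN) - excludes
    return enabled, warnings

def context_for(enabled):
    """Client context spanning exactly the enabled TLS versions.
    ssl can only pin a contiguous min..max range, so a gap in the middle
    of the enabled set is not representable and is widened."""
    versions = sorted(TLS_VERSIONS[n] for n in enabled if n in TLS_VERSIONS)
    if not versions:
        raise ValueError("no TLS version left enabled")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version, ctx.maximum_version = versions[0], versions[-1]
    return ctx

def probe(host, port, enabled):
    """STARTTLS to the relay with the pinned versions. Returns the negotiated
    protocol name, or the exception if the server drops the handshake (the
    symptom the report describes for TLSv1.3)."""
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=context_for(enabled))
            return smtp.sock.version()
    except (OSError, smtplib.SMTPException) as exc:
        return exc
```

Run `probe("fips-smtp.example.com", 587, enabled)` once with the page's setting evaluated normally and once with `TLSv1.3` left enabled to reproduce the two `openssl s_client` results.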
Comment 2 (Jaroslav Škarvada)
2020-12-08 15:40:21 UTC
Hi Johannes, it is already covered by approved and already finished (but not yet released) rebase to postfix-3.5.8-1.el8. See bug 1688389 for details. I will close this request as a dupe of bug 1688389.
Comment 4 (Jaroslav Škarvada)
2020-12-08 15:45:31 UTC
*** This bug has been marked as a duplicate of bug 1688389 ***
Comment 11 (Jaroslav Škarvada)
2021-01-14 00:14:26 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (postfix bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:1664