Bug 1287192 - postfix is limited to using security protocols from last century
postfix is limited to using security protocols from last century
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: postfix (Show other bugs)
Unspecified Unspecified
high Severity medium
: rc
: ---
Assigned To: Jaroslav Škarvada
Andrej Dzilský
Mirek Jahoda
: Patch
Depends On:
Blocks: 1253743 1269194 1355829 1310222 1356054 1359261
  Show dependency treegraph
Reported: 2015-12-01 12:46 EST by Martin Poole
Modified: 2017-03-21 07:29 EDT (History)
6 users (show)

See Also:
Fixed In Version: postfix-2.6.6-8.el6
Doc Type: Enhancement
Doc Text:
_postfix_ now supports user-controlled configuration of *TLS* With this update, _postfix_ offers configuration options for more precise control of the Transport Layer Security (TLS) protocol version. For example, you can now disable *TLS* v1.1 while having *TLS* v1.2 enabled. To do this, add the following line to the `main.cf` file: smtpd_tls_mandatory_protocols = !TLSv1.1
Story Points: ---
Clone Of:
Last Closed: 2017-03-21 07:29:48 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Backported fix (2.69 KB, patch)
2016-06-02 10:18 EDT, Jaroslav Škarvada
no flags Details | Diff

  None (edit)
Description Martin Poole 2015-12-01 12:46:23 EST
Description of problem:

postfix in RHEL6 supports TLSv1.1 & TLSv1.2 when using the more recent openssl library. Unfortunately there is no mechanism to control either of these, either as explicit or as exclusions

Version-Release number of selected component (if applicable):

Comment 2 Jaroslav Škarvada 2016-06-02 10:18 EDT
Created attachment 1164096 [details]
Backported fix

The fix is easy and should be harmless.
Comment 4 Jaroslav Škarvada 2016-06-02 10:19:45 EDT
Scratch build for testing:
Comment 5 Jaroslav Škarvada 2016-06-02 10:22:51 EDT
smtpd_tls_mandatory_protocols = TLSv1.2, !TLSv1, !TLSv1.1, !SSLv2, !SSLv3

And TLSv1.2 is only used if STARTTLS is initiated.
Comment 15 Andrej Dzilský 2016-12-08 11:47:56 EST
Works :) , well done.
Comment 18 errata-xmlrpc 2017-03-21 07:29:48 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.