Description of problem: Due to an incomplete Red Hat backport of TLSv1.2 support (via bug #1287192) into Postfix as shipped with RHEL 6, the usage of Postfix smtp_tls_policy_maps decreases TLS encryption from TLSv1.2 to TLSv1.0 (and weakens the cipher drastically). From my point of view, this is a security issue (that might even be CVE-worthy). As e-mail servers/services tempt to disable TLSv1.0 and TLSv1.1 (especially for submission) nowadys more and more, this is an issue, especially for customers targetting RHEL 6 ELS. Version-Release number of selected component (if applicable): postfix-2.6.6-8.el6.x86_64 How reproducible: Always, see below. Steps to Reproduce: 1. RHEL 6 including all updates 2. yum install postfix -y 3. echo "smtp_tls_CApath = /etc/pki/tls/certs" >> /etc/postfix/main.cf 4. echo "smtp_tls_security_level = may" >> /etc/postfix/main.cf 5. echo "smtp_tls_loglevel = 1" >> /etc/postfix/main.cf 6. /etc/init.d/postfix restart 7. echo Test | mail -s Test <somebody>@fedoraproject.org 8. sleep 5 && grep cipher /var/log/maillog | tail -n 1 -> Oct 6 09:45:29 tux postfix/smtp[21119]: Trusted TLS connection established to mx1.redhat.com[209.132.183.28]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 9. postsuper -d ALL # Clear mail queue in case we're having non-conform FcrDNS etc. and can't deliver the mail 10. echo "smtp_tls_policy_maps = hash:/etc/postfix/tls_policy" >> /etc/postfix/main.cf 11. echo "fedoraproject.org encrypt" >> /etc/postfix/tls_policy 12. postmap /etc/postfix/tls_policy 13. /etc/init.d/postfix restart 14. echo Test | mail -s Test <somebody>@fedoraproject.org 15. sleep 5 && grep cipher /var/log/maillog | tail -n 1 -> Oct 6 09:45:42 tux postfix/smtp[21576]: Trusted TLS connection established to mx1.redhat.com[209.132.183.28]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits) 16. postsuper -d ALL # Clear mail queue in case we're having non-conform FcrDNS etc. and can't deliver the mail Actual results: Usage of Postfix smtp_tls_policy_maps decreases TLS encryption from TLSv1.2 to TLSv1.0 (and weakens cipher drastically). A common cipher (as per https://ssl-config.mozilla.org/) is e.g. "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256" (cipher order has been optimized to fit NCSC-NL requirements, the "Dutch NIST", but it's even the same issue with the original Mozilla "intermediate cipher" recommendation) which is satisfied by ECDHE-RSA-AES256-GCM-SHA384 (without smtp_tls_policy_maps), but NOT by ECDHE-RSA-AES256-SHA (with smtp_tls_policy_maps). Expected results: TLSv1.2 and strong cipher even with usage of Postfix smtp_tls_policy_maps.
Cross-filed case 02770036 at the Red Hat customer portal.
It's not related to the smtp_tls_policy_maps, but to the defaults for the mandatory "TLS security level", i.e. if the smtp_tls_security_level is set to the "encrypt", the result will be the same even without the smtp_tls_policy_maps. The defaults can be overridden in the /etc/postfix/main.cf configuration file, e.g.: smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 It's because DEF_SMTP_TLS_PROTO and DEF_SMTP_TLS_MAND_PROTO differs in the sources, I think it shouldn't differ. The following is in the vanilla sources: #define DEF_SMTP_TLS_PROTO "!SSLv2" #define DEF_SMTP_TLS_MAND_PROTO "SSLv3, TLSv1" Both defaults aren't good according to today's standards, but I think we shouldn't change the defaults for the product near the end of the Maintenance Support 2. Just documenting it should be enough.
The workaround is unfortunately not suitable for the (common) situation to allow opportunistic TLS >= v1.0 for general outbound e-mail while using additionally mandatory TLS via smtp_tls_policy_maps for specific targets where the target requests at least TLSv1.2.
(In reply to Robert Scheck from comment #5) > The workaround is unfortunately not suitable for the (common) situation to > allow opportunistic TLS >= v1.0 for general outbound e-mail while using > additionally mandatory TLS via smtp_tls_policy_maps for specific targets > where the target requests at least TLSv1.2. Could you please elaborate? AFAIK there is 'smtp_tls_protocols' configuration option for the opportunistic TLS and 'smtp_tls_mandatory_protocols' for the mandatory TLS, i.e. both defaults should be overridable.
Unfortunately, real-world scenarios are more complex as the tiny specific reproducer above. The 'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' only works, if all mandatory TLS destinations (there are multiple) provide TLSv1.2 support. If this issue really gets a documentation-only thing, then the preferred solution should be to document to set 'smtp_tls_mandatory_protocols = !SSLv2' in order to match a) the defaults of RHEL 7 and because b) it's a less invasive configuration change that still leads to the same result. My personal preference is however 's/#define DEF_SMTP_TLS_MAND_PROTO "SSLv3, TLSv1"/#define DEF_SMTP_TLS_MAND_PROTO "!SSLv2"/' in the source code to do the right thing with a Postfix RPM package update by default.