Bug 1905484 - backport TLS 1.3 support to postfix 3.3.1 as provided in 3.3.2
Summary: backport TLS 1.3 support to postfix 3.3.1 as provided in 3.3.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: postfix
Version: 8.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: 8.0
Assignee: Jaroslav Škarvada
QA Contact: Patrik Moško
URL:
Whiteboard:
Depends On:
Blocks: 1919233 1919234 1919235
Reported: 2020-12-08 13:17 UTC by Johannes Scheiber
Modified: 2024-06-13 23:39 UTC (History)

Fixed In Version: postfix-3.5.8-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1919233 1919234 1919235
Environment:
Last Closed: 2021-05-18 15:03:43 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
Proposed fix (4.49 KB, patch)
2021-01-14 00:14 UTC, Jaroslav Škarvada


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:1664 0 None None None 2021-05-18 15:03:54 UTC

Description Johannes Scheiber 2020-12-08 13:17:00 UTC
1. Proposed title of this feature request
  - TLS 1.3 support on postfix 3.3.1
2. What is the nature and description of the request?
  - Customers relying on the latest certified RHEL version for SAP HANA cannot use TLSv1.3 to be compliant to high security standards and needs.

3. Why does the customer need this? (List the business requirements here)
  - RHEL 8.1 currently is the latest RHEL version officially certified for SAP HANA
  - RHEL 8.2 will be the upcoming version certified by SAP <- this will still lag behind
  - RHEL 8.0 through 8.3 have postfix 3.3.1
  - Postfix 3.3.1 does not feature full TLSv1.3 integration as provided in postfix 3.3.2
  - TLSv1.3 is a security feature required by customers to be compliant

4. How would the customer like to achieve this? (List the functional requirements here)
  4.1 presumably have this bugzilla backported to 3.3.1
        https://bugzilla.redhat.com/show_bug.cgi?id=1688389
  4.2 backport a postfix >= 3.3.2 to RHEL 8.1 and 8.2 to EUS/E4S

5. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

The issue is that the remote endpoint, which is the SES FIPS server, has an issue whereby a connection with TLSv1.3 gets dropped with an invalid MAC.

The problem is that Postfix 3.3.1 which is included with RHEL 8.1 does not support the `!TLSv1.3` setting, this was added in Postfix 3.3.2: See http://www.postfix.org/postconf.5.html#smtp_tls_mandatory_protocols

At which point the following configuration will work:

```
smtp_tls_security_level = encrypt
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
smtp_tls_note_starttls_offer = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
relayhost = [fips-smtp.example.com]:587
smtp_sasl_auth_enable = yes
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 !TLSv1.3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 !TLSv1.3
smtp_use_tls = yes
```

This issue is visible with this command:

```
$ openssl s_client -connect fips-smtp.example.com:587 -starttls smtp -cipher 'AES256-SHA256' -no_ssl3 -no_tls1 -no_tls1_1
```

Result: it immediately hangs up the connection.

With TLSv1.3 disabled:

```
$ openssl s_client -connect fips-smtp.example.com:587 -starttls smtp -cipher 'AES256-SHA256' -no_ssl3 -no_tls1 -no_tls1_1 -no_tls1_3
```

Result: the issue goes away.

The Postfix configuration for 3.3.1 does not currently expose a way to do this, so the patch that fixes this, which is available in Postfix 3.3.2, would need to be backported to the RHEL 8.2 Postfix 3.3.1, or Postfix needs to be upgraded to Postfix 3.3.2.


6. Is there already an existing RFE upstream or in Red Hat Bugzilla?
       RFE for RHEL 8.2 https://bugzilla.redhat.com/show_bug.cgi?id=1688389

7. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
      RHEL 8.1 for SAP solutions
      RHEL 8.2 for SAP solutions

8. Is the sales team involved in this request and do they have any additional input?
   no

9. List any affected packages or components.
    - postfix 3.3.1

10. Would the customer be able to assist in testing this functionality if implemented?
   yes
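The following is an added example, not code from the bug report or from the Postfix project. It models how a Postfix protocol list such as `smtp_tls_mandatory_protocols` is interpreted according to the documented syntax (names separated by commas or whitespace, a `!` prefix for exclusion, inclusion and exclusion not mixed, names matched case-insensitively) and shows why the `!TLSv1.3` exclusion from the configuration above is accepted by a release that knows the `TLSv1.3` name but rejected by one that does not. The per-version name tables, the `ProtocolListError` type and the `needs_tls13_token()` helper are assumptions made for this illustration; the real Postfix parser lives in C and its exact error handling is not reproduced here.

```python
"""
Added example: a simplified model of Postfix TLS protocol-list parsing,
used to show the effect of a release not knowing the 'TLSv1.3' name.
Assumption: the name tables below reflect the bug report's statement that
'!TLSv1.3' became usable in Postfix 3.3.2; they are not read from Postfix.
"""
import re

# Protocol names assumed to be known by each release (assumption, see above).
KNOWN_PROTOCOLS = {
    "3.3.1": ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"),
    "3.3.2": ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"),
}


class ProtocolListError(ValueError):
    """Raised when a protocol list cannot be interpreted by the given release."""


def _tokens(setting):
    # Postfix lists are separated by commas and/or whitespace.
    return [t for t in re.split(r"[\s,]+", setting.strip()) if t]


def enabled_protocols(setting, version):
    """Return the protocol names left enabled by `setting` on Postfix `version`.

    An empty setting enables everything the release knows. Exclusions are
    written with a leading '!'; mixing inclusions and exclusions, or naming a
    protocol the release does not know, raises ProtocolListError.
    """
    known = KNOWN_PROTOCOLS[version]
    by_lower = {name.lower(): name for name in known}
    tokens = _tokens(setting)
    if not tokens:
        return list(known)

    excludes = [t[1:] for t in tokens if t.startswith("!")]
    includes = [t for t in tokens if not t.startswith("!")]
    if excludes and includes:
        raise ProtocolListError("inclusion and exclusion forms must not be mixed")

    for name in excludes + includes:
        if name.lower() not in by_lower:
            raise ProtocolListError(
                f"unknown protocol name {name!r} for postfix {version}")

    if includes:
        wanted = {by_lower[n.lower()] for n in includes}
        return [p for p in known if p in wanted]
    dropped = {by_lower[n.lower()] for n in excludes}
    return [p for p in known if p not in dropped]


def needs_tls13_token(setting):
    """True if `setting` only parses on a release that knows 'TLSv1.3'."""
    try:
        enabled_protocols(setting, "3.3.1")
    except ProtocolListError:
        return "tlsv1.3" in {t.lstrip("!").lower() for t in _tokens(setting)}
    return False


if __name__ == "__main__":
    # The mandatory-protocols line from the bug report's configuration.
    line = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1 !TLSv1.3"
    print("3.3.2 enables:", enabled_protocols(line, "3.3.2"))
    print("needs the TLSv1.3 name:", needs_tls13_token(line))
    try:
        enabled_protocols(line, "3.3.1")
    except ProtocolListError as err:
        print("3.3.1 rejects it:", err)
```

Run as a script, it shows that on a release knowing the name only TLSv1.2 remains enabled by that line, while a 3.3.1-style table rejects the whole setting; `needs_tls13_token()` is the kind of check an administrator could run over a `main.cf` before rolling the configuration out to hosts still on the older package.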

Comment 2 Jaroslav Škarvada 2020-12-08 15:40:21 UTC
Hi Johannes, it is already covered by approved and already finished (but not yet released) rebase to postfix-3.5.8-1.el8. See bug 1688389 for details. I will close this request as a dupe of bug 1688389.

Comment 4 Jaroslav Škarvada 2020-12-08 15:45:31 UTC

*** This bug has been marked as a duplicate of bug 1688389 ***

Comment 11 Jaroslav Škarvada 2021-01-14 00:14:26 UTC
Created attachment 1747238 [details]
Proposed fix

The backport should be safe.

Comment 39 errata-xmlrpc 2021-05-18 15:03:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (postfix bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1664

