[rhel-8] SELinux prevents Postfix tlsproxy from accessing TCP sockets (TLS handshake failure)


      What were you trying to do that didn't work?

      Trying to send emails using Postfix with TLS enabled while SELinux is in enforcing mode. The tlsproxy process fails to perform TLS handshakes with remote SMTP peers due to SELinux denials, resulting in deferred emails.

      What is the impact of this issue to you?

      This issue prevents Postfix from successfully sending emails via TLS when SELinux is in enforcing mode.

      Please provide the package NVR for which the bug is seen:

      RHEL 8:
      postfix-3.5.8-7.el8.x86_64
      selinux-policy-targeted-3.14.3-139.el8_10.1.noarch

      How reproducible is this bug?:

      This bug is 100% reproducible on RHEL 8.10 and RHEL 9.5 when SELinux is in enforcing mode and Postfix is configured to use TLS.

      Steps to reproduce

      Install Postfix on RHEL 8.10 or RHEL 9.5.
      Enable SELinux in enforcing mode.
      Configure Postfix to use TLS for outbound connections.

      Postfix Configuration
      smtp_tls_connection_reuse = yes

      Postfix Master Configuration
      # ==========================================================================
      # service type  private unpriv  chroot  wakeup  maxproc command + args
      #               (yes)   (yes)   (no)    (never) (100)
      # ==========================================================================
      smtp      inet  n       -       n       -       -       smtpd
      tlsproxy  unix  -       -       n       -       0       tlsproxy

      Attempt to send an email using Postfix.
      Observed the following errors in the logs:
      TLS handshake failed for service=smtp.
      Cannot start TLS: handshake failure.

      Expected results

      Postfix should be able to perform TLS handshakes and send emails without SELinux denials when correctly configured.

      Actual results

      Postfix fails to perform TLS handshakes due to SELinux denials, resulting in emails being deferred with the following error:

      Cannot start TLS: handshake failure.
      SELinux logs show denials for tlsproxy attempting to perform read and write operations on TCP sockets labeled with the postfix_smtp_t context.
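To confirm from the audit log that the failure is the one described above, here is an added Python check (not part of the bug report): it parses AVC records, keeps the enforced denials where comm is tlsproxy and the target class is tcp_socket, and groups the denied permissions by source and target context, much like reading the output of ausearch. The audit lines are constructed samples modelled on the report; the source context shown in them is an assumption, not a value taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample AVC records modelled on the report: tlsproxy denied
# read/write on TCP sockets labelled postfix_smtp_t. The scontext value
# (postfix_master_t) is an assumption for illustration only.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1737000000.101:201): avc:  denied  { read } for  pid=4242 comm="tlsproxy" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1737000000.102:202): avc:  denied  { write } for  pid=4242 comm="tlsproxy" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1737000000.103:203): avc:  denied  { read } for  pid=4242 comm="tlsproxy" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1737000000.104:204): avc:  denied  { name_connect } for  pid=4300 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()          # "{ read write }" -> ["read", "write"]
    rec["permissive"] = rec["permissive"] == "1"  # logged-only denials are not enforced
    return rec

def tlsproxy_socket_denials(audit_text, comm="tlsproxy", tclass="tcp_socket"):
    """Enforced denials for `comm` on `tclass`, as {(scontext, tcontext): sorted perms}."""
    denied = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["comm"] != comm or rec["tclass"] != tclass:
            continue
        if rec["permissive"]:
            continue  # permissive mode: logged but allowed, so no handshake failure
        denied[(rec["scontext"], rec["tcontext"])].update(rec["perms"])
    return {ctx: sorted(perms) for ctx, perms in denied.items()}

def handshake_blocked(audit_text):
    """True if tlsproxy was denied read or write on a postfix_smtp_t socket."""
    for (_, tcontext), perms in tlsproxy_socket_denials(audit_text).items():
        if ":postfix_smtp_t:" in tcontext and {"read", "write"} & set(perms):
            return True
    return False

if __name__ == "__main__":
    for ctx, perms in tlsproxy_socket_denials(SAMPLE_AUDIT).items():
        print(ctx, perms)
    print("handshake blocked:", handshake_blocked(SAMPLE_AUDIT))
```

On a real host the same records are obtained with `ausearch -m AVC -c tlsproxy`, and the grouped permissions are what a local policy module would need to allow.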

      People: Zdenek Pytela (rhn-support-zpytela), Ganesh Payelkar (rhn-support-gpayelka), Milos Malik