With postfix installed using default settings (just dnf install postfix), then as per:
nmap -sV --script ssl-enum-ciphers -p 25 localhost
we see it happily accepts TLS 1.0/1.1.
This does not really line up with the Red Hat statement here:
or does it?
Seems like RHEL8/9 is affected.
I think that postfix does not use any backends configured by the update-crypto-policies tool mentioned in the document above.
I think it would be fair to either:
- update man page for update-crypto-policies mentioning postfix ignores these settings
- update postfix to use GnuTLS library
In either case we would expect TLS 1.0/1.1 to be blocked by default; as of now we need to disable it manually by:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
in main.cf