Bug
Resolution: Unresolved
Minor
rhel-9.7
rhel-security-selinux
Red Hat Enterprise Linux
This issue was found after upgrading an AlmaLinux 9.6 system to 9.7, but I strongly assume this also affects RHEL 9.7.
selinux-policy on 9.6 (before the upgrade):

$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-38.1.53-5.el9_6.noarch
selinux-policy-targeted-38.1.53-5.el9_6.noarch

selinux-policy on 9.7 (after the upgrade):

$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-38.1.65-1.el9.noarch
selinux-policy-targeted-38.1.65-1.el9.noarch
The upgrade results in the following rule missing from the policy:

#============= postfix_smtp_t ==============
allow postfix_smtp_t postfix_master_t:tcp_socket setopt;
Main Postfix configuration changes from the defaults:

main.cf:
inet_interfaces = all
postscreen_bare_newline_enable = yes   (this triggers tlsproxy)

master.cf (enable tlsproxy):
-smtp inet n - n - - smtpd
-#smtp inet n - n - 1 postscreen
#smtpd pass - n - - smtpd
#dnsblog unix - n - 0 dnsblog
#tlsproxy unix - n - 0 tlsproxy
+#smtp inet n - n - - smtpd
+smtp inet n - n - 1 postscreen
+smtpd pass - - n - - smtpd
+dnsblog unix - - n - 0 dnsblog
+tlsproxy unix - - n - 0 tlsproxy
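Review bot: the removed (-) lines for smtpd, dnsblog and tlsproxy show seven columns while the added (+) lines show eight; master.cf requires all eight (service, type, private, unpriv, chroot, wakeup, maxproc, command) and Postfix refuses to start on a bad field count, so the missing column is most likely whitespace lost when the diff was pasted. Worth confirming that the master.cf on the host actually contains `smtpd pass - - n - - smtpd` and the matching `dnsblog`/`tlsproxy` lines with all fields, so that the STARTTLS failure is attributed to the SELinux rule alone and not to a malformed service entry.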
Result: STARTTLS connections on port 25 no longer work from outside.
Indication on a test client:
sleep 1 | openssl s_client -starttls smtp $SERVER:25
Connecting to 192.168.1.130
CONNECTED(00000003)
00130E77AE7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:696:
On the server side, the following is shown in the log:
postfix/tlsproxy[526995]: warning: tlsp_get_fd_event: receive remote SMTP peer file descriptor: Success
Temporarily changing SELinux to permissive reveals the missing policy rule shown above.
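The report finds the missing rule by running in permissive mode and reading the resulting AVC denial. The script below is an added example, not part of the report or of the selinux-policy package: it turns such a denial into the `allow` rule and into a minimal local policy module source (.te), which is the usual way to carry a site-local fix until the distribution policy catches up. The audit line is constructed for the example; `comm="tlsproxy"` and the module name `local_postfix_tlsproxy` are assumptions, since the report only shows which rule is missing, not which process triggered it.

```shell
#!/bin/sh
# Added example (not from the report): derive a local SELinux policy module
# from an AVC denial captured while the system ran in permissive mode.
# The audit line is CONSTRUCTED; on the affected host the real lines come from
#   ausearch -m AVC -ts recent
# comm="tlsproxy" is an assumption: the report only shows that the rule is
# needed for postfix_smtp_t, not which process produced the denial.

SAMPLE_AVC='type=AVC msg=audit(1700000000.000:1): avc:  denied  { setopt } for  pid=526995 comm="tlsproxy" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=tcp_socket permissive=1'

# avc_to_allow LINES: print the allow rule that would satisfy each AVC denial
# (the same translation audit2allow performs). Non-AVC lines are ignored.
avc_to_allow() {
    printf '%s\n' "$1" | awk '
    /avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # keep only the permission set
        sub(/ *[}].*/, "", perms)
        # the type is the third colon-separated field of each context
        src = $0; sub(/.*scontext=/, "", src); split(src, s, ":")
        tgt = $0; sub(/.*tcontext=/, "", tgt); split(tgt, t, ":")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        if (perms ~ / /) perms = "{ " perms " }"   # several permissions need braces
        printf "allow %s %s:%s %s;\n", s[3], t[3], cls, perms
    }'
}

# allow_to_te NAME RULE: wrap one allow rule in a minimal policy module source
# with the require block that checkmodule needs.
allow_to_te() {
    printf '%s\n' "$2" | awk -v name="$1" '
    $1 == "allow" {
        src = $2
        split($3, tc, ":"); tgt = tc[1]; cls = tc[2]
        perms = $0
        sub(/^allow [^ ]* [^ ]* /, "", perms)
        sub(/;$/, "", perms); gsub(/[{}]/, "", perms)
        gsub(/^ +| +$/, "", perms)
        printf "module %s 1.0;\n\nrequire {\n", name
        printf "    type %s;\n    type %s;\n", src, tgt
        printf "    class %s { %s };\n}\n\n", cls, perms
        print $0
    }'
}

# build_and_install NAME TE_TEXT: compile and load the module. Needs root and
# the checkpolicy/policycoreutils tools, so it is defined here but not run;
# review the generated rule before loading it on the affected host.
build_and_install() {
    name=$1
    printf '%s\n' "$2" > "$name.te"
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Demonstration on the constructed denial: prints the rule from the report
# and the .te source that would carry it as a local module.
rule=$(avc_to_allow "$SAMPLE_AVC")
printf '%s\n\n' "$rule"
allow_to_te local_postfix_tlsproxy "$rule"
```

On the host, the same functions are fed the real denials, e.g. `rule=$(avc_to_allow "$(ausearch -m AVC -ts recent | grep postfix_smtp_t)")`, and `build_and_install` loads the resulting module; once the fixed selinux-policy package ships, `semodule -r local_postfix_tlsproxy` removes the local override again.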