Project: RHEL
Issue: RHEL-77615

In RHEL 9 Postfix does not adhere to system-wide crypto policies set via update-crypto-policies.


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • rhel-9.5.z
    • postfix
    • Low
    • rhel-net-perf
    • ssg_core_services
    • x86_64

      What were you trying to do that didn't work?

      After setting the system-wide crypto policy using "update-crypto-policies --set DEFAULT", it was observed that Postfix still allows TLS 1.0 and 1.1 connections unless explicitly configured in its main.cf file. This behavior suggests that Postfix uses its own upstream defaults rather than referring to the system's crypto policies.

      What is the impact of this issue to you?

      Postfix not following system-wide crypto policies means that system administrators cannot rely on a single, consistent configuration for cryptographic protocols and ciphers across all services.
      This creates a potential security risk, as weaker protocols (like TLS 1.0/1.1) or insecure ciphers might remain enabled in Postfix, even if they are disabled globally via update-crypto-policies.

      Please provide the package NVR for which the bug is seen:

      postfix-3.5.25-1.el9.x86_64
      crypto-policies-20240828-2.git626aa59.el9_5.noarch
      crypto-policies-scripts-20240828-2.git626aa59.el9_5.noarch

      How reproducible is this bug?

      1. cat /etc/redhat-release
         Red Hat Enterprise Linux release 9.5 (Plow)

      Installed package:
      postfix-3.5.25-1.el9.x86_64

      2. update-crypto-policies --show
         DEFAULT
      3. cat /etc/crypto-policies/state/CURRENT.pol |egrep -i tls
         cipher@gnutls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
         protocol@gnutls = TLS1.3 TLS1.2 DTLS1.2
         cipher@java-tls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
         protocol@java-tls = TLS1.3 TLS1.2 DTLS1.2
         protocol@nss = TLS1.3 TLS1.2 DTLS1.2
         protocol@openssl = TLS1.3 TLS1.2 DTLS1.2
      4. netstat -antple |egrep -w 'master'
         tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 46810 10890/master
         tcp6 0 0 ::1:25 :::* LISTEN 0 46812 10890/master
      5. nmap --script ssl-enum-ciphers -p 25 localhost | grep "TLSv"
         TLSv1.0:
         TLSv1.1:
         TLSv1.2:
         TLSv1.3:

      Steps to reproduce

      1. Set the system-wide crypto policy: "update-crypto-policies --set DEFAULT".
      2. Check the active policy: "update-crypto-policies --show" (output: DEFAULT).
      3. Test Postfix's supported TLS versions using tools like "openssl s_client" or "nmap".
      4. Observe that Postfix still supports TLS 1.0/1.1 unless explicitly disabled in main.cf.

      Expected results

      Postfix should adhere to the system-wide crypto policies and disable protocols/ciphers that are disallowed by the active policy.

      Actual results

      Postfix does not adhere to the system-wide crypto policies and requires manual configuration in main.cf to enforce them.
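      An added example, not part of the bug report, showing how the manual main.cf configuration the report mentions can be derived from the crypto-policies state file: it reads the protocol@openssl line and emits the Postfix 3.5 exclusion-list settings for both the server (smtpd_*) and client (smtp_*) roles. The sample state file is constructed from the CURRENT.pol excerpt above; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): derive Postfix 3.5 TLS protocol
# settings from the crypto-policies state file so main.cf matches the policy.
# Assumes the "protocol@openssl = ..." line format shown in the report and
# Postfix 3.5's "!proto, !proto" exclusion syntax for smtpd_tls_protocols.

# Every protocol name Postfix 3.5 understands in the *_tls_protocols settings.
POSTFIX_PROTOS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Print the protocols the policy allows for OpenSSL, in Postfix spelling
# (crypto-policies writes TLS1.2, Postfix expects TLSv1.2). DTLS is skipped
# because SMTP never uses datagram TLS.
policy_openssl_protocols() {
    line=$(sed -n 's/^protocol@openssl *= *//p' "$1")
    out=""
    for p in $line; do
        case $p in
            DTLS*) ;;
            TLS*) out="${out:+$out }TLSv${p#TLS}" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Build the exclusion list: every known protocol the policy does not allow.
postfix_exclusions() {
    allowed=$(policy_openssl_protocols "$1")
    out=""
    for p in $POSTFIX_PROTOS; do
        case " $allowed " in
            *" $p "*) ;;                      # allowed by policy: keep it
            *) out="${out:+$out, }!$p" ;;     # not allowed: exclude it
        esac
    done
    printf '%s\n' "$out"
}

# Emit the four main.cf lines (server and client, opportunistic and mandatory).
postfix_main_cf() {
    ex=$(postfix_exclusions "$1")
    for key in smtpd_tls_protocols smtpd_tls_mandatory_protocols \
               smtp_tls_protocols smtp_tls_mandatory_protocols; do
        printf '%s = %s\n' "$key" "$ex"
    done
}

# Constructed sample mirroring the DEFAULT-policy excerpt in the report.
SAMPLE=$(mktemp)
printf 'protocol@gnutls = TLS1.3 TLS1.2 DTLS1.2\nprotocol@openssl = TLS1.3 TLS1.2 DTLS1.2\n' > "$SAMPLE"
postfix_main_cf "$SAMPLE"      # -> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 (and three more lines)
rm -f "$SAMPLE"
```

      Postfix 3.6 and later also accept the shorter ">=TLSv1.2" form for these settings; the exclusion list is the form Postfix 3.5 understands. "postconf smtpd_tls_protocols" shows the value currently in effect, which is how to confirm the change took.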

              People: Jaroslav Škarvada (jskarvad), Ganesh Payelkar (rhn-support-gpayelka), Robin Hack
              Votes: 0
              Watchers: 6