On Wed, Jul 22, 2020 at 11:11:27AM -0400, Xavier Belanger wrote:
> It is, the idea is to define exceptions in the system crypto policy
> used by the system. There are multiple ways to do this:
>
> [
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
> ]
>
> See sections:
>
> - 3.5. Excluding an application from following system-wide crypto policies
> - 3.6. Customizing system-wide cryptographic policies with policy modifiers
> - 3.7. Creating and setting a custom system-wide cryptographic policy
>
> It's not as quick and simple as editing one configuration file,
> but this should not be too difficult to implement. The issue here
> is that this mechanism is new in Red Hat/CentOS 8 and some people may
> not be aware of it.
The plan is to soon not require Postfix users to go down that particular
rabbit hole. Instead Postfix will disable any TLS protocol lower/upper
bounds inherited from system policy, and apply its own, based on
whichever of:
    lmtp_tls_protocols, lmtp_tls_mandatory_protocols,
    smtp_tls_protocols, smtp_tls_mandatory_protocols,
    smtpd_tls_protocols, smtpd_tls_mandatory_protocols,
    tlsproxy_tls_protocols, tlsproxy_tls_mandatory_protocols
happens to be applicable. This should be possible with the
next patch level of the supported stable releases.
In Postfix 3.6, the built-in Postfix controls will be extended to
support setting upper/lower bounds, as a preferred alternative
to enumerating individual protocol versions to exclude.
--
Viktor.
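As an added illustration (not part of the thread and not Postfix's own code): a small Python model of the two *_tls_protocols syntaxes the reply refers to, the exclusion list and the Postfix 3.6 lower/upper-bound form, used to check which protocol versions a given setting leaves enabled once Postfix stops inheriting bounds from the system policy. The sample setting strings are constructed inputs; the VERSIONS table and the restriction to these two token forms are simplifying assumptions.

```python
# Added example (not Postfix code): model which TLS protocol versions a
# Postfix *_tls_protocols value leaves enabled, in the two forms the message
# refers to: an exclusion list ("!SSLv2, !SSLv3, ...") and, from Postfix 3.6,
# lower/upper bounds (">=TLSv1.2, <=TLSv1.3"). Assumption: only these two
# token forms occur; bare protocol names are rejected to keep the model small.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def enabled_protocols(setting: str) -> list[str]:
    """Return the protocol versions enabled by a *_tls_protocols value.

    An empty value means no restriction on Postfix's side, so every version
    in VERSIONS stays enabled.
    """
    enabled = set(VERSIONS)
    for tok in setting.replace(",", " ").split():
        if tok.startswith(">="):            # lower bound: drop everything older
            lo = VERSIONS.index(tok[2:])    # ValueError on unknown version name
            enabled -= set(VERSIONS[:lo])
        elif tok.startswith("<="):          # upper bound: drop everything newer
            hi = VERSIONS.index(tok[2:])
            enabled -= set(VERSIONS[hi + 1:])
        elif tok.startswith("!"):           # exclusion: drop this one version
            if tok[1:] not in VERSIONS:
                raise ValueError(f"unknown protocol {tok[1:]!r}")
            enabled.discard(tok[1:])
        else:
            raise ValueError(f"unsupported token {tok!r} (only !, >=, <= modelled)")
    return [v for v in VERSIONS if v in enabled]


def meets_floor(setting: str, floor: str) -> bool:
    """True if nothing older than `floor` can be negotiated under `setting`."""
    return all(VERSIONS.index(v) >= VERSIONS.index(floor)
               for v in enabled_protocols(setting))


if __name__ == "__main__":
    # Constructed sample values for the two syntaxes; same effective result.
    for value in ("!SSLv2, !SSLv3, !TLSv1, !TLSv1.1", ">=TLSv1.2"):
        print(f"{value!r:40} -> {enabled_protocols(value)}")
    # A setting that only drops SSL still lets TLSv1 and TLSv1.1 through.
    print(meets_floor("!SSLv2, !SSLv3", "TLSv1.2"))   # False
```
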