diff -uNr postfix-3.2.2/mantools/postlink postfix-3.2.2-interm/mantools/postlink
--- postfix-3.2.2/mantools/postlink	2016-12-17 23:22:04.000000000 +0000
+++ postfix-3.2.2-interm/mantools/postlink	2017-09-06 16:19:41.000000000 +0100
@@ -750,6 +750,7 @@
     s;\btls_wildcard_matches_multiple_labels\b;<a href="postconf.5.html#tls_wildcard_matches_multiple_labels">$&</a>;g;
     s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
     s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
+    s;\btls_enable_fips\b;<a href="postconf.5.html#tls_enable_fips">$&</a>;g;
 
     s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;
     s;\breset_owner_alias\b;<a href="postconf.5.html#reset_owner_alias">$&</a>;g;
diff -uNr postfix-3.2.2/proto/postconf.proto postfix-3.2.2-interm/proto/postconf.proto
--- postfix-3.2.2/proto/postconf.proto	2017-02-08 00:34:24.000000000 +0000
+++ postfix-3.2.2-interm/proto/postconf.proto	2017-09-06 16:23:56.000000000 +0100
@@ -14887,6 +14887,17 @@
 
 <p> This feature is available in Postfix 2.9.6 and later.  </p>
 
+%PARAM tls_enable_fips no
+
+<p> Attempts to put OpenSSL library into FIPS 140-2 mode. </p>
+
+<p> If the attempt fails, Postfix will log the error code and
+disable TLS support. </p>
+
+<p>The OpenSSL library must have been built with the FIPS Object Module, 
+and the FIPS Object Module must have been acquired, built, and installed 
+in accordance with the OpenSSL Security Policy.</p>
+
 %PARAM tlsproxy_watchdog_timeout 10s
 
 <p> How much time a tlsproxy(8) process may take to process local
diff -uNr postfix-3.2.2/proto/TLS_README.html postfix-3.2.2-interm/proto/TLS_README.html
--- postfix-3.2.2/proto/TLS_README.html	2016-12-17 23:22:04.000000000 +0000
+++ postfix-3.2.2-interm/proto/TLS_README.html	2017-09-06 16:24:12.000000000 +0100
@@ -917,6 +917,9 @@
 Enabling server cipher-suite selection may create interoperability
 issues with Windows 2003 Microsoft Exchange clients.  </p>
 
+<p>The list of available ciphers will also be affected by
+tls_enable_fips.</p>
+
 <h3><a name="server_misc"> Miscellaneous server controls</a> </h3>
 
 <p> The smtpd_starttls_timeout parameter limits the time of Postfix
@@ -2338,6 +2341,9 @@
 older releases.  With Postfix &lt; 2.6, the minimum opportunistic
 TLS cipher grade is always "export".  </p>
 
+<p>The list of available ciphers will also be affected by
+tls_enable_fips.</p>
+
 <p> With mandatory and opportunistic TLS encryption, the Postfix
 SMTP client will by default disable SSLv2 and SSLv3. The mandatory
 TLS protocol list is specified via the
diff -uNr postfix-3.2.2/src/global/mail_params.h postfix-3.2.2-interm/src/global/mail_params.h
--- postfix-3.2.2/src/global/mail_params.h	2017-02-19 01:58:20.000000000 +0000
+++ postfix-3.2.2-interm/src/global/mail_params.h	2017-09-06 16:25:12.000000000 +0100
@@ -3231,6 +3231,10 @@
 #define DEF_TLS_MULTI_WILDCARD	1
 extern bool var_tls_multi_wildcard;
 
+#define VAR_TLS_ENABLE_FIPS	"tls_enable_fips"
+#define DEF_TLS_ENABLE_FIPS	0
+extern bool var_tls_enable_fips;
+
  /* The tweak for CVE-2010-4180 is needed in some versions prior to 1.0.1 */
  /* The tweak for CVE-2005-2969 is needed in some versions prior to 1.0.0 */
 #if defined(USE_TLS) && (OPENSSL_VERSION_NUMBER < 0x1000100fUL)
diff -uNr postfix-3.2.2/src/smtp/smtp.c postfix-3.2.2-interm/src/smtp/smtp.c
--- postfix-3.2.2/src/smtp/smtp.c	2016-12-04 19:50:52.000000000 +0000
+++ postfix-3.2.2-interm/src/smtp/smtp.c	2017-09-06 16:26:35.000000000 +0100
@@ -472,6 +472,10 @@
 /*	The TLS policy for MX hosts with "secure" TLSA records when the
 /*	nexthop destination security level is \fBdane\fR, but the MX
 /*	record was found via an "insecure" MX lookup.
+/* .PP
+/*	Available in Postfix version 3.XXX and later:
+/* .IP "\fBtls_enable_fips (no)\fR"
+/*	Attempts to put OpenSSL library into FIPS 140-2 mode.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
diff -uNr postfix-3.2.2/src/smtpd/smtpd.c postfix-3.2.2-interm/src/smtpd/smtpd.c
--- postfix-3.2.2/src/smtpd/smtpd.c	2017-04-03 22:58:06.000000000 +0100
+++ postfix-3.2.2-interm/src/smtpd/smtpd.c	2017-09-06 16:27:10.000000000 +0100
@@ -478,6 +478,10 @@
 /* .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
 /*	The prioritized list of elliptic curves supported by the Postfix
 /*	SMTP client and server.
+/* .PP
+/*	Available in Postfix version 3.XXX and later:
+/* .IP "\fBtls_enable_fips (no)\fR"
+/*	Attempts to put OpenSSL library into FIPS 140-2 mode.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
diff -uNr postfix-3.2.2/src/tls/tls_client.c postfix-3.2.2-interm/src/tls/tls_client.c
--- postfix-3.2.2/src/tls/tls_client.c	2017-01-01 22:22:13.000000000 +0000
+++ postfix-3.2.2-interm/src/tls/tls_client.c	2017-09-06 16:28:36.000000000 +0100
@@ -295,6 +295,13 @@
     tls_param_init();
 
     /*
+     * Enable FIPS mode as early as possible.
+     */
+    if(var_tls_enable_fips && (tls_enable_fips() == 0)) {
+        return (0);
+    }
+
+    /*
      * Detect mismatch between compile-time headers and run-time library.
      */
     tls_check_version();
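Review bot: The call to `tls_enable_fips()` in the added `if` has no prototype anywhere in this patch: the function is defined in the tls_misc.c hunk, but no header hunk declares it. Under C99 and later that makes the call an implicit declaration, which is a warning at best and an error with stricter compilers. Add `extern int tls_enable_fips(void);` to the shared TLS header that both callers already include, next to the other TLS-internal prototypes and under the same build guard. The identical call in the tls_server.c hunk needs the same declaration. The enclosing init function starts and ends outside this hunk.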
diff -uNr postfix-3.2.2/src/tls/tls_misc.c postfix-3.2.2-interm/src/tls/tls_misc.c
--- postfix-3.2.2/src/tls/tls_misc.c	2016-12-17 23:22:04.000000000 +0000
+++ postfix-3.2.2-interm/src/tls/tls_misc.c	2017-09-06 16:29:01.000000000 +0100
@@ -258,6 +258,7 @@
 char   *var_tls_mgr_service;
 char   *var_tls_tkt_cipher;
 char   *var_openssl_path;
+bool    var_tls_enable_fips;
 
 #ifdef VAR_TLS_PREEMPT_CLIST
 bool    var_tls_preempt_clist;
@@ -668,6 +669,7 @@
 	VAR_TLS_DANE_TAA_DGST, DEF_TLS_DANE_TAA_DGST, &var_tls_dane_taa_dgst,
 	VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist,
 	VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard,
+	VAR_TLS_ENABLE_FIPS, DEF_TLS_ENABLE_FIPS, &var_tls_enable_fips,
 	0,
     };
     static int init_done;
@@ -1288,3 +1290,23 @@
 int     tls_dummy_for_broken_linkers;
 
 #endif
+
+/* tls_enable_fips - enable openssl FIPS mode */
+
+int tls_enable_fips(void)
+{
+	int fips_ok = 0;
+
+	if((fips_ok = FIPS_mode_set(1)) != 1) {
+		msg_warn("FIPS mode initialization failed (err: %x)", ERR_get_error());
+
+		/* Ensure that the mode is set back to OFF */
+		FIPS_mode_set(0);
+		fips_ok = 0;
+	}
+	else if(msg_verbose)
+		msg_info("FIPS mode enabled");
+
+	return fips_ok;
+}
+
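Review bot: The `msg_warn()` call passes the `unsigned long` returned by `ERR_get_error()` to a `%x` conversion, which is a format/argument mismatch; it should read `msg_warn("FIPS mode initialization failed (err: %lx)", ERR_get_error());`. The function is also appended after the file's final `#endif`, which from the `tls_dummy_for_broken_linkers` context line appears to close the USE_TLS conditional. If so, a build without TLS would still compile the references to `FIPS_mode_set` and `ERR_get_error` with no OpenSSL headers in scope, so the definition belongs inside the TLS-enabled part of the file. `ERR_get_error()` removes only one entry from the error queue, so the remaining entries stay queued for whatever TLS call next reports errors. Draining the whole queue here would keep the FIPS failure from being misattributed later.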
diff -uNr postfix-3.2.2/src/tls/tls_server.c postfix-3.2.2-interm/src/tls/tls_server.c
--- postfix-3.2.2/src/tls/tls_server.c	2017-01-01 22:22:13.000000000 +0000
+++ postfix-3.2.2-interm/src/tls/tls_server.c	2017-09-06 16:28:45.000000000 +0100
@@ -373,6 +373,13 @@
     tls_param_init();
 
     /*
+     * Enable FIPS mode as early as possible.
+     */
+    if(var_tls_enable_fips && (tls_enable_fips() == 0)) {
+		return (0);
+	}
+
+    /*
      * Detect mismatch between compile-time headers and run-time library.
      */
     tls_check_version();
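Review bot: When FIPS was requested and cannot be entered, the added branch returns 0, which the postconf.proto text in this patch describes as "disable TLS support", so the daemon keeps running without TLS rather than stopping. With opportunistic TLS that presumably means sessions proceed in cleartext, a weaker outcome than the non-FIPS TLS the operator was trying to rule out. How callers treat the 0 return is outside this hunk. Consider making a failed FIPS request fatal, for example `msg_fatal("tls_enable_fips: cannot enter FIPS mode");`, or at least state the cleartext consequence in the parameter documentation. The same applies to the tls_client.c hunk, and the `return (0);` and closing brace here are tab-indented where the client hunk uses spaces.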