> I don't even know whether RedHat exposes any mechanisms for applications
> to opt-out of crypto policy and use only application-driven OpenSSL
> configuration.  This should perhaps be looked into in the Postfix 3.9
> timeframe.

from my notes dealing with new Fedora crypto-policies on a number of other issues

RedHat provides system-wide policy overrides

        https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-wide-crypto-policy-to-mode-compatible-with-previous-systems_using-the-system-wide-cryptographic-policies

&

        https://redhatgov.io/workshops/rhel_8/exercise1.5/
        https://access.redhat.com/articles/3666211
        https://access.redhat.com/articles/3642912

general guidance on customizing policy

        https://www.redhat.com/en/blog/how-customize-crypto-policies-rhel-82

Oracle also has a good writeup

        https://docs.oracle.com/en/operating-systems/oracle-linux/8/security/security-ImplementingAdditionalSecurityFeaturesandBestPractices.html#system-crypto-policies

note there's option to set per-application policies

        https://www.systutorials.com/docs/linux/man/8-update-crypto-policies/#lbAF

with tool help

        https://gitlab.com/redhat-crypto/fedora-crypto-policies#user-content-generating-the-policies

                "...
                To generate the policies per application use the script python/build-crypto-policies.py policydir DESTDIR
                ..."

some apps allow exclusion at launch

        https://computingforgeeks.com/configure-system-wide-cryptographic-policies/
                "...
                #4. Excluding an application from system-wide crypto policies
                ..."

for Postfix specifically, there was old discussion re: Postfix ignoring policy

        Re: postfix 3.5.4 centos 8 hardcoded crypto settings?
        https://marc.info/?l=postfix-users&m=159543275820835&w=2

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
