On Mon, May 08, 2023 at 04:22:29PM -0500, E R via Postfix-users wrote:

> Thank you so much for the suggestion to review the crypto setting as this
> indeed a RedHat based distribution.  I confirmed it is set to "default"
> which means “The default system-wide cryptographic policy level offers
> secure settings for current threat models. It allows the TLS 1.2 and 1.3
> protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and
> Diffie-Hellman parameters are accepted if they are at least 2048 bits long.”

Right, but the meaning of "DEFAULT" (e.g., whether SHA-1 signatures are
accepted in certificates and TLS messages) may vary from release to
release.  In Fedora 36 default allows SHA-1 signatures, but I've seen
documentation that suggests that in RHEL the default policy is more
strict.

You should be able to set your policy to allow SHA1:

    # update-crypto-policies --set DEFAULT:SHA1

(no need to reboot, Postfix processes that use OpenSSL are not
long-lived).

> The [I assume client] system in question was located and is an older
> than dirt system running a LONG obsolete version of Gentoo.  My best
> guess is that the system was accidentally powered on during a
> generator test due to a former employee not properly decommissioning
> the system many years ago.  The configuration change that I wrote
> about (disabling the STARTTLS keyword for the IP address) did allow my
> Postfix gateways to route email without any issue.  I am going to
> guess the age or configuration of the system is to blame.  I have
> started the official process to pull the plug on the server so it can
> be wiped and recycled.

The system was very likely using TLS 1.0, and had no support for TLS 1.2
or later, so yes, quite old by now.

You may still consider whether disabling SHA1 signatures is really the
right policy for an MTA.  If you've never seen that error message in
your logs apart from the client in question, perhaps the default is
good enough.  Otherwise, enabling SHA1 will in practice be fine, and
enable some legacy systems to establish TLS connections that would
otherwise have to fall back to cleartext (or fail to deliver mail).

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
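Viktor's advice above turns on one question: do any clients other than the one legacy box fail STARTTLS? The script below is an added example (not from this thread or from Postfix itself) that tallies TLS handshake outcomes per client IP from Postfix smtpd log lines and lists clients that never completed a handshake; the log lines are constructed samples in Postfix's log format, and the hostnames and addresses are made up.

```python
"""Tally STARTTLS outcomes per client in Postfix smtpd logs."""
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd log format (not from the original thread).
SAMPLE_LOG = """\
May  8 16:01:12 mx1 postfix/smtpd[2311]: connect from unknown[192.0.2.10]
May  8 16:01:12 mx1 postfix/smtpd[2311]: SSL_accept error from unknown[192.0.2.10]: -1
May  8 16:01:13 mx1 postfix/smtpd[2311]: lost connection after STARTTLS from unknown[192.0.2.10]
May  8 16:02:40 mx1 postfix/smtpd[2315]: Anonymous TLS connection established from mail.example.net[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
May  8 16:03:05 mx1 postfix/smtpd[2318]: Untrusted TLS connection established from relay.example.org[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May  8 16:07:19 mx1 postfix/smtpd[2322]: SSL_accept error from unknown[192.0.2.10]: -1
May  8 16:09:51 mx1 postfix/smtpd[2330]: SSL_accept error from relay.example.org[203.0.113.5]: -1
May  8 16:09:55 mx1 postfix/smtpd[2331]: Untrusted TLS connection established from relay.example.org[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# A successful handshake: "(Anonymous|Untrusted|Trusted|Verified) TLS connection established from host[ip]: TLSvX with cipher ..."
ESTABLISHED = re.compile(
    r"TLS connection established from \S+\[([^\]]+)\]: (TLSv[\d.]+) with cipher (\S+)")
# A failed handshake as smtpd logs it.
FAILED = re.compile(r"SSL_accept error from \S+\[([^\]]+)\]")


def summarize_tls(log_text):
    """Return {ip: {"ok": n, "fail": n, "protocols": set()}} for smtpd TLS events."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0, "protocols": set()})
    for line in log_text.splitlines():
        if "postfix/smtpd" not in line:
            continue
        m = ESTABLISHED.search(line)
        if m:
            ip, proto, _cipher = m.groups()
            stats[ip]["ok"] += 1
            stats[ip]["protocols"].add(proto)
            continue
        m = FAILED.search(line)
        if m:
            stats[m.group(1)]["fail"] += 1
    return dict(stats)


def never_succeeded(stats):
    """Clients whose every STARTTLS attempt failed: the candidates for a legacy-TLS problem."""
    return sorted(ip for ip, s in stats.items() if s["fail"] and not s["ok"])


if __name__ == "__main__":
    stats = summarize_tls(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:16} ok={s['ok']} fail={s['fail']} protocols={sorted(s['protocols'])}")
    print("always failing:", never_succeeded(stats))
```

A client that sometimes succeeds (203.0.113.5 in the sample) is a transient failure, not a policy mismatch; only clients that never succeed are evidence for or against relaxing the crypto policy.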