How can I run Postfix in FIPS-140 compliant mode on RHEL?

How can I run Postfix in FIPS-140 compliant mode on RHEL 6 or 7?
Is it enough to put the kernel into enforcing mode as described here https://access.redhat.com/solutions/137833, or do I need to modify Postfix too?
Or does the Red Hat Postfix distribution include the modifications to make it run in FIPS mode?

Thanks for your help,
Rob Maidment

Responses

Hi Rob. Postfix is super-flexible. The measure of how complicated it will be to get working in FIPS mode will entirely depend on how you're using it. E.g., postfix out of the box in RHEL6 and RHEL7 (for local only) won't need any special considerations (neither would a basic mail server); however, you could start running into issues once you start adding encryption (see Postfix TLS Support).

I don't run any production mail servers and haven't ever had a FIPS + postfix case here in support; however, if you stick to basic common-sense rules (use modern certs + keys; for bonus points, generate them on FIPS systems), I doubt you'll run into trouble. That said, it's entirely possible some postfix config changes will be required too. Keep us posted if you need assistance.
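
An added example, not part of the thread and not Red Hat or Postfix tooling: one way to check the two points raised above, whether the kernel reports FIPS mode and whether the Postfix TLS settings name MD5, which is not a FIPS-approved algorithm. The function names and the sample configuration are constructed for illustration; it assumes the kernel flag lives at `/proc/sys/crypto/fips_enabled` and that input is in `postconf -n` format.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: FIPS state is read from
# /proc/sys/crypto/fips_enabled, and MD5 counts as non-approved in FIPS mode.

# fips_enabled [FILE]: succeed only if the kernel flag file contains 1.
fips_enabled() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ]
}

# audit_postconf: read "name = value" lines (postconf -n format) on stdin.
# Prints one finding per line; exit status 1 if any FAIL was printed.
audit_postconf() {
    awk -F' *= *' '
        # Only TLS-related parameters matter for this check.
        $1 !~ /tls/ { next }
        { seen = 1 }
        # MD5 named in any TLS digest setting (e.g. fingerprint digests).
        $1 ~ /digest/ && tolower($2) ~ /md5/ {
            print "FAIL " $1 " uses MD5: " $2; bad = 1; next
        }
        # Certificate and key files need a manual look (key size, signature hash).
        $1 ~ /_(cert|key)_file$/ && $2 != "" {
            print "REVIEW " $1 ": " $2; next
        }
        END {
            if (!seen) print "INFO no TLS parameters set; local-only or plain SMTP"
            exit bad
        }'
}

# Constructed sample input, standing in for `postconf -n` on a TLS-enabled host.
sample_postconf() {
    cat <<'EOF'
inet_interfaces = all
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.test.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.test.key
smtpd_tls_fingerprint_digest = md5
EOF
}
```

On a real host, source the file and run `fips_enabled && postconf -n | audit_postconf`; the `REVIEW` lines list the certificate and key files to inspect by hand.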
