Postfix TLS Handshake Failures with smtp_tls_connection_reuse Enabled in SELinux Enforcing Mode
Issue
-
TLS handshake failures occur when
smtp_tls_connection_reuse = yesis enabled in Postfix. -
The following log entries were observed in
/var/log/maillogduring the troubleshooting process:Jan 30 10:08:45 postfix.server.com postfix/tlsproxy[10678]: TLS handshake failed for service=smtp peer=[1.2.3.4]:25 Jan 30 10:08:45 postfix.server.com postfix/tlsproxy[10678]: DISCONNECT [1.2.3.4]:25 Jan 30 10:08:45 postfix.server.com postfix/smtp[10677]: D41F72801E3A: to=<user@example.com>, relay=smtp.example.com[2.2.2.2]:25, delay=1.2, delays=0.04/0/1.2/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure) -
Additionally, the following SELinux AVC denials were identified as relevant:
type=AVC msg=audit(01/27/2025 20:50:38.807:98) : avc: denied { read write } for pid=1522 comm=tlsproxy path=socket:[26188] dev="sockfs" ino=26188 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=tcp_socket permissive=1 type=AVC msg=audit(01/27/2025 20:50:38.818:99) : avc: denied { setopt } for pid=1522 comm=tlsproxy laddr=1.2.3.4 lport=34262 faddr=2.2.2.2 fport=25 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=tcp_socket permissive=1
Environment
- Red Hat Enterprise Linux
- Postfix
- SELinux
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.
