RHEL 9.7: Postfix on FIPS RHEL servers can no longer perform TLS handshakes after upgrade to RHEL 9.7
Issue
- After upgrading to RHEL 9.7, postfix on FIPS-hardened servers cannot properly perform TLS handshakes. Both our mail client and mail server are FIPS-hardened and running RHEL 9.7 (identical versions of Postfix and OpenSSL). The culprit seems to be the fact that Postfix was compiled with 3.2.0 headers, but OpenSSL was upgraded to 3.5.0 in RHEL 9.7. Mail worked fine prior to the 9.6-to-9.7 upgrade. The issue occurs every time the Postfix mail client contacts the Postfix mail server to establish a TLS connection. Again, all this worked in RHEL 9.6; it was only after upgrading both servers to RHEL 9.7 that the issue started.
- After updating to the latest release of openssl for RHEL 9.7, all TLS connections within Postfix fail, giving the error:
warning: TLS library problem: error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:916:SSL alert number 80: Lost connection after STARTTLS
The system had no issues prior to the most recent update, and we confirmed that a downgrade to openssl-3.2.2-6 resolves the issue, but STIG requires systems to be updated to the latest available. It appears no available postfix package from RHEL has been compiled against the updated openssl, leaving any STIG-compliant RHEL 9 system in a non-compliant state, with either TLS disabled for all postfix mail or outdated packages.
- We updated a RHEL 9.6 system to RHEL 9.7; afterwards all outbound mail through Postfix involving TLS fails with a compatibility error:
time hostname postfix/smtp[68953]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.5.0 may not be compatible with OpenSSL 3.2.0
This results in an SSL_connect error and prevents outbound mail.
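As an added diagnostic (example code written for this page; it is not the article's, Red Hat's or Postfix's own tooling), the following shell script parses Postfix log text for the two symptoms quoted in the reports above, the run-time/compile-time OpenSSL mismatch warning and the TLS alert 80 handshake failure, and on a live RHEL host lists the installed package versions and probes STARTTLS from the client side. The sample log lines are constructed from the messages quoted above (host names, PID and address are placeholders), and the major.minor comparison in postfix_abi_minor_mismatch is modelled on the check behind the Postfix warning rather than copied from it, so verify it against the Postfix source you ship.

```shell
#!/bin/sh
# Added diagnostic for the Postfix/OpenSSL mismatch described on this page.
# Not part of the Red Hat article or of Postfix itself.

# Constructed sample journal lines modelled on the messages quoted in the
# reports above; host names, PID and address are placeholders, not captured data.
SAMPLE_LOG='Nov 20 10:01:02 mail1 postfix/smtp[68953]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.5.0 may not be compatible with OpenSSL 3.2.0
Nov 20 10:01:02 mail1 postfix/smtp[68953]: warning: TLS library problem: error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:916:SSL alert number 80:
Nov 20 10:01:02 mail1 postfix/smtp[68953]: SSL_connect error to mail2.example.com[192.0.2.25]:25: lost connection'

# Print "<run-time> <compile-time>" OpenSSL versions taken from the first
# header/library mismatch warning in $1. Returns 1 if no such warning is present.
postfix_openssl_mismatch() {
    printf '%s\n' "$1" \
      | sed -n 's/.*version mismatch: OpenSSL \([0-9.]*\) may not be compatible with OpenSSL \([0-9.]*\).*/\1 \2/p' \
      | head -n 1 \
      | grep .
}

# Count TLS "alert number 80" (internal_error) failures in $1: the alert the
# peer returns when the STARTTLS handshake breaks, as in the second report.
postfix_tls_alert80_count() {
    printf '%s\n' "$1" | grep -c 'SSL alert number 80' || true
}

# Return 0 only if run-time ($1) and compile-time ($2) major.minor differ.
# Assumption: this mirrors the major/minor comparison behind the Postfix
# warning; a patch-level difference alone (3.2.2 vs 3.2.0) is not flagged.
postfix_abi_minor_mismatch() {
    rt=$(printf '%s' "$1" | cut -d. -f1,2)
    ct=$(printf '%s' "$2" | cut -d. -f1,2)
    [ "$rt" != "$ct" ]
}

# Live check for a RHEL host; skipped when the tools are absent (e.g. in CI).
# Shows which postfix/openssl builds are installed and the last mismatch or
# TLS-library warnings the smtp client logged.
live_version_check() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping live check" >&2; return 2; }
    rpm -q postfix openssl openssl-libs
    openssl version
    journalctl -u postfix --no-pager 2>/dev/null \
      | grep -E 'version mismatch|TLS library problem' | tail -n 5
}

# Reproduce the client-side handshake against a relay given as host:port.
# With the broken combination the session ends after STARTTLS instead of
# printing the negotiated protocol and cipher.
starttls_probe() {
    openssl s_client -connect "$1" -starttls smtp -brief </dev/null
}

# Demo over the constructed sample (the only part that runs without Postfix).
if versions=$(postfix_openssl_mismatch "$SAMPLE_LOG"); then
    rt=${versions%% *}
    ct=${versions#* }
    echo "run-time OpenSSL $rt vs compile-time $ct; alert-80 failures: $(postfix_tls_alert80_count "$SAMPLE_LOG")"
fi
```

Run it as `sh check.sh` to see the parse over the sample; on an affected host, source the file and call `live_version_check` and `starttls_probe relay.example.com:25` to compare the installed builds with what the smtp client logs and to reproduce the failing handshake.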
Environment
- Red Hat Enterprise Linux (RHEL) 9.7
- Postfix
- openssl
Subscriber exclusive content