> On Sun, Nov 27, 2011 at 08:56:40PM +0100, gmx Ralf Hauser wrote:
> > http://www.postfix.org/postconf.5.html#smtpd_tls_fingerprint_digest is a
> > great feature.
> > Is there a plan to offer stronger digest algorithms such as sha256 ?
> Postfix supports all the algorithms enabled by the SSL library when one
> enables SSL algorithms. With OpenSSL 1.0.0 and later, this includes the
> SHA-2 family of digests. Therefore, to use these algorithms, you need
> to build Postfix on a platform that uses OpenSSL 1.0.0 or later.
I have re-worded the postconf(5) text.
> > There appear to be some regulators who prefer to go beyond sha1 - see e.g.
> > chapt 2 (p 3) of
> I doubt that regulators care which certificate fingerprints you
> use in your access tables. These don't go on the wire, so they just
> need to be strong enough to resist "second preimage" attacks on
> the certificate or (Postfix 2.9) public key fingerprint.
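
An added example, not part of the original thread or of Postfix: a small Python check for one practical side of changing smtpd_tls_fingerprint_digest, namely that access-table keys computed with the old digest have the wrong length and can never match. The function names, the colon-separated upper-case hex format, the "fingerprint action" table layout and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes, NOT a real X.509 certificate; a fingerprint
# is only a digest over the DER encoding, so any bytes show the mechanics.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

HEX_PAIRS = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*")


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, digest: str) -> str:
    """Colon-separated upper-case hex digest of the DER bytes."""
    try:
        h = hashlib.new(digest, der)
    except ValueError:
        # Same situation as in the thread: the digest must be offered by the
        # crypto library this program was built against.
        raise ValueError(f"digest {digest!r} is not available") from None
    raw = h.hexdigest().upper()
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))


def lint_table(lines, digest: str):
    """Return table keys that cannot be fingerprints made with `digest`."""
    want = hashlib.new(digest).digest_size * 3 - 1  # "XX:" per byte, no tail
    bad = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split()[0]
        if len(key) != want or not HEX_PAIRS.fullmatch(key):
            bad.append(key)
    return bad
```

Run lint_table over the existing table with the new digest name before switching; every key it returns has to be recomputed from the client certificate.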