On Mon, Mar 22, 2010 at 10:08:31PM +0100, Richard van den Berg wrote:

> On 22-3-10 22:06 , Richard van den Berg wrote:
>> Apparently postfix does not call SSL_library_init() /
>> OpenSSL_add_ssl_algorithms(), see
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573748 and
>> http://marc.info/?l=openssl-dev&m=126925010314573&w=2
>
> Correction: postfix doesn't call OpenSSL_add_all_algorithms().

None of this is relevant.

On Mon, Mar 22, 2010 at 10:06:51PM +0100, Richard van den Berg wrote:

> On 15-3-10 16:49 , Quanah Gibson-Mount wrote:
>> We use self-signed certs with Postfix, and StartTLS on port 25 works just
>> fine. Postfix is linked against OpenSSL 0.9.8m for us.
>>
>
> Is the signature algorithm of your cert sha256WithRSAEncryption ? It looks
> like there is a bug in postfix where this algorithm is no longer supported
> when 0.9.8m is used. Apparently postfix does not call SSL_library_init() /
> OpenSSL_add_ssl_algorithms(), see
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573748 and
> http://marc.info/?l=openssl-dev&m=126925010314573&w=2

OpenSSL does not support TLS 1.2. Prior to TLS 1.2, certificates that
use SHA-2 are not valid. This is unlikely to be the problem in this
thread, but if it is, the solution is to not use SHA-2 certs with SSL.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.