On Sun, Nov 27, 2011 at 08:56:40PM +0100, gmx Ralf Hauser wrote:

> http://www.postfix.org/postconf.5.html#smtpd_tls_fingerprint_digest is a
> great feature.
>
> Is there a plan to offer stronger digest algorithms such as sha256 ?

Postfix supports all the algorithms enabled by the SSL library when one enables SSL algorithms. With OpenSSL 1.0.0 and later, this includes the SHA-2 family of digests. Therefore, to use these algorithms, you need to build Postfix on a platform that uses OpenSSL 1.0.0 or later.

> There appear to be some regulators who prefer to go beyond sha1 - see e.g.
> chapt 2 (p 3) of

I doubt that regulators care which certificate fingerprints you use in your access tables. These don't go on the wire, so they just need to be strong enough to resist "second preimage" attacks on the certificate or (Postfix 2.9) public key fingerprint.

-- 
	Viktor.
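
Added example, not part of the original message and not Postfix code: a sketch of how a certificate fingerprint depends on the configured digest, and why a fingerprint table built with one digest stops matching once smtpd_tls_fingerprint_digest is changed. Assumptions: Python's hashlib stands in for the SSL library, SAMPLE_DER is constructed bytes rather than a real certificate, and lookup() with its dict is a hypothetical stand-in for an access table.

```python
import hashlib
import ssl

# Constructed stand-in for a certificate's DER encoding (NOT a real
# certificate). The fingerprint is a digest over the DER bytes, so any
# byte string is enough to show the format.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def available(digest):
    """True if the crypto library behind hashlib offers this digest."""
    return digest.lower() in {n.lower() for n in hashlib.algorithms_available}


def fingerprint(pem, digest="sha256"):
    """Digest of the DER certificate as colon-separated upper-case hex,
    the layout printed by `openssl x509 -noout -fingerprint`."""
    if not available(digest):
        raise ValueError(f"digest {digest!r} is not provided by this build")
    der = ssl.PEM_cert_to_DER_cert(pem)
    raw = hashlib.new(digest, der).digest()
    return ":".join(f"{b:02X}" for b in raw)


def lookup(pem, table, digest):
    """Hypothetical access-table lookup: the key is the fingerprint
    computed with the digest that is configured at lookup time."""
    return table.get(fingerprint(pem, digest))


if __name__ == "__main__":
    # Table populated while the configured digest was sha1.
    table = {fingerprint(SAMPLE_PEM, "sha1"): "OK"}
    for digest in ("sha1", "sha256"):
        print(digest, fingerprint(SAMPLE_PEM, digest))
        print("  table result:", lookup(SAMPLE_PEM, table, digest))
```

Switching the digest therefore means regenerating every table entry with the new algorithm before the change takes effect.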