On Sun, Nov 27, 2011 at 08:56:40PM +0100, gmx Ralf Hauser wrote:

> http://www.postfix.org/postconf.5.html#smtpd_tls_fingerprint_digest is a
> great feature.
> 
> Is there a plan to offer stronger digest algorithms such as sha256 ?

Postfix supports all the algorithms enabled by the SSL library when one
enables SSL algorithms. With OpenSSL 1.0.0 and later, this includes the
SHA-2 family of digests. Therefore, to use these algorithms, you need
to build Postfix on a platform that uses OpenSSL 1.0.0 or later.

> There appear to be some regulators who prefer to go beyond sha1 - see e.g.
> chapt 2 (p 3) of

I doubt that regulators care which certificate fingerprints you
use in your access tables. These don't go on the wire, so they just
need to be strong enough to resist "second preimage" attacks on
the certificate or (Postfix 2.9) public key fingerprint.

-- 
        Viktor.
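
An added example, not part of the original message or of Postfix: it computes a certificate fingerprint under a chosen digest and looks it up in a fingerprint-keyed table, showing that entries written under one digest stop matching once the digest setting changes. The function names, the table contents and the sample bytes (a constructed stand-in, not a real certificate) are assumptions for illustration.

```python
import base64
import hashlib
import re

# Constructed stand-in for a DER-encoded certificate (NOT a real certificate).
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the raw DER bytes that get hashed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der: bytes, digest: str) -> str:
    """Colon-separated upper-case hex digest of the DER encoding."""
    raw = hashlib.new(digest, der).digest()
    return ":".join(f"{b:02X}" for b in raw)


def lookup(table: str, der: bytes, digest: str):
    """Return the value stored for this certificate's fingerprint, or None."""
    wanted = fingerprint(der, digest)
    for line in table.splitlines():
        parts = line.split(None, 1)          # "fingerprint <whitespace> value"
        if not parts or parts[0].startswith("#"):
            continue                         # skip blank lines and comments
        if parts[0].upper() == wanted:
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def demo():
    der = pem_to_der(SAMPLE_PEM)
    # Constructed table entry, written while the digest setting was sha1.
    table = "# fingerprint  value\n" + fingerprint(der, "sha1") + "  client1\n"
    # Same certificate, same table: only the digest used for the lookup differs.
    return lookup(table, der, "sha1"), lookup(table, der, "sha256")


if __name__ == "__main__":
    print(demo())
```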
