On Mon, Oct 21, 2013 at 03:30:46PM +0000, Viktor Dukhovni wrote:

> On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote:
> 
> > Oct 21 08:43:58 <hostname> postfix/smtp[5991]: CA certificate
> > verification failed for mx10.unicredit.eu[62.122.80.93]:25:
> > num=7:certificate signature failure
> 
> This organization uses SHA256 signatures for their certificates, even
> though these are not widely supported.  The most recent patch levels
> of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned on for
> SSL/TLS.  You need to upgrade to one of these, may as well be 2.10.2, but
> one of the others will suffice, see http://www.postfix.org/download.html

Note, SHA256 is also enabled automatically if your OpenSSL is 1.0.0
or later.  By now, you should aim to no longer use OpenSSL 0.9.8
when TLS security is required.  Consider upgrading your systems to
an O/S release where OpenSSL 1.0.0 or later is the default version
of OpenSSL.  Then you can use older versions of Postfix, but of
course you'll probably end up with a more current version at the
same time.

OpenSSL 1.0.0 was released on 29-Mar-2010 ( https://www.openssl.org/news/ ).

-- 
        Viktor.
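
Added example, not part of the original message: a small triage script that groups Postfix verification failures of the form quoted in the thread by peer, singles out num=7 (OpenSSL's X509_V_ERR_CERT_SIGNATURE_FAILURE), and checks whether the local OpenSSL is 1.0.0 or later. The sample log lines are constructed (hostname "mail" and the mx.example.net peer are made up), and it assumes Postfix links the same OpenSSL library as the Python interpreter.

```python
import re
import ssl
from collections import defaultdict

# Matches the Postfix smtp(8) log format quoted in the thread (one line per event).
FAIL_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?:CA )?certificate verification failed for "
    r"(?P<peer>\S+\[[0-9a-fA-F.:]+\]:\d+): num=(?P<num>\d+):(?P<reason>.*)$"
)
SIGNATURE_FAILURE = 7  # OpenSSL X509_V_ERR_CERT_SIGNATURE_FAILURE

def triage(lines):
    """Group verification failures by peer -> set of (num, reason)."""
    failures = defaultdict(set)
    for line in lines:
        m = FAIL_RE.search(line.rstrip())
        if m:
            failures[m["peer"]].add((int(m["num"]), m["reason"].strip()))
    return dict(failures)

def signature_failure_peers(failures):
    """Peers with a num=7 failure, the case discussed in the thread."""
    return sorted(p for p, errs in failures.items()
                  if any(n == SIGNATURE_FAILURE for n, _ in errs))

def local_openssl_at_least_1_0_0(version_info=None):
    """True if the OpenSSL this Python links against is 1.0.0 or later.
    Assumption: Postfix on the same host links the same system library."""
    major, minor, fix = (version_info or ssl.OPENSSL_VERSION_INFO)[:3]
    return (major, minor, fix) >= (1, 0, 0)

# Constructed sample log lines; hostname "mail" and the second peer are made up.
SAMPLE_LOG = [
    "Oct 21 08:43:58 mail postfix/smtp[5991]: CA certificate verification failed "
    "for mx10.unicredit.eu[62.122.80.93]:25: num=7:certificate signature failure",
    "Oct 21 08:44:10 mail postfix/smtp[5993]: certificate verification failed "
    "for mx.example.net[192.0.2.10]:25: num=10:certificate has expired",
    "Oct 21 08:44:12 mail postfix/smtp[5993]: connect to "
    "mx.example.net[192.0.2.10]:25: Connection timed out",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for peer in signature_failure_peers(found):
        print(f"{peer}: signature failure (num=7)")
    if not local_openssl_at_least_1_0_0():
        print(f"{ssl.OPENSSL_VERSION}: older than 1.0.0")
```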
