On 15.08.2017 19:12, Viktor Dukhovni wrote:
> The supported digest names/algorithms are a feature of the underlying
> OpenSSL library, Postfix just passes the specified name to
> EVP_get_digestbyname(3).

Fair enough. It might be worth mentioning this in the Postfix docs.

> In the absence of any realistic 2nd-preimage attacks on even MD5,
> let alone SHA1, it is I believe still safe to use SHA1 as the
> fingerprint digest.

I agree, and I am not worried about SHA1 at this point. Still, if better digests are available simply by configuring a different algorithm name via smtpd_tls_fingerprint_digest, I'm all for using one of them.

-Ralph
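
An added example, not part of the thread and not Postfix code: it computes a certificate fingerprint under a digest chosen by name, so fingerprints already stored in access tables can be regenerated before smtpd_tls_fingerprint_digest is changed. It assumes Python's hashlib for the name lookup (a separate lookup from the one Postfix makes), and the PEM input is a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: placeholder bytes in a PEM wrapper, not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    # Strip line breaks, then decode strictly so stray characters are rejected.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(pem: str, digest_name: str) -> str:
    """Digest the DER certificate and format it as colon-separated hex pairs."""
    try:
        digest = hashlib.new(digest_name)  # lookup by name; unknown names fail
    except ValueError as exc:
        raise ValueError(f"digest {digest_name!r} is not available") from exc
    digest.update(pem_to_der(pem))
    hexed = digest.hexdigest().upper()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))


def fingerprints(pem: str, names=("sha1", "sha256", "sha512")) -> dict:
    """Fingerprints of one certificate under several digest names."""
    return {name: fingerprint(pem, name) for name in names}


if __name__ == "__main__":
    for name, value in fingerprints(SAMPLE_PEM).items():
        print(f"{name:8} {value}")
```

Changing the digest name changes every fingerprint, so stored fingerprints must be regenerated with the new digest at the same time as the setting.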