Viktor Dukhovni:
> On Sun, Nov 27, 2011 at 08:56:40PM +0100, gmx Ralf Hauser wrote:
>
> > http://www.postfix.org/postconf.5.html#smtpd_tls_fingerprint_digest is a
> > great feature.
> >
> > Is there a plan to offer stronger digest algorithms such as sha256 ?
>
> Postfix supports all the algorithms enabled by the SSL library when one
> enables SSL algorithms. With OpenSSL 1.0.0 and later, this includes the
> SHA-2 family of digests. Therefore, to use these algorithms, you need
> to build Postfix on a platform that uses OpenSSL 1.0.0 or later.

I have re-worded the postconf(5) text.

	Wietse

> > There appear to be some regulators who prefer to go beyond sha1 - see e.g.
> > chapt 2 (p 3) of
>
> I doubt that regulators care which certificate fingerprints you
> use in your access tables. These don't go on the wire, so they just
> need to be strong enough to resist "second preimage" attacks on
> the certificate or (Postfix 2.9) public key fingerprint.
>
> --
> 	Viktor.
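As an added example that is not part of this thread and not Postfix's own code: the shell functions below compute, with a configurable digest, the two values that Postfix looks up in a check_ccert_access table, the certificate fingerprint (the digest of the whole DER-encoded certificate) and, for Postfix 2.9 and later, the public-key fingerprint (the digest of the DER-encoded SubjectPublicKeyInfo). They assume only the openssl command-line tool (1.0.0 or later for SHA-2) and a POSIX sh; the file names, the CN "client.example", the table action "OK" and the main.cf lines in the comments are assumptions chosen for the illustration. The self-signed certificate is a constructed stand-in for a real client certificate.

```shell
# Added example (not from the thread or the Postfix project): fingerprints for
# Postfix client-certificate access tables, with the digest selectable.
# Assumes the openssl CLI is installed; SHA-2 digests need OpenSSL 1.0.0+.
#
# Matching (assumed) main.cf fragment:
#   smtpd_tls_fingerprint_digest = sha256
#   smtpd_client_restrictions = check_ccert_access hash:/etc/postfix/ccerts, ...
set -eu

# Digest to use. It must be one the local OpenSSL build supports and must be
# the same algorithm named in smtpd_tls_fingerprint_digest.
DIGEST=${DIGEST:-sha256}

# Constructed throwaway self-signed certificate standing in for a client cert.
make_test_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client.example" \
        -keyout "$dir/client.key" -out "$dir/client.pem" >/dev/null 2>&1
}

# Certificate fingerprint: digest of the DER-encoded certificate, in the
# colon-separated uppercase hex form that "openssl x509 -fingerprint" prints.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$DIGEST" | sed 's/^.*=//'
}

# Public-key fingerprint (Postfix 2.9 and later): digest of the DER-encoded
# SubjectPublicKeyInfo. Unlike the certificate fingerprint it survives a
# certificate renewal that keeps the same key pair.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst "-$DIGEST" -c \
        | sed 's/^.*= //' | tr 'abcdef' 'ABCDEF'
}

# The certificate fingerprint computed the long way, to show it is nothing
# more than the digest of the raw DER bytes of the certificate.
cert_fingerprint_from_der() {
    openssl x509 -in "$1" -outform DER \
        | openssl dgst "-$DIGEST" -c \
        | sed 's/^.*= //' | tr 'abcdef' 'ABCDEF'
}

# Emit one access(5) table line keyed on the public-key fingerprint, ready to
# be appended to the table and compiled with "postmap". Action defaults to OK.
access_entry() {
    printf '%s\t%s\n' "$(pubkey_fingerprint "$1")" "${2:-OK}"
}

# Usage: sh fingerprints.sh client.pem
if [ $# -gt 0 ]; then
    echo "cert:   $(cert_fingerprint "$1")"
    echo "pubkey: $(pubkey_fingerprint "$1")"
    access_entry "$1"
fi
```

Both values are 32 bytes for sha256, so each fingerprint is 95 characters of colon-separated hex; the two differ, since one is a digest over the whole certificate and the other over just its public key. Switching DIGEST to sha1 reproduces the older 20-byte form, which is useful when migrating an existing table: regenerate every key with the new digest before changing smtpd_tls_fingerprint_digest, because a key made with one algorithm will never match a lookup made with another.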