On 02.10.2014 at 13:48, Per Thorsheim wrote:
> Mozilla and others have reported on old web clients that don't support
> the use of new SHA-256 signed SSL certificates on websites. In a recent
> thread at Mozilla
> https://bugzilla.mozilla.org/show_bug.cgi?id=1064387#c6, there's a
> reference to Qualys:
>
> "At this time, a site could use two certificates: ECDSA+SHA256 for
> modern clients and RSA+SHA1 for older clients."
> https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
> A feature supported by Apache at least.
>
> Is this something Postfix can do as well for STARTTLS support?
>
> Eventually any other ideas or experiences with using SHA-256
> certificates that have caused problems for STARTTLS, or e.g. appliances
> that don't support it?
The experience with an RSA4096/SHA256 certificate over the last month is no complaints at all from 1500 mail users. If the TLS handshake fails, the client should fall back to plain, and in the case of 10-year-old unmaintained clients I make for sure no compromises to give them some sort of encryption and weaken it for the rest of the world.
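As an added note, not part of either message above: Postfix can serve two certificates at once the way the Qualys post describes. Besides the RSA certificate in smtpd_tls_cert_file/smtpd_tls_key_file, an ECDSA certificate can be configured in smtpd_tls_eccert_file/smtpd_tls_eckey_file (both parameters exist since Postfix 2.6), and OpenSSL picks the certificate that matches the cipher suite the client negotiates, so a client offering ECDHE-ECDSA suites gets the SHA-256 ECDSA chain and an older RSA-only client gets the SHA-1 RSA chain. The file paths below are assumptions for illustration, not from the thread or the Postfix documentation:

```conf
# main.cf fragment (added example; file paths are assumptions)
smtpd_tls_security_level = may

# RSA chain, SHA-1 signed, presented to clients that only offer RSA suites
smtpd_tls_cert_file = /etc/postfix/tls/rsa-sha1.pem
smtpd_tls_key_file  = /etc/postfix/tls/rsa.key

# ECDSA chain, SHA-256 signed, presented to clients offering ECDHE-ECDSA suites
smtpd_tls_eccert_file = /etc/postfix/tls/ecdsa-sha256.pem
smtpd_tls_eckey_file  = /etc/postfix/tls/ecdsa.key
```

To confirm which chain a given client profile receives, run `openssl s_client -starttls smtp -connect mx.example.com:25 -cipher 'aECDSA'` and again with `-cipher 'aRSA'` (replace mx.example.com with your own host) and compare the Subject/Issuer and signature algorithm printed for the server certificate; on OpenSSL 1.1.1 or later add `-tls1_2` so that the -cipher restriction governs certificate selection. The caveat that applies to the same trick on web servers applies here too: the SHA-1 RSA chain is still the one a downgraded or legacy client ends up trusting, so the dual-certificate setup buys time for old clients rather than removing SHA-1 from the deployment.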