On Wed, Feb 04, 2015 at 10:34:47AM +0100, Tobias Reckhard wrote:
> It's postfix-2.8.5 or, to be more precise, postfix-2.8.5-2~build0.10.04,
> and, as you assume, linked OpenSSL 0.9.8. I guess I'll have to relax the
> TLS policy for this domain until we can upgrade the system.
If security to that site is important, you could use "fingerprint"
by verifying their cert chain off-line and configuring static
fingerprints on your side. But, this would have to be a short-term
measure giving you time to upgrade to a more capable Postfix. The
static fingerprints would have to be changed in sync any future update
of their leaf certificates by the peer.
--
Viktor.
