http://bugzilla.opensuse.org/show_bug.cgi?id=1088406 http://bugzilla.opensuse.org/show_bug.cgi?id=1088406#c2 --- Comment #2 from Joe Morris --- I've figured out, by testing, that this was causing an issue almost 1 1/2 years ago where my postfix smtp client could not connect to my smarthost via tls because it was rejecting the md5 signed certificate. I changed the default_md to sha512, and also the default_bits from 1024 to 4096. I can now set POSTFIX_SMTP_TLS_CLIENT to must, which sets smtp_use_tls=yes and smtp_enforce_tls=yes, which I could not set with the former certificate. So it affects both smtp and smtpd. config.postfix still works well, but changes need to be made to openssl_postfix.conf.in. From my research, default_md of sha512 is as high as openssl 1.2 will go, openssl list --digest-commands blake2b512 blake2s256 gost md4 md5 mdc2 rmd160 sha1 sha224 sha256 sha384 sha512 though setting it to default uses the openssl default, which currently is sha256. I set default bits to 4096 just to increase the security, and the new certificate is working very well. Even Outlook will now offer and allow the new certificate to be permanently stored in the Trusted Root Certificate Store, which would not work before. I think this very minor change (in changes) produces a more secure and functional postfix out of the box. Not sure what would be the best changes (i.e. setting default_md to sha256, or sha512, or default, so it uses the default with whatever openssl version is installed), and the default_bits setting, so I could provide a patch, but the changes are minimal (but the results for me are huge). -- You are receiving this mail because: You are on the CC list for the bug.