Fix postfix TLS in the FIPS mode by switching to SHA-256 instead of MD5

By default, postfix uses MD5 hashes with the TLS for backward compatibility. But in the FIPS mode, the MD5 hashing function is not available, which may cause TLS not to work properly in the default postfix configuration. Hence, the default hashing function needs to be changed to SHA-256 in the postfix configuration file.

As root run the following commands to switch postfix from the default MD5 hashing function to SHA-256 in booth client and server:

# postconf -e smtp_tls_fingerprint_digest=sha256
# postconf -e smtpd_tls_fingerprint_digest=sha256
# systemctl restart postfix

1 Comments

KK Active Contributor 242 points

27 April 2023 12:47 AM

Kevin Keane

Excellent information, thank you. It worked like a charm!

One question that is not quite clear to me: the article says that both client and server need this modification. What if the client is a different system that may not even know FIPS mode? Will older clients without FIPS (and possibly without sha256) still be able to talk to such a FIPS/sha256 server?

Here are the common uses of Markdown.

Code blocks

~~~
Code surrounded in tildes is easier to read
~~~

Links/URLs

[Red Hat Customer Portal](https://access.redhat.com)

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Fix postfix TLS in the FIPS mode by switching to SHA-256 instead of MD5

1 Comments