Fix Postfix TLS in FIPS mode by switching the fingerprint digest from MD5 to SHA-256


By default (in Postfix versions before 3.6, or with a compatibility_level below 3.6), Postfix uses MD5 as the digest for TLS certificate and public-key fingerprints, kept for backward compatibility. In FIPS mode the MD5 algorithm is not available in the crypto library, so Postfix cannot compute these fingerprints and TLS may not work properly with the default configuration. The fix is to change the fingerprint digest to SHA-256 in the Postfix configuration. This digest is only used locally, for matching and logging fingerprints of the peer's certificate; it is not negotiated with the remote side, so the change does not affect which peers can connect.

As root, run the following commands to switch both the Postfix SMTP client and the SMTP server from the default MD5 digest to SHA-256. Any fingerprints already stored in lookup tables (for example for the fingerprint TLS security level or check_ccert_access) were computed with MD5 and must be regenerated with SHA-256 after the change:

# postconf -e smtp_tls_fingerprint_digest=sha256
# postconf -e smtpd_tls_fingerprint_digest=sha256
# systemctl restart postfix
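The following audit script is an added example, not part of the original article: it scans postconf-style "name = value" output for fingerprint-digest parameters still set to md5, prints the exact postconf -e commands that would remedy them, and (only when APPLY=1 is set) applies them and restarts Postfix. It goes slightly beyond the article by also covering lmtp_tls_fingerprint_digest, which the LMTP client uses in the same way. SAMPLE_POSTCONF is a constructed sample of a pre-fix host and the function names are this example's own.

```shell
#!/bin/sh
# Audit Postfix TLS fingerprint digests for FIPS compatibility and print the fix.
# Added example, not from the original article; only postconf output is consumed.

# Constructed sample of `postconf` output from a hypothetical host before the fix
SAMPLE_POSTCONF='smtp_tls_fingerprint_digest = md5
smtpd_tls_fingerprint_digest = md5
smtp_tls_security_level = may
smtpd_tls_security_level = may'

# Read "name = value" lines on stdin; print the names of fingerprint-digest
# parameters still set to md5. Covers the lmtp_ client as well as smtp/smtpd.
find_md5_fingerprint_digests() {
    awk -F' = ' '
        $1 ~ /^(smtp|smtpd|lmtp)_tls_fingerprint_digest$/ && tolower($2) == "md5" { print $1 }
    '
}

# Turn the audit result into the exact `postconf -e` commands to run (dry run).
remediation_commands() {
    find_md5_fingerprint_digests | sed 's/^/postconf -e /; s/$/=sha256/'
}

# True when the kernel reports FIPS mode (Linux only; a missing file means "no").
fips_enabled() {
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}

# Audit the live Postfix on this host. Plain `postconf` prints every parameter,
# defaults included, so an unset md5 default is caught as well as an explicit
# one. The fix is applied only when APPLY=1; otherwise it is printed.
# Return codes: 0 nothing to do, 1 md5 found (dry run), 2 postconf missing.
audit_live_postfix() {
    command -v postconf >/dev/null 2>&1 || { echo "postconf not found" >&2; return 2; }
    cmds=$(postconf 2>/dev/null | remediation_commands)
    [ -n "$cmds" ] || { echo "fingerprint digests already non-md5"; return 0; }
    if fips_enabled; then
        echo "FIPS mode is on: md5 fingerprints will break TLS" >&2
    fi
    if [ "${APPLY:-0}" = "1" ]; then
        echo "$cmds" | sh -e && systemctl restart postfix
    else
        echo "would run:"
        echo "$cmds"
        return 1
    fi
}

# Demo on the constructed sample (no postconf needed):
echo "$SAMPLE_POSTCONF" | remediation_commands
```

On a real host, run `audit_live_postfix` first without APPLY to review the commands, then `APPLY=1 audit_live_postfix` as root. Regenerate any stored certificate fingerprints afterwards, since tables built with MD5 fingerprints will no longer match.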


Excellent information, thank you. It worked like a charm!

One question that is not quite clear to me: the article says that both client and server need this modification. What if the client is a different system that may not even know FIPS mode? Will older clients without FIPS (and possibly without sha256) still be able to talk to such a FIPS/sha256 server?