openssl3+postfix issue (ca md too weak)

[Manuel Bouyer <bouyer%antioche.eu.org@localhost>]

Hello
I'm facing an issue with postfix+openssl3 which may be critical (depending
on how it can be fixed).

Now my postfix setup fails to send mails with
Nov 13 20:20:53 comore postfix/smtp[6449]: warning: TLS library problem: error:0A00018E:SSL routines::ca md too weak:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c:984:

From what I understood, this is the remote certificate which is not accepted:
openssl 3 deprecated some signature algorithm, which are no longer accepted
with @SECLEVEL=1 (which is the default).
In server's certificate chain all but the last one are signed with
sha384WithRSAEncryption (which should be OK). The last one (the root
certificate) is signed with RSA-SHA1 and I don't think this will change
soon:
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = A
 AA Certificate Services
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = A
 AA Certificate Services
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan  1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT

So, as far as I understand, we end up with a postfix installation which
can't talk to servers with valid certificates.

The solution (from google) would be to force @SECLEVEL=0 but I didn't find
a way to do this for postfix. The solutions I've seen were for openvpn or
curl, but nothing about postfix :(

Any idea ?

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--