On 14/11/23 10:56, Joerg Sonnenberger wrote:
NIST has been sunsetting SHA1 for a long time, 2016 in fact. In many cases, there is a better trust chain for Comodo intermediary certificates and admins should be installing those.
I'm not sure that's what Comodo has, even though it is the normal way of doing things.
I found a Comodo web page that said SHA1 will be fine, so don't worry, and if you are worried, you can buy a different certificate. That same web page's link to their intermediate certificates is a dead link. Comodo does not fill me with confidence.
I'm going to guess that the default @SECLEVEL of openssl needs to be adjusted if there is no Postfix-specific way to adjust it. Apparently you can set the environment variable OPENSSL_CONF to run with a custom openssl configuration, which can avoid reducing the security level of the rest of your system. Searching for "openssl @SECLEVEL" gave me the usual levels of StackExchange clarity, so ymmv.
Cheers, Lloyd
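As an added illustration (not part of the thread), this is what the per-process OPENSSL_CONF approach mentioned above looks like as a minimal openssl.cnf. The file path and the chosen level are assumptions. Which security level starts rejecting SHA-1 certificate signatures depends on the installed OpenSSL version (3.0 tightened it compared with 1.1.1), so check SSL_CTX_set_security_level(3) for your version rather than guessing.

```ini
# /etc/postfix/openssl-legacy.cnf  (assumed path). Point OPENSSL_CONF at this
# file only for the daemon that needs the relaxed policy; the system-wide
# /etc/ssl/openssl.cnf keeps its own, stricter, level.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Security level is set per process here. Use the highest level that still
# lets the SHA-1-signed chain validate, and keep TLS 1.2 as the floor so the
# change is limited to the signature/strength policy, not the protocol.
CipherString = DEFAULT:@SECLEVEL=1
MinProtocol = TLSv1.2
```

Before changing the service, confirm the chain verifies under the relaxed level with `OPENSSL_CONF=/etc/postfix/openssl-legacy.cnf openssl s_client -starttls smtp -connect host:port` (host:port is a placeholder). Note that Postfix daemons only receive environment variables listed in main.cf's import_environment, so the variable has to be allowed through there to reach smtp(8). Treat the override as temporary and remove it once the remote side installs a SHA-256-signed intermediate.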