<p> The default algorithm is <b>md5</b>; this is consistent with
the backwards compatible setting of the digest used to verify client
-certificates in the SMTP server. </p>
+certificates in the SMTP server. Any other digest algorithm supported
+by your OpenSSL library (and enabled via OpenSSL_add_ssl_algorithms())
+may be used instead. See the manpage for the OpenSSL "dgst" command for
+the list of implemented algorithms. </p>
-<p> The best practice algorithm is now <b>sha1</b>. Recent advances in hash
-function cryptanalysis have led to md5 being deprecated in favor of sha1.
-However, as long as there are no known "second pre-image" attacks
-against md5, its use in this context can still be considered safe.
-</p>
-
-<p> While additional digest algorithms are often available with OpenSSL's
-libcrypto, only those used by libssl in SSL cipher suites are available to
-Postfix. For now this means just md5 or sha1. </p>
+<p> Advances in hash function cryptanalysis have led to MD5 being
+deprecated in favor of SHA1 and more recently SHA2 (i.e. SHA224, SHA256,
+SHA384 and SHA512). However, as long as there are no known "second
+pre-image" attacks against MD5, its use in this context can still be
+considered safe. </p>
<p> To find the fingerprint of a specific certificate file, with a
specific digest algorithm, run:
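Review bot: The replacement paragraph ("Advances in hash function cryptanalysis have led to MD5 being deprecated in favor of SHA1 and more recently SHA2 ...") drops the one explicit recommendation the removed text carried ("The best practice algorithm is now sha1") and substitutes a list of what OpenSSL happens to implement, so the reader is left with a deprecated default and no stated choice; suggest adding a sentence naming a recommended value, e.g. "The best practice algorithm is now sha256." The retained "second pre-image" justification for keeping md5 should also be qualified: it only holds when nobody who could impersonate the peer had any influence over the contents of the certificate whose fingerprint was recorded, since an attacker who can shape a certificate request before it is signed needs only a collision, not a second pre-image, and collisions for MD5 are known. A short caveat to that effect, or simply steering users to a SHA2 digest, would make the paragraph safer.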
%PARAM smtpd_tls_fingerprint_digest md5
<p> The message digest algorithm to construct remote SMTP
-client-certificate
-fingerprints or public key fingerprints (Postfix 2.9 and later)
-for <b>check_ccert_access</b> and <b>permit_tls_clientcerts</b>. The
-default algorithm is <b>md5</b>, for backwards compatibility with Postfix
-releases prior to 2.5. </p>
-
-<p> Advances in hash
-function cryptanalysis have led to md5 being deprecated in favor of sha1.
-However, as long as there are no known "second pre-image" attacks
-against md5, its use in this context can still be considered safe.
-</p>
-
-<p> While additional digest algorithms are often available with OpenSSL's
-libcrypto, only those used by libssl in SSL cipher suites are available to
-Postfix. </p>
+client-certificate fingerprints or public key fingerprints
+(Postfix 2.9 and later) for <b>check_ccert_access</b> and
+<b>permit_tls_clientcerts</b>. The default algorithm is <b>md5</b>,
+for backwards compatibility with Postfix releases prior to 2.5. </p>
+
+<p> Any other digest algorithm supported by your OpenSSL library (and
+enabled via OpenSSL_add_ssl_algorithms()) may be used instead. See
+the manpage for the OpenSSL "dgst" command for the list of implemented
+algorithms. </p>
+
+<p> Advances in hash function cryptanalysis have led to MD5 being
+deprecated in favor of SHA1 and more recently SHA2 (i.e. SHA224, SHA256,
+SHA384 and SHA512). However, as long as there are no known "second
+pre-image" attacks against MD5, its use in this context can still be
+considered safe. </p>
<p> To find the fingerprint of a specific certificate file, with a
specific digest algorithm, run: </p>
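Review bot: The smtpd_tls_fingerprint_digest description now repeats the smtp_tls_fingerprint_digest text nearly verbatim, from "Any other digest algorithm supported by your OpenSSL library (and" through "considered safe. </p>", which doubles the maintenance burden for a passage that will need further edits as MD5 guidance evolves; consider keeping the algorithm-availability and cryptanalysis discussion under one parameter and cross-referencing it from the other. Since the fingerprints listed in <b>check_ccert_access</b> tables are computed with this digest, the description should also state that changing the value invalidates existing table entries until they are regenerated with the new algorithm, and, as on the client-side parameter, a sentence naming a recommended non-MD5 value (e.g. sha256) would stop the "still be considered safe" wording from reading as an endorsement of the default.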