Hello guys,

This is my first email on the list, so I hope it doesn't break any rule :)

I've been playing around with my postfix logs to evaluate the percentage
of MTAs that are using STARTTLS when sending me emails.

The result is pretty interesting, because some MTAs are using TLS, but not
all the time. It appears that the MTA will start the TLS connection once in
a while, and the rest of the time it won't (the opposite works too ;) ).

I suppose it's just me who is not understanding something properly...
sorry for the noise, but if somebody could explain :)


Here is an example with a mailing list server:

First log:
------
Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: initializing the server-side TLS engine
Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: connect from <MAILING_LIST_MTA>[1.2.3.4]
------

We clearly see the initialization of the TLS connection. But the day
before, the log was different:

------
Aug 21 12:05:37 zerhuel cyrus/imaps[10051]: open: user XXXXXX opened INBOX
Aug 21 12:05:41 zerhuel postfix/smtpd[10055]: connect from <MAILING_LIST_MTA>[1.2.3.4]
Aug 21 12:05:41 zerhuel postgrey[3113]: action=pass, reason=triplet found, client_name=<MAILING_LIST_MTA>, client_address=1.2.3.4, sender=<MAILINGLIST>+bounces-3062-julien=linuxwall.info@<MAILINGLIST>.org, recipient=jul...@linuxwall.info
------

No TLS initialization here. And I don't think this is a TLS cache issue,
because at some other times, I see very close connections that both perform
the TLS initialization:

First one:
-----
Aug 21 06:18:03 zerhuel postfix/smtpd[26217]: initializing the server-side TLS engine
Aug 21 06:18:04 zerhuel postfix/smtpd[26217]: connect from <MAILING_LIST_MTA>[1.2.3.4]
-----

Second one:
-----
Aug 21 06:23:51 zerhuel postfix/smtpd[26478]: initializing the server-side TLS engine
Aug 21 06:23:51 zerhuel postfix/smtpd[26478]: connect from <MAILING_LIST_MTA>[1.2.3.4]
-----

I see this behavior in at least 30 MTAs in my logs (within a week), out of
a total of about 220.


I run a pretty small infrastructure with two servers running Postfix
2.5.5-1.1 on Debian Lenny.
My SMTPD TLS configuration is:

------
smtpd_tls_CAfile = <xxxxx>
smtpd_tls_CApath = 
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = <xxxxx>
smtpd_tls_dcert_file = 
smtpd_tls_dh1024_param_file = 
smtpd_tls_dh512_param_file = 
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers = 
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = <xxxxx>
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = 
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:<xxxxx>
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
------


Any idea what this is due to?


Best,
Julien

-- 
http://jve.linuxwall.info/blog
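
Added example, not part of the original message: one way to measure per-client STARTTLS usage from smtpd logs by pairing each "connect from" with a later "TLS connection established from" line under the same smtpd PID. It ignores "initializing the server-side TLS engine", which Postfix writes when an smtpd process starts rather than once per connection. The sample log, the example.org/example.net hosts and the function names are constructed for illustration, and the handshake line is assumed to be logged (smtpd_tls_loglevel of 1 or higher).

```python
import re
from collections import defaultdict

# Constructed sample log (placeholder hosts and addresses, not from the message above).
SAMPLE_LOG = """\
Aug 21 06:18:03 mx postfix/smtpd[26217]: initializing the server-side TLS engine
Aug 21 06:18:04 mx postfix/smtpd[26217]: connect from lists.example.org[192.0.2.10]
Aug 21 06:18:05 mx postfix/smtpd[26217]: TLS connection established from lists.example.org[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 21 06:18:06 mx postfix/smtpd[26217]: disconnect from lists.example.org[192.0.2.10]
Aug 21 06:23:51 mx postfix/smtpd[26217]: connect from lists.example.org[192.0.2.10]
Aug 21 06:23:52 mx postfix/smtpd[26217]: disconnect from lists.example.org[192.0.2.10]
Aug 21 07:00:00 mx postfix/smtpd[26300]: connect from mail.example.net[198.51.100.7]
"""

# Assumption: a completed handshake is logged with this text (needs TLS logging enabled).
SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
CONNECT = re.compile(r"connect from (\S+\[[^\]]+\])")
TLS_UP = "TLS connection established from "

def tls_usage(lines):
    """Return {client: [sessions, tls_sessions]}, pairing events by smtpd PID."""
    stats = defaultdict(lambda: [0, 0])
    open_sessions = {}                      # pid -> [client, tls_seen]
    def close(pid):
        client, tls_seen = open_sessions.pop(pid)
        stats[client][0] += 1
        stats[client][1] += int(tls_seen)

    for line in lines:
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        c = CONNECT.match(msg)
        if c:
            if pid in open_sessions:        # earlier disconnect line missing
                close(pid)
            open_sessions[pid] = [c.group(1), False]
        elif TLS_UP in msg and pid in open_sessions:
            open_sessions[pid][1] = True
        elif msg.startswith("disconnect from ") and pid in open_sessions:
            close(pid)
    for pid in list(open_sessions):         # log ended mid-session
        close(pid)
    return dict(stats)

def classify(stats):
    """Label each client as always / never / mixed TLS."""
    return {c: "always" if t == n else "never" if t == 0 else "mixed"
            for c, (n, t) in stats.items()}
```

Calling `classify(tls_usage(open("/var/log/mail.log")))` on a real log lists which clients negotiate TLS in only some sessions; the log path is an assumption and varies by system.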

