On Sat, Aug 28, 2010 at 07:02:48PM +0200, martin f krafft wrote:

> We are using $smtp_tls_policy_maps, in addition to

This is a feature of the Postfix SMTP *client*, which sends mail to
remote sites.

> Due to some issues we've been having[0], I would like to have a more
> permanent means of confirmation that everything is in order.
> Specifically, I would like to see in the logs when a security policy
> was matched and applied. No matter how high I set

The security policy is indirectly logged when certificate matching
(fingerprint, verify or secure) is required, since the destination
will be logged as "Verified".

    2010-08-30T09:58:09-04:00 amnesiac postfix/smtp[8804]:
        Verified TLS connection established to
        cluster12.us.messagelabs.com[85.158.136.227]:25:
        TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

while for destinations with opportunistic TLS or mandatory encryption
without authentication, you see:

    2010-08-30T09:59:04-04:00 amnesiac postfix-out/smtp[8758]:
        Trusted TLS connection established to
        cluster8.us.messagelabs.com[216.82.241.83]:25:
        TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

> Is it possible to configure postfix to log when it applies
> a security policy?

The policy can be rather long; perhaps you just want to
log the resulting security level, or do you want the nexthop
lookup key? It may be possible to tweak the above log entry
to include the desired security level...

> Is it possible to have postfix add this information to the received
> header? Would this be something worthwhile?

Received headers are a feature of the Postfix SMTP server, which
receives mail *from* remote destinations, so clearly the answer
is: NO.

-- 
        Viktor.
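An added example, not part of Viktor's message or of Postfix itself: a small Python checker that parses the two kinds of SMTP client log line shown above and flags deliveries for which an authenticating policy level (fingerprint, verify, secure) was expected but the log says anything other than "Verified". The suffix-keyed expectation map, the AUTHENTICATING_LEVELS set and the third (Untrusted) log line are constructed assumptions; the real smtp_tls_policy_maps is keyed by nexthop, not by the MX hostname that appears in the log.

```python
import re
from collections import namedtuple

# Postfix SMTP *client* "TLS connection established" line as quoted in the
# message above (the wrapping there is cosmetic; syslog emits one line).
TLS_LINE = re.compile(
    r"postfix(?:-\w+)?/smtp\[\d+\]: "
    r"(?P<trust>Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

TlsEvent = namedtuple("TlsEvent", "trust host addr proto cipher bits")

def parse_tls_line(line):
    """Return a TlsEvent for a matching log line, None for anything else."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    return TlsEvent(m["trust"], m["host"], m["addr"], m["proto"], m["cipher"], int(m["bits"]))

# Policy levels that require certificate matching and therefore log "Verified";
# encrypt/may deliveries log Trusted, Untrusted or Anonymous, all acceptable.
AUTHENTICATING_LEVELS = {"fingerprint", "verify", "secure"}

def check_policy(lines, expected_levels):
    """Flag deliveries where an authenticating level was expected but the log
    shows a weaker trust level, i.e. the policy entry was not applied.
    expected_levels maps an MX hostname suffix to the expected level (a
    constructed stand-in: smtp_tls_policy_maps is really keyed by nexthop)."""
    findings = []
    for line in lines:
        ev = parse_tls_line(line)
        if ev is None:
            continue
        for suffix, level in expected_levels.items():
            if ev.host.endswith(suffix) and level in AUTHENTICATING_LEVELS and ev.trust != "Verified":
                findings.append((ev.host, level, ev.trust))
    return findings

# Constructed sample log: the two entries from the message on single lines,
# plus one made-up Untrusted delivery to a documentation domain.
SAMPLE_LOG = [
    "2010-08-30T09:58:09-04:00 amnesiac postfix/smtp[8804]: Verified TLS connection established to "
    "cluster12.us.messagelabs.com[85.158.136.227]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "2010-08-30T09:59:04-04:00 amnesiac postfix-out/smtp[8758]: Trusted TLS connection established to "
    "cluster8.us.messagelabs.com[216.82.241.83]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "2010-08-30T10:01:17-04:00 amnesiac postfix/smtp[8811]: Untrusted TLS connection established to "
    "mx.example.net[192.0.2.10]:25: TLSv1 with cipher AES128-SHA (128/128 bits)",
]
# Constructed expectation: every messagelabs.com MX should have been "secure".
EXPECTED = {"messagelabs.com": "secure", "example.net": "may"}
```

Running check_policy(SAMPLE_LOG, EXPECTED) reports only the cluster8 delivery, which was "Trusted" where the "secure" entry should have produced "Verified".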
