also sprach Wietse Venema <wie...@porcupine.org> [2010.08.28.2324 +0200]:
> > Due to some issues we've been having[0], I would like to have a more
> > permanent means of confirmation that everything is in order.
> > Specifically, I would like to see in the logs when a security policy
> > was matched and applied. No matter how high I set
>
> Turn on -v verbose logging.
Indeed, this produces, e.g. in this test case:

postfix/smtp[9743]: global TLS level: may
postfix/smtp[9743]: maps_find: smtp_tls_policy_maps: hash:/etc/postfix/tls_policy(0,lock|fold_fix): madduck.net = secure match=.mx.madduck.net
postfix/smtp[9743]: effective TLS level: secure

but it also produces a *slew* of other information, which drowns the logs.

also sprach Victor Duchovni <victor.ducho...@morganstanley.com> [2010.08.30.1604 +0200]:
> > Due to some issues we've been having[0], I would like to have a more
> > permanent means of confirmation that everything is in order.
> > Specifically, I would like to see in the logs when a security policy
> > was matched and applied. No matter how high I set
>
> The security policy is indirectly logged when certificate matching
> (fingerprint, verify or secure) is required, since the destination
> will be logged as "Verified".
>
> 2010-08-30T09:58:09-04:00 amnesiac postfix/smtp[8804]:
> Verified TLS connection established to
> cluster12.us.messagelabs.com[85.158.136.227]:25:
> TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

This requires smtp_tls_loglevel >= 1, but thanks for the tip!

This showed something curious: My tls_policy maps recipient domains one.com and two.com, both handled by MX a.mx.madduck.net, to "secure match=.mx.madduck.net". Now I just sent something to three.com, which is also handled by a.mx.madduck.net, but it is not listed in the tls_policy maps. Yet, the connection was Trusted:

postfix/smtp[10212]: setting up TLS connection to a.mx.madduck.net[2001:470:9aad::1]:25
postfix/smtp[10212]: Trusted TLS connection established to a.mx.madduck.net[2001:470:9aad::1]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
postfix/smtp[10212]: C0ADEDD6: to=<mar...@three.com>, relay=a.mx.madduck.net[2001:470:9aad::1]:25, delay=8.6, delays=0.09/0/0.52/8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ED507427513)

Why did this happen?
With -v, it says:

postfix/smtp[10676]: global TLS level: may
postfix/smtp[10676]: maps_find: smtp_tls_policy_maps: three.com: not found
postfix/smtp[10676]: maps_find: smtp_tls_policy_maps: .com: not found
postfix/smtp[10676]: effective TLS level: may
[…]
postfix/smtp[10676]: send attr cache_id = smtp:2001:470:9aad::1:25:seamus.madduck.net&p=1&c=ALL:+RC4:@STRENGTH

Has it cached the session? Is this what $smtp_tls_session_cache_database is about?

> > Is it possible to configure postfix to log when it applies
> > a security policy?
>
> The policy can be rather long, perhaps you just want to log the
> resulting security level, or do you want the nexthop lookup key?
> It may be possible to tweak the above log entry, to include the
> desired security level...

I'd love a statement like "selected `secure' security level and verified match=.mx.madduck.net because of nexthop mapping madduck.net" or the like.

> > Is it possible to have postfix add this information to the
> > received header? Would this be something worthwhile?
>
> Received headers are a feature of the Postfix SMTP server, that
> receives mail *from* remote destinations, so clearly the answer
> is: NO.

Of course, that is what "received" implies. Maybe Postfix could thus add a different header? Or is adding headers by the SMTP client a no-go?

-- 
martin | http://madduck.net/ | http://two.sentenc.es/

"the unexamined life is not worth living"
                                              -- platon

spamtraps: madduck.bo...@madduck.net
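An added example, not from this thread or from Postfix itself: a small log post-processor that correlates the -v lines quoted above by smtp(8) process id and emits the one-line "selected level X because of Y" statement asked for, flagging deliveries where the effective level is not one of the enforcing levels (fingerprint, verify, secure) so that a "Trusted" connection at level "may" is not mistaken for an enforced match. The sample log is constructed from the quoted lines; the "Verified" line for pid 9743 is made up to complete that record.

```python
import re
# Constructed sample, modelled on the smtp -v lines quoted in the thread; the
# "Verified" line for pid 9743 is made up to complete that delivery's record.
SAMPLE_LOG = """\
postfix/smtp[9743]: global TLS level: may
postfix/smtp[9743]: maps_find: smtp_tls_policy_maps: hash:/etc/postfix/tls_policy(0,lock|fold_fix): madduck.net = secure match=.mx.madduck.net
postfix/smtp[9743]: effective TLS level: secure
postfix/smtp[9743]: Verified TLS connection established to a.mx.madduck.net[2001:470:9aad::1]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
postfix/smtp[10676]: global TLS level: may
postfix/smtp[10676]: maps_find: smtp_tls_policy_maps: three.com: not found
postfix/smtp[10676]: maps_find: smtp_tls_policy_maps: .com: not found
postfix/smtp[10676]: effective TLS level: may
postfix/smtp[10676]: Trusted TLS connection established to a.mx.madduck.net[2001:470:9aad::1]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

PID_RE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
HIT_RE = re.compile(r"maps_find: smtp_tls_policy_maps: \S+: (\S+) = (\S+)(?: (.+))?$")
MISS_RE = re.compile(r"maps_find: smtp_tls_policy_maps: (\S+): not found$")
LEVEL_RE = re.compile(r"(global|effective) TLS level: (\S+)$")
CONN_RE = re.compile(r"(Verified|Trusted|Untrusted|Anonymous) TLS connection established to (\S+):")
ENFORCING = {"fingerprint", "verify", "secure"}  # levels that require a certificate match

def summarize(log_text):
    """Collapse -v output into one record per smtp(8) process, keyed by pid."""
    recs = {}
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        r = recs.setdefault(pid, {"pid": pid, "misses": [], "hit": None})
        if (h := HIT_RE.match(msg)):               # policy map entry that matched
            key, level, params = h.groups()
            r["hit"] = f"{key} = {level}" + (f" {params}" if params else "")
        elif (mm := MISS_RE.match(msg)):           # lookup keys tried and not found
            r["misses"].append(mm.group(1))
        elif (lv := LEVEL_RE.match(msg)):          # global / effective TLS level
            r[lv.group(1)] = lv.group(2)
        elif (c := CONN_RE.match(msg)):            # trust verdict for the connection
            r["trust"], r["peer"] = c.groups()
    for r in recs.values():
        lvl = r.get("effective", "?")
        r["enforced"] = lvl in ENFORCING
        why = (f"policy map entry {r['hit']}" if r["hit"] else
               f"no policy map entry for {', '.join(r['misses'])}, global level {r.get('global', '?')}")
        r["summary"] = (f"smtp[{r['pid']}]: selected `{lvl}' level because of {why}; "
                        f"connection to {r.get('peer', '?')} logged as {r.get('trust', 'none')}"
                        + ("" if r["enforced"] else " (opportunistic, peer identity not enforced)"))
    return list(recs.values())
```

Feed it the syslog lines with `summarize(open(path).read())` and print each record's `summary`; the `enforced` field is the one to alert on when a destination that should be in the policy map comes back `False`.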