On Mon, Aug 30, 2010 at 09:42:29PM +0200, martin f krafft wrote:

> also sprach Victor Duchovni <victor.ducho...@morganstanley.com> [2010.08.30.1604 +0200]:
> > > Due to some issues we've been having[0], I would like to have a more
> > > permanent means of confirmation that everything is in order.
> > > Specifically, I would like to see in the logs when a security policy
> > > was matched and applied. No matter how high I set
> >
> > The security policy is indirectly logged when certificate matching
> > (fingerprint, verify or secure) is required, since the destination
> > will be logged as "Verified".
> >
> > 2010-08-30T09:58:09-04:00 amnesiac postfix/smtp[8804]:
> > Verified TLS connection established to
> > cluster12.us.messagelabs.com[85.158.136.227]:25:
> > TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>
> This requires smtp_tls_loglevel >= 1, but thanks for the tip!
>
> This showed something curious:
>
> My tls_policy maps recipient domains one.com and two.com, both handled by MX
> a.mx.madduck.net, to "secure match=.mx.madduck.net".
>
> Now I just sent something to three.com, which is also handled by
> a.mx.madduck.net, but it is not listed in the tls_policy maps. Yet,
> the connection was Trusted:
Exactly as promised. Trusted != Verified. Trusted just means that the peer
certificate signature is valid, but no actual validation of the peername took
place.

-- 
	Viktor.
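The check martin was after can be scripted from exactly these log lines. What follows is an added example, not code from this thread and not part of Postfix: it parses the "<level> TLS connection established to ..." lines that postfix/smtp writes at smtp_tls_loglevel >= 1, flags sessions to hosts covered by a "secure match=" entry whose level is anything other than "Verified", and attaches each delivery's recipient domain to the trust level of the TLS session the same smtp process logged just before it. The sample log is constructed: the messagelabs line is the one quoted above, the others are made up with RFC 5737 addresses and invented queue IDs. Two assumptions are labelled in the code: that a leading-dot pattern means "any host under that domain" (an approximation of the match= entry quoted above, not Postfix's full matching rules), and that correlating a delivery line with the preceding TLS line by pid is a heuristic, since the TLS line itself carries no queue ID.

```python
import re

# Line postfix/smtp logs once a TLS session is up (needs smtp_tls_loglevel >= 1).
# The first word is the trust level: Anonymous, Untrusted, Trusted or Verified.
TLS_LINE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Per-recipient delivery record written by the same smtp process afterwards.
DELIVERY_LINE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^\[\s]+)\["
)

# Constructed sample log. First line is the one quoted in the thread; the rest are
# invented (documentation IPs, made-up queue IDs) to reproduce the one.com / three.com case.
SAMPLE_LOG = """\
2010-08-30T09:58:09-04:00 amnesiac postfix/smtp[8804]: Verified TLS connection established to cluster12.us.messagelabs.com[85.158.136.227]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
2010-08-30T10:01:12-04:00 amnesiac postfix/smtp[8811]: Verified TLS connection established to a.mx.madduck.net[192.0.2.10]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
2010-08-30T10:01:13-04:00 amnesiac postfix/smtp[8811]: 3F1C2A9B01: to=<alice@one.com>, relay=a.mx.madduck.net[192.0.2.10]:25, delay=0.9, delays=0.3/0/0.4/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
2010-08-30T10:02:40-04:00 amnesiac postfix/smtp[8813]: Trusted TLS connection established to a.mx.madduck.net[192.0.2.10]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
2010-08-30T10:02:41-04:00 amnesiac postfix/smtp[8813]: 4B0D7E8C02: to=<carol@three.com>, relay=a.mx.madduck.net[192.0.2.10]:25, delay=1.1, delays=0.2/0/0.6/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok)
2010-08-30T10:03:05-04:00 amnesiac postfix/smtp[8815]: Untrusted TLS connection established to mail.example.net[198.51.100.7]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
2010-08-30T10:03:06-04:00 amnesiac postfix/smtp[8815]: 5C1E9F0D03: to=<bob@example.net>, relay=mail.example.net[198.51.100.7]:25, delay=1.2, delays=0.1/0/0.9/0.2, dsn=2.0.0, status=sent (250 OK)
"""


def parse_tls_sessions(log_text):
    """One dict per 'TLS connection established' line; every other line is ignored."""
    sessions = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["port"] = int(rec["port"])
            sessions.append(rec)
    return sessions


def name_matches(host, pattern):
    """Assumed pattern semantics: a leading dot (".mx.madduck.net") covers any host
    under that domain, anything else is an exact name. This mirrors the match= entry
    from the thread, not the complete Postfix matching rules."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern


def unverified_to_secure_hosts(sessions, required_patterns):
    """Sessions to hosts a 'secure match=' policy is meant to cover that were NOT
    logged as Verified. 'Trusted' here means the chain checked out but no name
    was matched, exactly the case in the thread."""
    return [
        s for s in sessions
        if s["level"] != "Verified"
        and any(name_matches(s["host"], p) for p in required_patterns)
    ]


def deliveries_with_trust_level(log_text):
    """(recipient domain, relay, trust level) per delivery. Heuristic: the trust level
    is taken from the most recent TLS line logged by the same smtp pid, because the
    TLS line itself has no queue ID. 'unknown' means no TLS line preceded it."""
    last_level = {}
    result = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            last_level[int(m["pid"])] = m["level"]
            continue
        d = DELIVERY_LINE.search(line)
        if d:
            domain = d["rcpt"].rsplit("@", 1)[-1].lower()
            result.append((domain, d["relay"], last_level.get(int(d["pid"]), "unknown")))
    return result


if __name__ == "__main__":
    sessions = parse_tls_sessions(SAMPLE_LOG)
    for s in unverified_to_secure_hosts(sessions, [".mx.madduck.net"]):
        print(f"NOT verified: pid={s['pid']} {s['host']}[{s['ip']}] level={s['level']}")
    for domain, relay, level in deliveries_with_trust_level(SAMPLE_LOG):
        print(f"{domain:<14} via {relay:<30} {level}")
```

Run against the sample, the session-level check reports only pid 8813 (Trusted to a.mx.madduck.net), and the per-delivery view shows one.com going out Verified while three.com, absent from the policy map, went out merely Trusted over the same MX. Feeding a real mail log through it with the patterns from your own tls_policy map gives the running confirmation asked for above.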