On Mon, Oct 18, 2010 at 02:24:06PM -0700, Yang Zhang wrote:

> According to the docs [1, 2], "smtp_tls_note_starttls_offer=yes"
> should log when a server offers STARTTLS.

Yes, when TLS is offered, but not used, because you have not enabled
opportunistic TLS, or when an opportunistic handshake fails and is
re-tried in plaintext.

    /*
     * Optionally log unused STARTTLS opportunities.
     */
    if ((session->features & SMTP_FEATURE_STARTTLS)
        && var_smtp_tls_note_starttls_offer
        && session->tls_level <= TLS_LEV_NONE)
        msg_info("Host offered STARTTLS: [%s]", session->host);

If you have "smtp_tls_security_level = may" or stronger, this
configuration parameter is not terribly useful.

> However, I've been testing
> among my own SMTP servers, and while I can verify that TLS is being
> used (with "smtpd_tls_loglevel=1" on the smtpd side), I can't tell
> what TLS capabilities the smtp (client) is seeing. I'm using Postfix
> 2.7.0.

Don't know what TLS capabilities you have in mind, but "note_tls_offer"
feature is a binary switch to log a missed opportunity to use "STARTTLS",
nothing more.

--
    Viktor.
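
Added example, not part of the original message and not Postfix code: a small log scan that tallies the "Host offered STARTTLS: [host]" lines produced by the msg_info() call quoted above, so you can see which destinations are being delivered to in plaintext although they offer TLS. The syslog prefix layout and all sample lines (hosts, PIDs, queue IDs) are constructed assumptions.

```python
import re
from collections import Counter

# The message text is taken from the msg_info() call quoted in the reply.
# The prefix ("<instance>/smtp[pid]: ") is an assumed typical syslog layout.
OFFER_RE = re.compile(
    r"(?P<proc>\S+/smtp)\[(?P<pid>\d+)\]: "
    r"Host offered STARTTLS: \[(?P<host>[^\]]+)\]\s*$"
)

# Constructed sample log lines, for illustration only.
SAMPLE_LOG = """\
Oct 18 14:30:01 mail postfix/smtp[4101]: Host offered STARTTLS: [mx1.example.net]
Oct 18 14:30:01 mail postfix/smtp[4101]: 3F2A1: to=<a@example.net>, relay=mx1.example.net[192.0.2.10]:25, status=sent (250 ok)
Oct 18 14:31:12 mail postfix/smtp[4107]: Host offered STARTTLS: [mx.example.org]
Oct 18 14:35:40 mail postfix/smtp[4120]: Host offered STARTTLS: [MX1.example.net]
Oct 18 14:36:02 mail postfix/smtpd[4125]: connect from unknown[198.51.100.7]
"""


def missed_starttls(lines):
    """Count, per remote host, sessions where STARTTLS was offered but unused.

    Only the SMTP client (".../smtp[pid]") emits this line, so smtpd
    (server side) entries never match.
    """
    counts = Counter()
    for line in lines:
        m = OFFER_RE.search(line)
        if m:
            # Host names are case-insensitive; fold them so one MX is one key.
            counts[m.group("host").lower()] += 1
    return counts


def report(counts):
    """Return printable rows, most frequently missed destination first."""
    return [f"{n:5d}  {host}" for host, n in counts.most_common()]


if __name__ == "__main__":
    for row in report(missed_starttls(SAMPLE_LOG.splitlines())):
        print(row)
```

The line alone does not say which of the two cases in the reply applied (TLS not enabled, or a failed opportunistic handshake retried in plaintext); that depends on the client's smtp_tls_security_level.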