Hi, I would like to parse my mail logs each month and report on the number of messages which were encrypted during transmission (TLS) and the number which were sent/received in the clear (along with domains of course).
I can see Martin Schmitt proposing a logging enhancement which would fit this need: http://readlist.com/lists/postfix.org/postfix-users/17/88710.html but Viktor suggests that we need configurable logging first. How do other folks solve this problem?

I can see how, for TLS connections, I could chain together PID and message ID to persuade myself that a particular transmission was TLS protected.

Feb 8 00:06:58 foo postfix/smtpd[16992]: connect from mr.company.com[10.1.2.3]
Feb 8 00:06:58 foo postfix/smtpd[16992]: setting up TLS connection from mr.company.com[10.1.2.3]
Feb 8 00:06:58 foo postfix/smtpd[16992]: Anonymous TLS connection established from mr.company.com[10.1.2.3]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Feb 8 00:06:58 foo postfix/smtpd[16992]: C5A9B257E66: client=mr.company.com[10.1.2.3]
Feb 8 00:06:58 foo postfix/qmgr[16888]: C5A9B257E66: from=<j...@company.com>, size=4377, nrcpt=1 (queue active)
Feb 8 00:06:58 foo postfix/smtpd[16992]: disconnect from mr.company.com[10.1.2.3]
Feb 8 00:06:59 foo postfix/qmgr[16888]: 085E1257FEF: from=<j...@company.com>, size=4696, nrcpt=1 (queue active)
Feb 8 00:06:59 foo postfix/qmgr[16888]: 1EC0E257E66: from=<j...@company.com>, size=4826, nrcpt=1 (queue active)

I can see taking the same approach for unencrypted mail ... follow the PID / message ID chain and at the end notice that there was no mention of TLS, therefore identifying this transmission as unencrypted.

Feb 13 14:02:27 foo postfix/smtpd[2648]: connect from nm2.bullet.mail.ne1.yahoo.com[98.138.90.65]
Feb 13 14:02:27 foo postfix/smtpd[2648]: D1D7A257EAD: client=nm2.bullet.mail.ne1.yahoo.com[98.138.90.65]
Feb 13 14:02:28 foo postfix/cleanup[3334]: D1D7A257EAD: message-id=<623141.56076...@web111901.mail.gq1.yahoo.com>
Feb 13 14:02:28 foo postfix/qmgr[2632]: D1D7A257EAD: from=<j...@company.com>, size=2716, nrcpt=1 (queue active)
Feb 13 14:02:28 foo postfix/smtpd[2648]: disconnect from nm2.bullet.mail.ne1.yahoo.com[98.138.90.65]
Feb 13 14:02:28 foo postfix/cleanup[3333]: 20818257EB1: message-id=<623141.56076...@web111901.mail.gq1.yahoo.com>
Feb 13 14:02:28 foo postfix/qmgr[2632]: 20818257EB1: from=<j...@company.com>, size=3039, nrcpt=1 (queue active)
Feb 13 14:02:28 foo postfix/smtp[3341]: D1D7A257EAD: to=<bsm...@here.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.44, delays=0.23/0.03/0/0.18, dsn=2.0.0, status=sent (250 OK, sent 4D5854F4_32299_18209_1 20818257EB1)
Feb 13 14:02:28 foo postfix/cleanup[3333]: 3B998257EAD: message-id=<623141.56076...@web111901.mail.gq1.yahoo.com>

But I don't see how to handle unencrypted outbound mail. I suppose I could infer clear text from the /lack/ of any preceding TLS messages, but that requires maintaining more state as I crawl through the log ... and I don't find absence to be particularly reassuring, in any case.

Feb 13 10:31:38 foo postfix/smtp[27248]: 53DEE257EB0: to=<j...@company.com>, relay=mailin-04.mx.aol.com[205.188.146.194]:25, delay=1.8, delays=0.06/0.02/0.78/0.97, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D910338000253)

Anyway, how do other folks solve this problem?

--sk
Stuart Kendrick
FHCRC
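The PID-chaining approach described in the post, written out as an added example (not code from the post or from Postfix): per smtpd/smtp process, remember the peer a "TLS connection established" line was logged for, then classify each inbound "client=" line and each outbound "status=sent" delivery against that state; absence of a handshake for the same PID and peer is what marks a message as clear text. It assumes smtpd_tls_loglevel and smtp_tls_loglevel are at least 1 (so the handshake lines are logged at all); the sample log is constructed from the post's lines plus made-up hosts, and the "127.0.0.1" skip list is an assumption to exclude content-filter hops like the :10025 relay in the post.

```python
import re
from collections import Counter
# Constructed sample modelled on the lines quoted in the post; hosts and IPs not
# taken from the post are made up. Assumes smtpd_tls_loglevel/smtp_tls_loglevel >= 1.
SAMPLE_LOG = """\
Feb  8 00:06:58 foo postfix/smtpd[16992]: connect from mr.company.com[10.1.2.3]
Feb  8 00:06:58 foo postfix/smtpd[16992]: Anonymous TLS connection established from mr.company.com[10.1.2.3]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Feb  8 00:06:58 foo postfix/smtpd[16992]: C5A9B257E66: client=mr.company.com[10.1.2.3]
Feb  8 00:06:58 foo postfix/smtpd[16992]: disconnect from mr.company.com[10.1.2.3]
Feb 13 14:02:27 foo postfix/smtpd[2648]: connect from nm2.bullet.mail.ne1.yahoo.com[98.138.90.65]
Feb 13 14:02:27 foo postfix/smtpd[2648]: D1D7A257EAD: client=nm2.bullet.mail.ne1.yahoo.com[98.138.90.65]
Feb 13 14:02:28 foo postfix/smtp[3341]: D1D7A257EAD: to=<bsm...@here.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.44, dsn=2.0.0, status=sent (250 OK)
Feb 13 10:31:38 foo postfix/smtp[27248]: 53DEE257EB0: to=<j...@company.com>, relay=mailin-04.mx.aol.com[205.188.146.194]:25, delay=1.8, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Feb 13 10:40:00 foo postfix/smtp[27300]: Trusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Feb 13 10:40:01 foo postfix/smtp[27300]: 9A1B2C3D4E5: to=<u...@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.1, dsn=2.0.0, status=sent (250 OK)
"""
PROC = re.compile(r' postfix/(smtpd?)\[(\d+)\]: (.*)$')
TLS = re.compile(r'TLS connection established (?:from|to) ([^\[\s]+)\[')
INBOUND = re.compile(r'^[0-9A-F]+: client=([^\[\s]+)\[')
OUTBOUND = re.compile(r'^[0-9A-F]+: to=<[^>]*>, relay=([^\[\s]+)\[.*status=sent')
def tls_report(lines, skip_relays=("127.0.0.1",)):
    """Count delivered messages per (direction, peer host, 'tls'|'clear'), chaining by PID."""
    tls_peer = {}   # pid -> peer host for which this process logged a TLS handshake
    counts = Counter()
    for line in lines:
        m = PROC.search(line)
        if not m:
            continue
        proc, pid, msg = m.groups()
        if proc == "smtpd" and msg.split(" ")[0] in ("connect", "disconnect"):
            tls_peer.pop(pid, None)     # session boundary: forget any TLS state
            continue
        t = TLS.search(msg)
        if t:
            tls_peer[pid] = t.group(1)
            continue
        hit = (INBOUND if proc == "smtpd" else OUTBOUND).match(msg)
        if not hit or hit.group(1) in skip_relays:   # skip e.g. content-filter hops
            continue
        peer = hit.group(1)
        # TLS only if this same PID logged a handshake with this same peer earlier;
        # anything else is inferred (from absence) to have gone in the clear.
        state = "tls" if tls_peer.get(pid) == peer else "clear"
        counts[("in" if proc == "smtpd" else "out", peer, state)] += 1
    return counts
if __name__ == "__main__":
    for (direction, peer, state), n in sorted(tls_report(SAMPLE_LOG.splitlines()).items()):
        print(f"{direction:3} {state:5} {n:4} {peer}")
```

Feed it `tls_report(open("/var/log/mail.log"))` for a real month; the "clear" bucket is exactly the absence-based inference the post is uneasy about, so treat it as an upper bound on clear-text traffic rather than proof.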