Re: Auditing encrypted/clear text SMTP transmission

Mon, 14 Feb 2011 08:20:58 -0800 

On Mon, Feb 14, 2011 at 08:24:14AM -0500, Wietse Venema wrote:

> In the SMTP server, this could be logged as:
> 
>     QUEUEID: client=foo.example.com, tls=whatever
> 
> That line is logged whenever the Postfix SMTP server opens a mail
> delivery transaction.

I use a log parser that "collates" all the log entries for each
message from arrival through final delivery. The TLS data is already
logged in full detail. I am not convinced that compact logging is
sufficiently detailed to be useful, and logging everything with
each per-recipient record is I think impractical.

Here's an example:

    2011-02-14T11:00:01-05:00 amnesiac postfix/smtpd[27542]:
        424AD4D0140: client=unknown[192.0.2.1]
    2011-02-14T11:00:01-05:00 amnesiac postfix/cleanup[27543]:
        424AD4D0140: message-id=<i...@example.com>
    2011-02-14T11:00:01-05:00 amnesiac postfix/qmgr[20816]:
        424AD4D0140: from=<user.n...@example.com>, size=11237, nrcpt=1
        (queue active)
    2011-02-14T11:00:01-05:00 amnesiac postfix/smtp[27107]:
        Trusted TLS connection established to
        gmail-smtp-in.l.google.com[74.125.115.27]:25:
        TLSv1 with cipher RC4-SHA (128/128 bits)
    2011-02-14T11:00:02-05:00 amnesiac postfix/smtp[27107]:
        424AD4D0140: to=<hillaryschwart...@gmail.com>,
        relay=gmail-smtp-in.l.google.com[74.125.115.27]:25,
        delay=0.88, delays=0.06/0/0.19/0.63, dsn=2.0.0, status=sent
        (250 2.0.0 OK 1297699202 gmail-tx.id)
    2011-02-14T11:00:02-05:00 amnesiac postfix/qmgr[20816]:
        424AD4D0140: removed

> In the SMTP client, this could be logged as:
> 
>     QUEUEID: to=<u...@example.com>, relay=whatever, delay=xx,
>     delays=a/b/c/d, tls=whatever, status=zz (some server response
>     text)
> 
> This is logged whenever a recipient is delivered, or not.
> 
> In either case it would be nice to have some compact indication of
> TLS cipher and authentication, if any.
> 
> Suggestions for alternative user interfaces are welcome, but it
> seems to me that having it logged with the other attributes would
> be more parser-friendly (keep in mind that one SMTP session can
> transfer multiple messages).

I like the current behaviour where the TLS data is logged once.

We could make "correlation" easier, by logging an SMTP session id in the
per-user delivery record, and logging TLS and other interesting attributes
with the same session-id. Parsers can then just match-up SMTP session ids.

This is not strictly necessary, the currentl logs contain all the
information required for a stateful parser to extract the full history
of each message.

-- 
        Viktor.

Reply via email to