Ralf Hauser:
> Hi,
>
> Fortunately, more and more smtp servers offer STARTTLS.
> I would like to analyze the certificates used when employing STARTTLS
> "opportunistically".
>
> Is there a way to have postfix e.g. insert into a mysql table for every
> message sent over TLS the following record:
> 1) recipient domain name
> 2) hostname (of MTA as per MX record)
> 3) host-ip
> 4) certificate(-chain) used (e.g. in PEM format)
Most of this information can be extracted from existing mail delivery logfile records. You can get the certificate chain with "posttls-finger", "openssl s_client" and equivalents.

Wietse

> For efficiency reasons, it would be ok, that after the first insert of a
> certificate only a unique identifier (that would be provided by postfix as
> field 5) would be given (besides a unique id given by postfix, it could also
> be a sha256 digest of the leaf certificate).
>
> Any hints would be appreciated!
>
> Ralf
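Wietse's reply says fields 1-3 already sit in the delivery log. As an added example (not from the thread, and not Postfix's own code), the script below shows what that extraction looks like: it correlates the "TLS connection established" line that smtp(8) logs per connection with the subsequent "to=<...>, relay=..." lines from the same smtp(8) process, and emits one record per recipient delivered over TLS (recipient domain, relay hostname, relay IP, and the TLS level, protocol and cipher). The log lines are constructed samples in the shape Postfix writes them; the process-ID correlation and the plaintext fallback are the example's own assumptions. The certificate chain itself (field 4) is not in the log and would come from posttls-finger or openssl s_client as the reply says.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines (not taken from the thread), in the shape Postfix's
# smtp(8) client writes them: one "TLS connection established" line per connection,
# followed by one "to=<...>, relay=..." line per recipient delivered on that connection.
SAMPLE_LOG = """\
Mar  1 12:00:00 mail postfix/smtp[4242]: Untrusted TLS connection established to mx.example.com[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  1 12:00:01 mail postfix/smtp[4242]: 1A2B3C4D5E: to=<alice@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.6, delays=0.01/0.02/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D)
Mar  1 12:00:02 mail postfix/smtp[4242]: 1A2B3C4D5F: to=<bob@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.4, delays=0.01/0.02/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7E)
Mar  1 12:00:05 mail postfix/smtp[4243]: 1A2B3C4D60: to=<carol@example.net>, relay=mail.example.net[198.51.100.7]:25, delay=0.3, delays=0.01/0.02/0.1/0.1, dsn=2.0.0, status=sent (250 OK)
Mar  1 12:00:07 mail postfix/smtp[4244]: Verified TLS connection established to mx.example.org[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  1 12:00:08 mail postfix/smtp[4244]: 1A2B3C4D61: to=<dave@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.1, delays=0.01/0.02/0.5/0.5, dsn=4.4.2, status=deferred (lost connection with mx.example.org[203.0.113.5] while sending end of data)
"""

# Connection line: security level, relay host/IP, protocol and cipher.
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Per-recipient delivery line: queue ID, recipient, relay host/IP and delivery status.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<host>[^\[\s,]+)\[(?P<ip>[^\]]+)\]:\d+, .*status=(?P<status>\w+)"
)


@dataclass
class DeliveryRecord:
    queue_id: str
    recipient_domain: str   # field 1 of the question
    relay_host: str         # field 2 (the MX host Postfix actually connected to)
    relay_ip: str           # field 3
    tls_level: Optional[str]      # None when the delivery was not over TLS
    tls_protocol: Optional[str]
    tls_cipher: Optional[str]


def extract_records(log_text: str) -> List[DeliveryRecord]:
    """Join TLS connection lines with later delivery lines from the same smtp(8) process."""
    # pid -> most recent TLS connection opened by that smtp(8) process. Postfix reuses a
    # connection for several recipients, so the entry is kept, not popped, after a match.
    connections: Dict[str, Dict[str, str]] = {}
    records: List[DeliveryRecord] = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            connections[m["pid"]] = m.groupdict()
            continue
        m = DELIVERY_RE.search(line)
        if not m or m["status"] != "sent":
            continue  # only successfully delivered messages, as the question asked
        conn = connections.get(m["pid"])
        # Postfix does not log plaintext session setup, so a delivery whose relay host/IP
        # does not match the last TLS connection of the same process is treated as plaintext.
        if conn and conn["host"] == m["host"] and conn["ip"] == m["ip"]:
            level, proto, cipher = conn["level"], conn["proto"], conn["cipher"]
        else:
            level = proto = cipher = None
        records.append(DeliveryRecord(
            queue_id=m["qid"],
            recipient_domain=m["rcpt"].rpartition("@")[2].lower(),
            relay_host=m["host"],
            relay_ip=m["ip"],
            tls_level=level,
            tls_protocol=proto,
            tls_cipher=cipher,
        ))
    return records


def tls_only(records: List[DeliveryRecord]) -> List[DeliveryRecord]:
    """Keep just the deliveries that went over TLS (what the question wants to insert)."""
    return [r for r in records if r.tls_level is not None]


if __name__ == "__main__":
    for r in tls_only(extract_records(SAMPLE_LOG)):
        print(r)
```

Each record is a row ready for the MySQL table from the question; the sha256 digest that Ralf suggests as field 5 would be computed over the DER form of the leaf certificate fetched separately with posttls-finger, keyed by relay host and IP. The "Untrusted" versus "Verified" level in the log is itself worth recording, since opportunistic STARTTLS delivers fine over a certificate that never chained to anything.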