Ralf Hauser:
> Hi Wietse,
>
> Thanks for the quick response.
> Just tried it: smtp_tls_loglevel = 1 tells me the cipher used, but not
> really anything on the certificate (fingerprint/digest or serial-#/issuer
> not visible)

The information is available with posttls-finger, "openssl s_client", etc. You can also capture it with a network sniffer that understands TLS, because the information must be sent before the session can be encrypted.

> - basically duplicates the TLS handshake load on the sending server

Why? Server certificates don't change hundreds of times per day.

> Would it be hard to have the *real certificate* used written into mysql or
> alike?

Postfix can write many database types, but the Postfix MySQL client is currently not one of them. There is only an incomplete patch for MySQL write support.

> Would that be a big patch to the postfix sources?

Asking is easy, but I cannot spend the rest of today on an analysis of how to export Postfix TLS session information in a manner that is useful for more than just your write-only store.

	Wietse
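
The out-of-band approach from the reply above, as an added example that is not part of the original thread or of Postfix: probe a destination's STARTTLS certificate separately from mail delivery and store its SHA-256 fingerprint, writing a new row only when the certificate changes. SQLite stands in for the MySQL store asked about; the table name, function names and sample bytes are assumptions made for illustration.

```python
import hashlib
import smtplib
import sqlite3
import ssl
import time


def fingerprint(der: bytes) -> str:
    """SHA-256 digest of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_smtp_cert(host: str, port: int = 25, timeout: float = 15.0) -> bytes:
    """Out-of-band probe: STARTTLS to the server, return its leaf cert (DER)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # record what the server presents;
    ctx.verify_mode = ssl.CERT_NONE  # trust decisions are made elsewhere
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Create the (hypothetical) seen_certs table if it does not exist."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS seen_certs (
        host TEXT, sha256 TEXT, first_seen REAL, last_seen REAL,
        PRIMARY KEY (host, sha256))""")
    return db


def record(db: sqlite3.Connection, host: str, der: bytes, now=None) -> bool:
    """Store one observation; return True only if the cert is new for host."""
    now = time.time() if now is None else now
    fp = fingerprint(der)
    with db:  # commit on success, roll back on error
        cur = db.execute(
            "UPDATE seen_certs SET last_seen=? WHERE host=? AND sha256=?",
            (now, host, fp))
        if cur.rowcount:
            return False  # same certificate as before, only last_seen moved
        db.execute("INSERT INTO seen_certs VALUES (?,?,?,?)",
                   (host, fp, now, now))
    return True


if __name__ == "__main__":
    store = open_store()
    sample = b"constructed bytes standing in for a DER certificate"
    print(record(store, "mx.example.com", sample))  # first sighting
    print(record(store, "mx.example.com", sample))  # unchanged certificate
```

Run `fetch_smtp_cert` from a scheduled job against the destinations of interest and pass its result to `record`; a `True` return is the event worth logging or alerting on.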