On 16.03.2014 18:01, Ralf Hauser wrote:
> Hi Wietse,
> 
> Thanks for the quick response.
> Just tried it:  smtp_tls_loglevel = 1 tells me the cipher used, but not
> really anything on the certificate (fingerprint/digest or serial-#/issuer
> not visible)
> Even smtp_tls_loglevel = 4 doesn't show that in an obvious way :(
> 
> What did you have in mind with "can be extracted from mail delivery logfile
> records" ?
> 
> Also, doing "openssl s_client" or alike after the transmission 
> - has the risk that an attacker (e.g. MITM) would not show the same
> certificate anymore and
> - basically duplicates the TLS handshake load on the sending server
> 
> Would it be hard to have the *real certificate* used written into mysql or
> alike?
> Would that be a big patch to the postfix sources?
> 
>      Ralf
>> -----Original Message-----
>> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
>> us...@postfix.org] On Behalf Of Wietse Venema
>> Sent: Sunday, 16 March 2014 17:11
>> To: Postfix users
>> Subject: Re: Statistics on TLS certificates used when sending with
>> opportunistic TLS
>>
>> Ralf Hauser:
>>> Hi,
>>>
>>> Fortunately, more and more smtp servers offer STARTTLS.
>>> I would like to analyze the certificates used when employing STARTTLS
>>> "opportunistically".
>>>
>>> Is there a way to have postfix e.g. insert into a mysql table for
>>> every message sent over TLS the following record:
>>> 1) recipient domain name
>>> 2) hostname (of MTA as per MX record)
>>> 3) host-ip
>>> 4) certificate(-chain) used (e.g. in PEM format)

Hi Ralf, logwatch does stats TLS summary


like

...
21      Trusted: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
        3         dgate10.ts.fujitsu.com[80.70.172.49]:25
        3         mx03.t-online.de[194.25.134.73]:25
        3         smtpin.rzone.de[81.169.145.97]:25
...


and more


>>
>> Most of this information can be extracted from existing mail delivery logfile
>> records.  You can get the certificate chain with "posttls-finger", "openssl
>> s_client" and equivalents.
>>
>>      Wietse
> 



Best Regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
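
Added example (not part of the thread and not Postfix or logwatch code): pulling recipient domain, MX host, IP and TLS parameters out of smtp client log records, grouped the way the logwatch excerpt above is. It assumes the `smtp_tls_loglevel = 1` line format and correlates lines by smtp process id, which is a heuristic; the sample lines are constructed, and as noted in the thread the certificate itself is not in these records.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread), in the format the Postfix
# smtp client logs with smtp_tls_loglevel = 1. The last delivery has no TLS line.
SAMPLE_LOG = """\
Mar 16 17:02:11 mail postfix/smtp[2101]: Trusted TLS connection established to mx03.t-online.de[194.25.134.73]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 16 17:02:12 mail postfix/smtp[2101]: 3A1B2C4D5E: to=<alice@t-online.de>, relay=mx03.t-online.de[194.25.134.73]:25, delay=1.2, dsn=2.0.0, status=sent (250 OK)
Mar 16 17:05:40 mail postfix/smtp[2107]: Untrusted TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 16 17:05:41 mail postfix/smtp[2107]: 7F6E5D4C3B: to=<bob@example.org>, orig_to=<robert@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.9, dsn=2.0.0, status=sent (250 OK)
Mar 16 17:09:03 mail postfix/smtp[2110]: 9C8B7A6D5E: to=<carol@Example.NET>, relay=mx.example.net[192.0.2.25]:25, delay=0.5, dsn=2.0.0, status=sent (250 OK)
"""

TLS_RE = re.compile(r"postfix/smtp\[(\d+)\]: (\w+) TLS connection established to "
                    r"(\S+?)\[([^\]]+)\]:\d+: (\S+) with cipher (\S+)")
DELIVERY_RE = re.compile(r"postfix/smtp\[(\d+)\]: \w+: to=<[^@>]+@([^>]+)>,"
                         r"(?: orig_to=<[^>]*>,)? relay=(\S+?)\[([^\]]+)\]:\d+,.*status=sent")

def tls_rows(log_text):
    """Return a list of (rcpt_domain, mx_host, mx_ip, trust, protocol, cipher)."""
    last_tls = {}  # smtp pid -> (host, ip, trust, protocol, cipher)
    rows = []
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            pid, trust, host, ip, proto, cipher = m.groups()
            last_tls[pid] = (host, ip, trust, proto, cipher)
        elif m := DELIVERY_RE.search(line):
            pid, domain, host, ip = m.groups()
            tls = last_tls.get(pid)
            # Heuristic: a delivery belongs to the most recent handshake logged by
            # the same smtp process, and only if it went to the same host and IP.
            if tls and tls[:2] == (host, ip):
                rows.append((domain.lower(), host, ip) + tls[2:])
            else:
                rows.append((domain.lower(), host, ip, "none", None, None))
    return rows

def summarize(rows):
    """Group like the logwatch excerpt: (trust, protocol, cipher) -> host counts."""
    summary = defaultdict(Counter)
    for _, host, ip, trust, proto, cipher in rows:
        summary[(trust, proto, cipher)][f"{host}[{ip}]"] += 1
    return summary

if __name__ == "__main__":
    for key, hosts in summarize(tls_rows(SAMPLE_LOG)).items():
        print(sum(hosts.values()), *key)
        for host, n in hosts.items():
            print("   ", n, host)
```

Rows with trust level "none" are deliveries for which no matching handshake line was seen, so they are worth reviewing separately from the "Untrusted" ones.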
