Hello Wietse,
As promised, I'd like to reply to this question ...

Viktor Dukhovni:
For an SMTP client per-record log entry I'd suggest a very condensed format:

    smtp[pid]: QUEUE-ID: to=<rcpt>, [orig_to=<orig_rcpt>,] [security=none|passive|active,]

in which "passive" protects against passive attacks and consolidates Anonymous, Untrusted and Trusted, while "active" protects against MITM attacks and handles "Verified" connections (success at security level "fingerprint", "verify", "secure" or "dane").
This suggestion makes sense.
People just want to know the overall channel security status.
Yes, I mostly like to distinguish plain vs. TLS.
The "security" element can either be always present, with "none" to signal non-TLS delivery, or simply absent to signal the same.
As admins have to adjust their logfile parsers anyway, I would prefer version #1.

Andreas
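
A log parser for the condensed format proposed in this thread, as an added example that is not part of the original message and not Postfix code. It assumes the entry looks exactly as sketched in the proposal, reads an absent "security" element as "none" so that both variants discussed parse alike, and uses hypothetical function names and constructed sample lines.

```python
import re
from collections import Counter

# Consolidation stated in the proposal: TLS connection state -> condensed value.
CONSOLIDATE = {"Anonymous": "passive", "Untrusted": "passive",
               "Trusted": "passive", "Verified": "active"}
VALID = {"none", "passive", "active"}

# Proposed entry: smtp[pid]: QUEUE-ID: to=<rcpt>, [orig_to=<...>,] [security=...,]
LINE_RE = re.compile(
    r"smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>,"
    r"(?: orig_to=<(?P<orig>[^>]*)>,)?"
    r"(?: security=(?P<security>[A-Za-z]+),?)?"
)

def condensed_security(tls_state):
    """Map a TLS connection state (None for plaintext) to the proposed value."""
    return "none" if tls_state is None else CONSOLIDATE[tls_state]

def parse_delivery(line):
    """Return (queue_id, recipient, security), or None for non-delivery lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    security = m.group("security") or "none"   # absent element means non-TLS
    if security not in VALID:
        raise ValueError(f"unexpected security value: {security!r}")
    return m.group("qid"), m.group("rcpt"), security

def summarize(lines):
    """Count deliveries per channel security status."""
    parsed = (parse_delivery(line) for line in lines)
    return Counter(rec[2] for rec in parsed if rec is not None)

SAMPLE = [  # constructed lines in the proposed format, not real Postfix output
    "postfix/smtp[2101]: 3A1B2C4D5E: to=<a@example.org>, security=active, status=sent",
    "postfix/smtp[2101]: 3A1B2C4D5F: to=<b@example.net>, orig_to=<bob@example.net>,"
    " security=passive, status=sent",
    "postfix/smtp[2102]: 3A1B2C4D60: to=<c@example.com>, security=none, status=sent",
    "postfix/smtp[2102]: 3A1B2C4D61: to=<d@example.com>, status=sent",
    "postfix/smtp[2102]: connect to mx.example.com[192.0.2.1]:25: Connection refused",
]

if __name__ == "__main__":
    for status, count in sorted(summarize(SAMPLE).items()):
        print(f"{status}: {count}")
```

When the element is omitted for plaintext, a parser cannot tell a non-TLS delivery from a line written by a build that does not log the element at all; with "none" always present, that ambiguity does not arise.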