> On Nov 20, 2018, at 7:53 AM, J. Thomsen <l...@jth.net> wrote:
>
> From the log it should be obvious
>
> 1) does Postfix lookup the TLSA record

Always does, with "smtp_tls_security_level = dane"

> 2) did Postfix receive the TLSA record and which ones

Domains that have TLSA records will be "Verified" or the delivery will fail with a certificate authentication failure. Other domains will be logged as "Anonymous" or "Untrusted". So the presence of TLSA records is implicit in the connection security status. The actual TLSA records should not IMHO be logged on a routine basis.

> 3) does Postfix use the TLSA record and which one

Probably not useful on a routine basis.

> 4) is the TLSA record valid and how is Postfix using it

Probably not useful on a routine basis. As for "how", the answer is per RFC7672.

>> I think that 5 log messages where one was looks reasonably sufficient
>> to me are probably too much.
>
> Well, yes, it was just a suggestion for an easy copy-paste from
> posttls-finger to the smtp client :)

I am looking for "correct", not "easy".

>>> When implementing DANE it is helpful to increase the value of
>>> smtp_tls_loglevel to at least X.
>>
>> I've always found level 1 to be sufficient for routine logging.
>
> As always a more detailed level (pt 1-3) is needed during the implementation
> or error diagnosis and
> a less detailed level (pt. 4) during production.

So are you asking to change the routine logging, or just more options for verbose logging when doing trouble-shoots and testing?

--
Viktor.
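
Since the presence of TLSA records is implicit in the logged connection security status, the level 1 log can be summarised per MX host. This is an added example, not part of the original message or of Postfix; it assumes the one-line "TLS connection established" summary the Postfix SMTP client logs at `smtp_tls_loglevel = 1`, and the sample lines, host names and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# One-line TLS summary logged by the Postfix SMTP client at smtp_tls_loglevel = 1.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<status>\w+) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+)"
)

# Constructed sample log lines (documentation host names and addresses).
SAMPLE_LOG = """\
Nov 20 08:01:02 mail postfix/smtp[2101]: Verified TLS connection established to mx.dane.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 20 08:01:09 mail postfix/smtp[2102]: Untrusted TLS connection established to mx.plain.example[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 20 08:02:30 mail postfix/smtp[2107]: Anonymous TLS connection established to mx.anon.example[203.0.113.5]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Nov 20 08:03:11 mail postfix/smtp[2110]: Verified TLS connection established to MX.dane.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 20 08:04:45 mail postfix/smtp[2115]: Untrusted TLS connection established to mx.dane.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 20 08:05:00 mail postfix/qmgr[900]: 4A1B2C3D4E: removed
"""


def summarize(lines):
    """Count connection security statuses per remote MX host (case-folded)."""
    per_host = defaultdict(Counter)
    for line in lines:
        m = TLS_LINE.search(line)
        if m:  # non-TLS lines (qmgr, cleanup, ...) are skipped
            per_host[m["host"].lower()][m["status"]] += 1
    return dict(per_host)


def mixed_status_hosts(per_host):
    """Hosts logged as Verified and also with another status in the same log.

    A host that was Verified earlier and is Untrusted or Anonymous later
    is worth a manual check of its TLSA records and DNSSEC status.
    """
    return sorted(
        host for host, counts in per_host.items()
        if counts["Verified"] and any(s != "Verified" for s in counts)
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for host, counts in sorted(summary.items()):
        print(host, dict(counts))
    print("mixed status:", mixed_status_hosts(summary))
```
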