On Mon, Apr 06, 2020 at 08:21:32AM +0100, Dominic Raferd wrote:

> Using setting 'smtp_tls_security_level = may' (postfix 3.3.0) is there
> a reliable way to see from log which outgoing emails were sent in the
> clear i.e. *not* using TLS?

Yes, provided you don't lose too many log messages[1], and your logging
subsystem does not reorder them[1], set:

    smtp_tls_loglevel = 1

and use "collate":

    https://github.com/vdukhovni/postfix/tree/master/postfix/auxiliary/collate

whose output you'd send to the attached Perl script.  On my system for
example:

    # bzip2 -dcf $(ls -tr /var/log/maillog*) | perl collate | perl tlstype.pl

-- 
    Viktor.

[1] If your system is suffering under the yoke of systemd-journald, you
should strongly consider enabling the built-in logging in recent
versions of Postfix to bypass systemd's broken logging subsystem.

    - It is single-threaded, performs poorly on multi-cpu servers and
      may not be able to keep up with all the messages generated on a
      busy multi-cpu system.

    - By default has low message rate limits, dropping messages
      that exceed the limits.

    - Listens on stream socket rather than a dgram socket, which
      breaks message ordering from multi-process systems like
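      Postfix.

#! /usr/bin/env perl

use strict;
use warnings;

# Read one blank-line-separated block of "collate" output at a time.
local $/ = "\n\n";

while (<>) {
    my $qid;
    my %tls;
    my $smtp;
    foreach my $line (split("\n")) {
        # Queue manager line: take the queue ID from the first "queue active" entry.
        if ($line =~ m{ postfix(?:\S*?)/qmgr\[\d+\]: (\w+): from=<.*>, size=\d+, nrcpt=\d+ [(]queue active[)]$}) {
            $qid //= $1;
            next;
        }
        # TLS handshake line: store trust level and protocol/cipher text,
        # keyed by smtp process ID and remote peer.
        if ($line =~ m{ postfix(?:\S*?)/smtp\[(\d+)\]: (\S+) TLS connection established to (\S+): (.*)}) {
            $tls{$1}->{$3} = [$2, $4];
            next;
        }
        # Successful delivery line (dsn=2.x, status=sent).
        if ($line =~ m{.*? postfix(?:\S*?)/smtp\[(\d+)\]: (\w+): (to=.*), relay=(\S+), (delay=\S+, delays=\S+, dsn=2\.\S+, status=sent .*)}) {
            # Skip deliveries that belong to another queue ID (or none seen yet).
            next unless defined($qid) && $qid eq $2;
            # TLS only if the same process logged a handshake with this relay and
            # the delay/status text equals the first one tied to that handshake.
            if (defined($tls{$1}->{$4}) && ($tls{$1}->{$4}->[2] //= $5) eq $5) {
                printf "qid=%s, relay=%s, %s -> %s %s\n", $qid, $4, $3, @{$tls{$1}->{$4}}[0..1];
            } else {
                delete $tls{$1};
                printf "qid=%s, relay=%s, %s -> cleartext\n", $qid, $4, $3;
            }
        }
    }
}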
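
A possible follow-on step, added here as an example and not part of the original message or of Postfix: a shell function that totals the script's output per relay host, so relays that received mail in cleartext (or both with and without TLS) stand out. It assumes the output format of the two printf calls in the attached script; the function names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example; not part of the original message.
# Assumes input lines in the format printed by tlstype.pl:
#   qid=<id>, relay=<host>[<addr>]:<port>, to=<...> -> cleartext
#   qid=<id>, relay=<host>[<addr>]:<port>, to=<...> -> <level> <protocol and cipher>

# summarize_tls (hypothetical name): one line of totals per relay host.
summarize_tls() {
    awk '
    !/^qid=/ { next }                      # ignore anything that is not a result line
    {
        split($0, f, ", ")                 # f[2] is "relay=host[addr]:port"
        host = tolower(f[2])
        sub(/^relay=/, "", host)
        sub(/\[.*$/, "", host)             # drop "[addr]:port", keep the host name
        seen[host] = 1
        if ($0 ~ / -> cleartext$/) clear[host]++
        else                       tls[host]++
    }
    END {
        # MIXED marks a relay seen both with TLS and in cleartext.
        for (host in seen)
            printf "%s tls=%d cleartext=%d%s\n", host, tls[host], clear[host],
                   (tls[host] && clear[host]) ? " MIXED" : ""
    }' | LC_ALL=C sort
}

# Constructed sample of tlstype.pl output (documentation addresses only).
sample_tlstype_output() {
    cat <<'EOF'
qid=4A1B2C3D4E, relay=mx1.example.net[192.0.2.10]:25, to=<alice@example.net> -> Trusted TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
qid=4A1B2C3D4F, relay=mx1.example.net[192.0.2.10]:25, to=<bob@example.net> -> cleartext
qid=4A1B2C3D50, relay=mail.example.org[198.51.100.7]:25, to=<carol@example.org>, orig_to=<c@example.com> -> cleartext
qid=4A1B2C3D51, relay=mx.example.com[203.0.113.5]:25, to=<dave@example.com> -> Untrusted TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
EOF
}

# Demo on the constructed sample; in real use, pipe tlstype.pl output into summarize_tls.
sample_tlstype_output | summarize_tls
```
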
