On Fri, Jul 31, 2020 at 02:16:54PM -0400, Wietse Venema wrote:
> Logged as conn_use=xxx. By default, reuse happens only for plaintext
> connections.
>
> > > smtp_tls_connection_reuse=yes
>
> Logged as TLS handshake results plus conn_use=xxx.
One thing we could likely improve in TLS connection reuse logging is
logging of an appropriate client session identifier in tlsproxy(8) TLS
log entries:

    Jul 21 01:16:57 amnesiac postfix/tlsproxy[64244]: Verified TLS connection established to amnesiac.example[192.0.2.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

It is presently difficult to correlate logging in tlsproxy(8) with a
particular smtp(8) client's delivery attempts. We should perhaps have a
field in the TLS_SESS_STATE (TLScontext variable) that represents a
client id for proxy connections, allowing tools like "collate" to group
relevant logging by tlsproxy(8) with the other logging relevant to a
given delivery. One possibility would be:

    Jul 21 01:16:57 amnesiac postfix/tlsproxy[64244]: --> QUEUE-ID: smtp[PID]: Verified TLS connection established to amnesiac.example[192.0.2.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

So that we identify both the message and the associated delivery agent
process. We might then also include the queue-id (but not repeat the
process id) for other TLS library log messages (warnings and perhaps
debug messages at log levels != 1).

-- 
Viktor.
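As an added illustration of the correlation problem described in the message (not code from the thread or from Postfix's own collate script), the toy collator below groups log entries by queue id. It understands the proposed "--> QUEUE-ID: smtp[PID]:" prefix on tlsproxy(8) lines and reports tlsproxy entries that carry no queue id as uncorrelatable; the log lines, queue id and process ids are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the message). The second line uses the
# proposed "--> QUEUE-ID: smtp[PID]:" prefix; queue id and pids are made up.
SAMPLE_LOG = """\
Jul 21 01:16:57 amnesiac postfix/qmgr[64201]: 3D2F1C0E7A: from=<sender@example.org>, size=1234, nrcpt=1 (queue active)
Jul 21 01:16:57 amnesiac postfix/tlsproxy[64244]: --> 3D2F1C0E7A: smtp[64230]: Verified TLS connection established to amnesiac.example[192.0.2.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jul 21 01:16:57 amnesiac postfix/smtp[64230]: 3D2F1C0E7A: to=<user@amnesiac.example>, relay=amnesiac.example[192.0.2.1]:25, conn_use=2, delay=0.5, status=sent (250 2.0.0 Ok)
Jul 21 01:16:58 amnesiac postfix/tlsproxy[64244]: Verified TLS connection established to other.example[192.0.2.2]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# syslog prefix: "Mon DD hh:mm:ss host postfix/program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# ordinary qmgr/delivery-agent entries start with the queue id
QID_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)$")
# proposed tlsproxy(8) prefix naming the queue id and the owning smtp(8) process
PROXY_RE = re.compile(
    r"^--> (?P<qid>[0-9A-Za-z]{6,}): (?P<agent>\w+)\[(?P<apid>\d+)\]: (?P<rest>.*)$")


def collate(log_text):
    """Return (by_qid, orphans): entries grouped by queue id in log order,
    plus tlsproxy entries that carry no queue id and so cannot be tied to
    a particular delivery attempt. Entries are (program, pid, message)."""
    by_qid, orphans = defaultdict(list), []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        pm = PROXY_RE.match(msg) if prog == "tlsproxy" else None
        if pm:  # proposed format: keep the agent process that owns the session
            by_qid[pm["qid"]].append((prog, pid, f"{pm['agent']}[{pm['apid']}] {pm['rest']}"))
            continue
        qm = QID_RE.match(msg)
        if qm:
            by_qid[qm["qid"]].append((prog, pid, qm["rest"]))
        elif prog == "tlsproxy":
            orphans.append((prog, pid, msg))
    return dict(by_qid), orphans


def conn_use(by_qid, qid):
    """Return the conn_use value logged by smtp(8) for a queue id, or None."""
    for prog, _pid, msg in by_qid.get(qid, ()):
        m = re.search(r"conn_use=(\d+)", msg) if prog == "smtp" else None
        if m:
            return int(m.group(1))
    return None
```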