On Fri, Jul 31, 2020 at 02:16:54PM -0400, Wietse Venema wrote:
> Logged as conn_use=xxx. By default, reuse happens only for plaintext
> connections.
>
> > > smtp_tls_connection_reuse=yes
>
> Logged as TLS handshake results plus conn_use=xxx.
One thing we could likely improve in TLS connection reuse logging is
logging of an appropriate client session identifier in tlsproxy(8) TLS
log entries:
Jul 21 01:16:57 amnesiac postfix/tlsproxy[64244]:
Verified TLS connection established
to amnesiac.example[192.0.2.1]:25:
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
server-digest SHA256
It is presently difficult to correlate logging in tlsproxy(8) with
a particular smtp(8) client's delivery attempts.
We should perhaps have a field in the TLS_SESS_STATE (TLScontext
variable) that represents a client id for proxy connections, allowing
tools like "collate" to grooup relevant logging by tlsproxy(8) with the
other logging relevant to a given delivery.
One possibility would be:
Jul 21 01:16:57 amnesiac postfix/tlsproxy[64244]:
--> QUEUE-ID: smtp[PID]:
Verified TLS connection established
to amnesiac.example[192.0.2.1]:25:
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
server-digest SHA256
So that we identify both the message, but the associated delivery agent
process. We might then also include the queue-id (but not repeat the
process id) for other TLS library log messages (warnings and perhaps
debug messages at log levels != 1).
--
Viktor.
