On Fri, Jul 31, 2020 at 02:16:54PM -0400, Wietse Venema wrote:

> Logged as conn_use=xxx. By default, reuse happens only for plaintext
> connections.
> 
> > >    smtp_tls_connection_reuse=yes
> 
> Logged as TLS handshake results plus conn_use=xxx.

One thing we could likely improve in TLS connection reuse logging is
logging of an appropriate client session identifier in tlsproxy(8) TLS
log entries:

    Jul 21 01:16:57 amnesiac postfix/tlsproxy[64244]:
        Verified TLS connection established
        to amnesiac.example[192.0.2.1]:25:
        TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
        key-exchange X25519 server-signature RSA-PSS (2048 bits)
        server-digest SHA256

It is presently difficult to correlate logging in tlsproxy(8) with
a particular smtp(8) client's delivery attempts.

We should perhaps have a field in the TLS_SESS_STATE (TLScontext
variable) that represents a client id for proxy connections, allowing
tools like "collate" to group relevant logging by tlsproxy(8) with the
other logging relevant to a given delivery.

One possibility would be:

    Jul 21 01:16:57 amnesiac postfix/tlsproxy[64244]:
-->     QUEUE-ID: smtp[PID]:
        Verified TLS connection established
        to amnesiac.example[192.0.2.1]:25:
        TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
        key-exchange X25519 server-signature RSA-PSS (2048 bits)
        server-digest SHA256

So that we identify both the message and the associated delivery agent
process.  We might then also include the queue-id (but not repeat the
process id) for other TLS library log messages (warnings and perhaps
debug messages at log levels != 1).

-- 
    Viktor.
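
As an added example (not part of this message, and not Postfix's own
"collate" script), the following Python sketch shows how a log collator
could use the proposed "QUEUE-ID: smtp[PID]:" prefix to group tlsproxy(8)
entries with the smtp(8) delivery they belong to, and to flag tlsproxy
entries whose smtp[PID] tag does not match any smtp(8) process that logged
under the same queue ID. All log lines, queue IDs and PIDs are constructed;
the prefix format is the one proposed above and is assumed here, not an
existing Postfix log format. A tlsproxy line in today's format (no queue
ID) is included to show that it can only be bucketed as unattributed.

```python
import re
from collections import defaultdict

# Syslog prefix as emitted by Postfix daemons:
#   "Mon DD HH:MM:SS host postfix/prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[a-z]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message text that starts with a Postfix queue ID (short hex form or long
# alphanumeric form) followed by ": ".  The length limits keep words such
# as "warning:" from being mistaken for a queue ID.
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}|[0-9A-Za-z]{12,}): (?P<rest>.*)$")

# Assumed tlsproxy(8) client tag proposed in the message: "smtp[PID]: ..."
CLIENT_RE = re.compile(r"^(?P<client>[a-z]+)\[(?P<client_pid>\d+)\]: (?P<rest>.*)$")

# Constructed sample log (hypothetical queue IDs, PIDs and hosts).
SAMPLE_LOG = """\
Jul 21 01:16:57 amnesiac postfix/qmgr[64001]: 4B8Xk13nQzz1: from=<sender@example.org>, size=1234, nrcpt=1 (queue active)
Jul 21 01:16:57 amnesiac postfix/smtp[64230]: 4B8Xk13nQzz1: to=<rcpt@amnesiac.example>, relay=amnesiac.example[192.0.2.1]:25, delay=0.5, delays=0.1/0/0.3/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABC123)
Jul 21 01:16:57 amnesiac postfix/tlsproxy[64244]: 4B8Xk13nQzz1: smtp[64230]: Verified TLS connection established to amnesiac.example[192.0.2.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jul 21 01:16:58 amnesiac postfix/tlsproxy[64244]: Verified TLS connection established to other.example[192.0.2.2]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 21 01:16:58 amnesiac postfix/smtp[64231]: 4B8Xk2Gz7zz2: to=<rcpt@third.example>, relay=third.example[192.0.2.3]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jul 21 01:16:58 amnesiac postfix/tlsproxy[64244]: 4B8Xk2Gz7zz2: smtp[64299]: Untrusted TLS connection established to third.example[192.0.2.3]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""


def parse_line(line):
    """Split one syslog line into fields; returns None for non-Postfix lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"])
    entry["qid"] = None        # queue ID the line belongs to, if any
    entry["client_pid"] = None  # smtp(8) PID from the proposed tlsproxy tag
    q = QID_RE.match(entry["msg"])
    if q:
        entry["qid"] = q.group("qid")
        entry["msg"] = q.group("rest")
        if entry["prog"] == "tlsproxy":
            c = CLIENT_RE.match(entry["msg"])
            if c:
                entry["client_pid"] = int(c.group("client_pid"))
                entry["msg"] = c.group("rest")
    return entry


def collate(log_text):
    """Group parsed entries by queue ID; key None holds unattributed lines."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            groups[e["qid"]].append(e)
    return dict(groups)


def check_client_pids(groups):
    """Return (qid, client_pid) for tlsproxy entries whose smtp[PID] tag
    matches no smtp(8) process that logged under the same queue ID."""
    mismatches = []
    for qid, entries in groups.items():
        if qid is None:
            continue
        smtp_pids = {e["pid"] for e in entries if e["prog"] == "smtp"}
        for e in entries:
            if e["prog"] == "tlsproxy" and e["client_pid"] not in smtp_pids:
                mismatches.append((qid, e["client_pid"]))
    return mismatches


if __name__ == "__main__":
    groups = collate(SAMPLE_LOG)
    for qid, entries in groups.items():
        print(f"== {qid or '(no queue ID)'}")
        for e in entries:
            tag = f" smtp[{e['client_pid']}]" if e["client_pid"] else ""
            print(f"  {e['ts']} {e['prog']}[{e['pid']}]{tag}: {e['msg'][:60]}")
    print("client PID mismatches:", check_client_pids(groups))
```

With the queue ID on the tlsproxy line, the TLS handshake result lands in
the same bucket as the smtp(8) "to=" record for that delivery; the
old-format line ends up under the "(no queue ID)" bucket, which is the
correlation gap described above.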
