Viktor Dukhovni:
> On Fri, Jul 31, 2020 at 02:16:54PM -0400, Wietse Venema wrote:
> 
> > Logged as conn_use=xxx. By default, reuse happens only for plaintext
> > connections.
> > 
> > > >    smtp_tls_connection_reuse=yes
> > 
> > Logged as TLS handshake results plus conn_use=xxx.
> 
> One thing we could likely improve in TLS connection reuse logging is
> logging of an appropriate client session identifier in tlsproxy(8) TLS
> log entries:
> 
>     Jul 21 01:16:57 amnesiac postfix/tlsproxy[64244]:
>         Verified TLS connection established
>         to amnesiac.example[192.0.2.1]:25:
>         TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>         key-exchange X25519 server-signature RSA-PSS (2048 bits)
>         server-digest SHA256
> 
> It is presently difficult to correlate logging in tlsproxy(8) with
> a particular smtp(8) client's delivery attempts.
> 
> We should perhaps have a field in the TLS_SESS_STATE (TLScontext
> variable) that represents a client id for proxy connections, allowing
> tools like "collate" to group relevant logging by tlsproxy(8) with the
> other logging relevant to a given delivery.
> 
> One possibility would be:
> 
>     Jul 21 01:16:57 amnesiac postfix/tlsproxy[64244]:
> -->     QUEUE-ID: smtp[PID]:
>         Verified TLS connection established
>         to amnesiac.example[192.0.2.1]:25:
>         TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>         key-exchange X25519 server-signature RSA-PSS (2048 bits)
>         server-digest SHA256
> 
> So that we identify both the message and the associated delivery agent
> process.  We might then also include the queue-id (but not repeat the
> process id) for other TLS library log messages (warnings and perhaps
> debug messages at log levels != 1).

Logging the (long) queue ID would be safe and sufficient to
disambiguate. Logging the client PID would not be sufficient to
disambiguate.

As for debug logging from multiserver programs such as tlsproxy,
the Postfix TLS library already logs the TCP-level connection info.

On the other hand, the low-level Postfix libraries do not identify
application context in debug logging, and logging such information
would involve architectural changes.

        Wietse
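The correlation problem discussed in this thread, as an added example (this is not code from the thread, and not Postfix's own "collate" script): a small log collator that groups smtp(8) and tlsproxy(8) entries by queue ID, and shows why the smtp(8) PID alone cannot disambiguate. It assumes the proposed tlsproxy prefix has exactly the shape sketched above, "QUEUE-ID: smtp[PID]: ...", and the log lines are constructed samples (syslog writes each entry on one line; the thread wrapped them for readability).

```python
import re
from collections import defaultdict

# Constructed sample log: one smtp(8) process (PID 64201) handles two deliveries
# with different queue IDs. The first tlsproxy(8) entry uses the proposed
# "QUEUE-ID: smtp[PID]:" prefix; the second uses the current prefix-less format.
SAMPLE_LOG = """
Jul 21 01:16:57 amnesiac postfix/smtp[64201]: 3CjpnF1y2Rz2QkS: conn_use=2, to=<alice@example.org>, relay=amnesiac.example[192.0.2.1]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jul 21 01:16:57 amnesiac postfix/tlsproxy[64244]: 3CjpnF1y2Rz2QkS: smtp[64201]: Verified TLS connection established to amnesiac.example[192.0.2.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jul 21 01:16:58 amnesiac postfix/smtp[64201]: 4Dx1Tq3Kc9z5Lbn: conn_use=3, to=<bob@example.org>, relay=amnesiac.example[192.0.2.1]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jul 21 01:16:58 amnesiac postfix/tlsproxy[64244]: Verified TLS connection established to amnesiac.example[192.0.2.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
""".strip().splitlines()

# Syslog prefix as Postfix writes it: "Mon DD HH:MM:SS host postfix/PROGRAM[PID]: text"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<text>.*)$"
)
# Queue ID prefix: an alphanumeric token containing at least one digit, followed by ": ".
# The digit requirement keeps words like "warning:" from being taken for a queue ID.
QUEUE_ID_RE = re.compile(r"^(?P<qid>(?=[0-9A-Za-z]*\d)[0-9A-Za-z]{6,}): (?P<rest>.*)$")
# Assumed tlsproxy client identifier following the queue ID: "smtp[PID]: ..."
PROXY_CLIENT_RE = re.compile(r"^smtp\[(?P<client_pid>\d+)\]: (?P<rest>.*)$")


def parse_line(line):
    """Split one log line into its syslog fields, queue ID and (for tlsproxy) client PID."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["queue_id"] = None
    rec["client_pid"] = None
    q = QUEUE_ID_RE.match(rec["text"])
    if q:
        rec["queue_id"] = q.group("qid")
        rec["text"] = q.group("rest")
        if rec["prog"] == "tlsproxy":
            c = PROXY_CLIENT_RE.match(rec["text"])
            if c:
                rec["client_pid"] = c.group("client_pid")
                rec["text"] = c.group("rest")
    return rec


def collate(lines):
    """Group records by queue ID; entries without one land under 'unattributed'."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        groups[rec["queue_id"] or "unattributed"].append(rec)
    return dict(groups)


def queue_ids_per_client_pid(lines):
    """Map each smtp(8) PID to the queue IDs it delivered: more than one per PID
    is exactly why the PID alone cannot disambiguate tlsproxy(8) entries."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["prog"] == "smtp" and rec["queue_id"]:
            seen[rec["pid"]].add(rec["queue_id"])
    return {pid: sorted(qids) for pid, qids in seen.items()}


if __name__ == "__main__":
    for qid, recs in collate(SAMPLE_LOG).items():
        print(qid)
        for r in recs:
            who = f"{r['prog']}[{r['pid']}]"
            if r["client_pid"]:
                who += f" for smtp[{r['client_pid']}]"
            print(f"  {who}: {r['text']}")
    print("queue IDs per smtp PID:", queue_ids_per_client_pid(SAMPLE_LOG))
```

With the proposed prefix, the first tlsproxy entry lands in the same group as its smtp(8) delivery; the prefix-less entry can only be filed as unattributed, even though the same smtp PID and the same TLS parameters appear in both, because that PID handled two queue IDs within the same second.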
