Raj, I'm taking some time during the end-of-year break to work
on your documentation etc. fixes.

First I did a global analysis of tlsproxy parameter names, both
the client and server side, how they differ from the corresponding
smtpd_ or smtp_ parameter names.

This revealed one more parameter name inconsistency.

For tlsproxy client-side parameter settings,

    postconf -d | grep 'tlsproxy.*smtp_'

The vast majority of results look like:

    tlsproxy_client_mumble = $smtp_tls_mumble

We find the outliers with:

    postconf -d | grep 'tlsproxy.*smtp_' |
        sed 's/smtp_tls_/tlsproxy_client_/' |
        tr -cs 'a-zA-Z0-9_' '\12' | uniq -c | grep -v ' 2 '

The outliers with non-legacy parameter names are:

    tlsproxy_client_level = $smtp_tls_security_level
    tlsproxy_client_policy = $smtp_tls_policy_maps

These should be renamed to:

    tlsproxy_client_security_level = $smtp_tls_security_level
    tlsproxy_client_policy_maps = $smtp_tls_policy_maps

There are two legacy parameters that don't match the common scheme:

    tlsproxy_client_enforce_tls = $smtp_enforce_tls
    tlsproxy_client_use_tls = $smtp_use_tls

but I'd prefer not to change those names.

For the tlsproxy server-side parameter names,

    postconf -d | grep 'tlsproxy.*smtpd_'

All non-legacy parameter outputs look like the following:

    tlsproxy_tls_mumble = $smtpd_tls_mumble

According to

    postconf -d | grep 'tlsproxy.*smtpd_' |
        sed 's/smtpd_tls_/tlsproxy_tls_/' |
        tr -cs 'a-zA-Z0-9_' '\12' | uniq -c | grep -v ' 2 '

there are no outliers in tlsproxy server-side parameter names,
except for two legacy parameters which I would not change.

    tlsproxy_enforce_tls = $smtpd_enforce_tls
    tlsproxy_use_tls = $smtpd_use_tls

Wietse

raf:
> Hi,
>
> I think there's a parameter name that is rightish/better
> in the documentation but wrong/worse in the code.
>
> $ postconf -d | grep security_level
> lmtp_tls_security_level =
> postscreen_tls_security_level = $smtpd_tls_security_level
> smtp_tls_security_level =
> smtpd_tls_security_level =
> tlsproxy_client_level = $smtp_tls_security_level
> tlsproxy_tls_security_level = $smtpd_tls_security_level
>
> But http://www.postfix.org/postconf.5.html does not mention
> tlsproxy_client_level. However, it does have an entry for
> tlsproxy_client_security_level, which doesn't appear in
> the above postconf output (and it's a better name, but could
> be better still - see below).
>
> This postconf is from postfix-3.5.6, and things might have changed
> since then, but the local postconf(5) manpage and the online
> postconf.5.html (3.7) both agree on this.
>
> tlsproxy_client_security_level (default: $smtp_tls_security_level)
> The default TLS security level for the Postfix tlsproxy(8) client.
> See smtp_tls_security_level for further details.
> This feature is available in Postfix 3.4 and later.
>
> I guess technically, the code is right by definition,
> and the manual is wrong, but I'd prefer to think it's
> the other way around, and the name in the code can be
> changed, and the manual updated to reflect the
> existence of both forms and what Postfix version range
> they exist in.
>
> Although, a more consistent name would be
> tlsproxy_client_tls_security_level, so if the name were
> to be changed in the code, perhaps it could be changed
> to that instead.
>
> cheers,
> raf
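
The naming check from the message above, as an added example that is not part of the original thread and not Postfix code: it covers both the client and server side in one pass and prints each outlier next to the name the scheme predicts. The function names, the "legacy" classification rule and the sample input (built from lines quoted in the thread, including its "mumble" placeholder) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix).
# Reads "postconf -d" style lines ("name = value") on stdin and reports
# tlsproxy parameters whose name does not follow the scheme in the thread:
#   $smtp_tls_X  -> tlsproxy_client_X   (client side)
#   $smtpd_tls_X -> tlsproxy_tls_X      (server side)
# Assumption: a default that references smtp_/smtpd_ without "tls_" is one
# of the legacy parameters and is listed separately, not as an outlier.
tlsproxy_name_outliers() {
    awk -F' = ' '
    # Only tlsproxy parameters whose default is a single $smtp(d)_ reference.
    $1 ~ /^tlsproxy_/ && $2 ~ /^\$smtpd?_[A-Za-z0-9_]+$/ {
        ref = substr($2, 2)                       # drop the leading "$"
        if (ref ~ /^smtpd_tls_/) {
            want = "tlsproxy_tls_" substr(ref, length("smtpd_tls_") + 1)
        } else if (ref ~ /^smtp_tls_/) {
            want = "tlsproxy_client_" substr(ref, length("smtp_tls_") + 1)
        } else {
            print "legacy", $1
            next
        }
        if ($1 != want) {
            print "outlier", $1, want             # actual name, expected name
        }
    }'
}

# Constructed sample input: lines quoted in the thread plus its "mumble"
# placeholder standing in for the conforming majority.
sample_postconf() {
    cat <<'EOF'
smtp_tls_security_level = 
tlsproxy_client_mumble = $smtp_tls_mumble
tlsproxy_client_level = $smtp_tls_security_level
tlsproxy_client_policy = $smtp_tls_policy_maps
tlsproxy_client_use_tls = $smtp_use_tls
tlsproxy_tls_mumble = $smtpd_tls_mumble
tlsproxy_tls_security_level = $smtpd_tls_security_level
tlsproxy_use_tls = $smtpd_use_tls
EOF
}

sample_postconf | tlsproxy_name_outliers
```

On a live system the same function can be fed directly with `postconf -d | tlsproxy_name_outliers`.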