Logging in- and outgoing TLS

  • Sig Pam
    Message 1 of 5 , Aug 19, 2013
      Hi everybody!

      I need a push in the right direction.

      I want to record the usage and not-usage of TLS on in- and outbound SMTP
      Sessions. I succeeded on incoming messages, but failed for outgoing.

      For inbound mails, I have the following lines in master.cf:

      smtp inet n - - - - smtpd
      -o content_filter=dfilt:
      -o content_filter=analyze:dummy
      [...]
      analyze unix - n n - 10 pipe
      flags=Rq user=filter null_sender=
      argv=/etc/postfix/before_filter -f ${sender} -- ${recipient}

      In conjunction with the main.cf setting

      smtpd_tls_received_header = yes

      to screen for a TLS header using the before_filter.


      But this only works for inbound messages (because the script is executed
      AFTER it is received, not AFTER it has been sent).


      How can I detect if an OUTGOING message has been sent using TLS?

      I also thought about setting the smtp[d]_tls_loglevel variable and parsing
      the mail log file, but I have serious trouble bringing the correct log lines
      into context (qmgr logs "from=", smtp logs "to=" and TLS negotiation).

      Thank you very much,

      Sig
    • Viktor Dukhovni
      Message 2 of 5 , Aug 19, 2013
        On Mon, Aug 19, 2013 at 02:01:41PM +0200, Sig Pam wrote:

        > I want to record the usage and not-usage of TLS on in- and outbound SMTP
        > Sessions. I succeeded on incoming messages, but failed for outgoing.

        The correct solution is to parse the logs. A log parser can
        re-assemble the full state of a mail transaction. I've posted a
        Perl parser along those lines some time within the last year or so
        IIRC.

        > smtp inet n - - - - smtpd
        > -o content_filter=dfilt:
        > -o content_filter=analyze:dummy
        > [...]
        > analyze unix - n n - 10 pipe
        > flags=Rq user=filter null_sender=
        > argv=/etc/postfix/before_filter -f ${sender} -- ${recipient}
        >
        > In conjuction with the main.cf settings
        >
        > smtpd_tls_received_header = yes

        This is hugely inefficient.

        You can use smtp_tls_policy_maps to unconditionally require TLS
        for some destinations.

        --
        Viktor.
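        One way to re-assemble a transaction from the three log lines Sig names (the qmgr "from=" line, the smtp "to=" line and the TLS negotiation line), written for this thread as an added Python example; it is not Viktor's Perl parser. The log lines are constructed, and the correlation assumes the TLS line is logged by the same smtp process that then logs the "to=" lines for deliveries over that connection.

        ```python
        import re

        # Constructed Postfix log sample (two messages; not from the original thread).
        SAMPLE_LOG = """\
        Aug 19 14:01:02 mx postfix/qmgr[1201]: 3AB12C4D5E: from=<alice@example.org>, size=1834, nrcpt=1 (queue active)
        Aug 19 14:01:03 mx postfix/smtp[1350]: Trusted TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        Aug 19 14:01:03 mx postfix/smtp[1350]: 3AB12C4D5E: to=<bob@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F1A2)
        Aug 19 14:02:10 mx postfix/qmgr[1201]: 7CD34E5F6A: from=<alice@example.org>, size=912, nrcpt=1 (queue active)
        Aug 19 14:02:11 mx postfix/smtp[1351]: 7CD34E5F6A: to=<carol@plain.example>, relay=mx.plain.example[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 Ok)
        """

        QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>")
        SMTP_TLS = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>\w+) TLS connection established to "
                              r"(?P<relay>.+?): (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)")
        SMTP_TO = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
                             r"relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")

        def analyze(log_text):
            """Return one record per outbound delivery, carrying the TLS parameters
            of the connection it used, or tls=None when the session was plaintext."""
            senders = {}       # queue id -> envelope sender (from the qmgr line)
            tls_by_conn = {}   # (smtp pid, relay) -> TLS details of that process's connection
            deliveries = []
            for line in log_text.splitlines():
                m = QMGR_FROM.search(line)
                if m:
                    senders[m["qid"]] = m["sender"]
                    continue
                m = SMTP_TLS.search(line)
                if m:
                    # The TLS line has no queue id; it is tied to the later to= lines
                    # only through the smtp process id and the relay it connected to.
                    tls_by_conn[(m["pid"], m["relay"])] = {
                        "trust": m["trust"], "proto": m["proto"], "cipher": m["cipher"]}
                    continue
                m = SMTP_TO.search(line)
                if m:
                    deliveries.append({
                        "qid": m["qid"], "from": senders.get(m["qid"]), "to": m["rcpt"],
                        "relay": m["relay"], "status": m["status"],
                        "tls": tls_by_conn.get((m["pid"], m["relay"])),
                    })
            return deliveries

        if __name__ == "__main__":
            for d in analyze(SAMPLE_LOG):
                print(d["qid"], d["from"], "->", d["to"], "via", d["relay"],
                      d["tls"]["proto"] if d["tls"] else "PLAINTEXT")
        ```

        The two dictionaries are the per-transaction state Viktor describes; a real analyzer would have to persist them when one log file ends before the "to=" line is written, and a plaintext reconnect by the same smtp process to the same relay would need a connection-close marker to invalidate the stale entry.
        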
      • Sig Pam
        Message 3 of 5 , Aug 19, 2013
          Thank you, Viktor.

          I already found the script, so I'll look at this.

          Sig.

          -----Original Message-----
          From: owner-postfix-users@...
          [mailto:owner-postfix-users@...] On behalf of Viktor Dukhovni

          On Mon, Aug 19, 2013 at 02:01:41PM +0200, Sig Pam wrote:

          > I want to record the usage and not-usage of TLS on in- and outbound SMTP
          > Sessions. I succeeded on incoming messages, but failed for outgoing.

          The correct solution is to parse the logs. A log parser can
          re-assemble the full state of a mail transaction. I've posted a
          Perl parser along those lines some time within the last year or so
          IIRC.
        • Viktor Dukhovni
          Message 4 of 5 , Aug 19, 2013
            On Mon, Aug 19, 2013 at 02:29:28PM +0200, Sig Pam wrote:
            > Thank you, Viktor.
            >
            > I already found the script, so I'll look at this.

            http://www.mail-archive.com/postfix-devel@.../msg00292.html

            I forgot I posted it to postfix-devel, not postfix-users. The
            missing feature is saving state across log file boundaries read in
            separate invocations of the analyzer. This is not difficult, but
            I've not had a chance to add it.

            --
            Viktor.
          • Sig Pam
            Message 5 of 5 , Aug 19, 2013
              Again, thanks. I'll see through the code.

              Cheers,

              Sig.

              -----Original Message-----
              From: owner-postfix-users@...
              [mailto:owner-postfix-users@...] On behalf of Viktor Dukhovni
              Sent: Monday, 19 August 2013 14:36
              To: postfix-users@...
              Subject: Re: Logging in- and outgoing TLS

              On Mon, Aug 19, 2013 at 02:29:28PM +0200, Sig Pam wrote:
              > Thank you, Viktor.
              >
              > I already found the script, so I'll look at this.

              http://www.mail-archive.com/postfix-devel@.../msg00292.html

              I forgot I posted it to postfix-devel, not postfix-users. The
              missing feature is saving state across log file boundaries read in
              separate invocations of the analyzer. This is not difficult, but
              I've not had a chance to add it.

              --
              Viktor.