Package: logcheck-database
Version: 1.3.20
Severity: normal
File: /etc/logcheck/ignore.d.server/postfix

Dear Maintainer,

There is the following rule in ignore.d.server/postfix.

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: ((Anonymous|Trusted|Verified) )?TLS connection established (to|from) [^[:space:]]+: (TLSv1(\.[[:digit:]])?|SSLv[23]) with cipher [^[:space:]]+ \([/[:digit:]]+ bits\)$

This rule is for the log message written when a TLS connection is established.
But when TLS 1.3 is used, the log message is written as follows.

Mar 22 03:02:05 mailclient postfix/smtp[12345]: Trusted TLS connection established to mailserver.example.org[192.168.0.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256

And it doesn't match the above rule.
I checked the definition of tls_log_summary() (the function that writes this
message) in src/tls/tls_misc.c of Postfix 3.4.4.
According to it, the rule should be updated as follows.

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: ((Anonymous|Trusted|Untrusted|Verified) )?TLS connection (established|reused) (to|from) [^[:space:]]+( to [^[:space:]]+)?: (TLSv1(\.[[:digit:]])?|SSLv[23]) with cipher [^[:space:]]+ \([[:digit:]]+/[[:digit:]]+ bits\)( key-exchange [^[:space:]]+( \(([^[:space:]]+|[[:digit:]]+ bits)\))?)?( server-signature [^[:space:]]+( \(([^[:space:]]+|[[:digit:]]+ bits)\))?( server-digest [^[:space:]]+)?)?( client-signature [^[:space:]]+(\(([^[:space:]]+|[[:digit:]]+ bits)\))?( client-digest [^[:space:]]+)?)?$

Best Regards.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information
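
A way to check both rules against the reported log line before installing the change, as an added example that is not part of the original report. logcheck filters with egrep, so `grep -E` is used here; the TLS 1.2 and certificate-failure lines are constructed samples, and `ignored` and `report` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: run logcheck-style ignore rules over sample log lines.

# Rule quoted in the report as currently shipped in ignore.d.server/postfix.
OLD_RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: ((Anonymous|Trusted|Verified) )?TLS connection established (to|from) [^[:space:]]+: (TLSv1(\.[[:digit:]])?|SSLv[23]) with cipher [^[:space:]]+ \([/[:digit:]]+ bits\)$'

# Rule proposed in the report, joined onto one line as logcheck requires.
NEW_RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: ((Anonymous|Trusted|Untrusted|Verified) )?TLS connection (established|reused) (to|from) [^[:space:]]+( to [^[:space:]]+)?: (TLSv1(\.[[:digit:]])?|SSLv[23]) with cipher [^[:space:]]+ \([[:digit:]]+/[[:digit:]]+ bits\)( key-exchange [^[:space:]]+( \(([^[:space:]]+|[[:digit:]]+ bits)\))?)?( server-signature [^[:space:]]+( \(([^[:space:]]+|[[:digit:]]+ bits)\))?( server-digest [^[:space:]]+)?)?( client-signature [^[:space:]]+(\(([^[:space:]]+|[[:digit:]]+ bits)\))?( client-digest [^[:space:]]+)?)?$'

# Log line quoted in the report (TLS 1.3).
TLS13_LINE='Mar 22 03:02:05 mailclient postfix/smtp[12345]: Trusted TLS connection established to mailserver.example.org[192.168.0.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256'

# Constructed samples: a pre-TLS-1.3 style summary, and a line that must
# never be filtered by a "connection established" rule.
TLS12_LINE='Mar 22 03:02:05 mailclient postfix/smtp[12345]: Trusted TLS connection established to mailserver.example.org[192.168.0.1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)'
FAIL_LINE='Mar 22 03:02:06 mailclient postfix/smtp[12345]: certificate verification failed for mailserver.example.org[192.168.0.1]:25: untrusted issuer'

# ignored RULE LINE: succeeds if logcheck would filter LINE out under RULE.
ignored() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# report NAME RULE: print a verdict for each sample line under RULE.
report() {
    for line in "$TLS12_LINE" "$TLS13_LINE" "$FAIL_LINE"; do
        if ignored "$2" "$line"; then v=ignored; else v=REPORTED; fi
        printf '%s rule: %-8s %.70s...\n' "$1" "$v" "$line"
    done
}

report old "$OLD_RULE"
report new "$NEW_RULE"
```

Keeping a line that must stay reported in the sample set guards against a widened rule silently suppressing real TLS failures.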
