On Mon, Nov 19, 2018 at 11:45:18PM +0100, J. Thomsen wrote:

> >> 1) Postfix
> >> Later I have found the posttls-finger program in the Postfix
> >> distribution, but
> >> the logging in this program should be present in the Postfix smtp itself
> >> when using the
> >> smtp_tls_loglevel parameter (and still improvements in the documentation
> >> are needed)
> >
> > Do you have a specific suggestion of what you'd like to see logged,
> > and a specific log message format? Would this be additional log
> > entries per connection, or more information in the summary TLS
> > connection log entry?
>
> I think it would be a large improvement, if just the basic logging of
> posttls-finger -c could be added. Then increasing the smtp_tls_loglevel
> would make things clearer.
That's not terribly specific, what specifically in those logs do you
find compelling and why?

posttls-finger: using DANE RR: _25._tcp.smtp.dukhovni.org IN TLSA 3 1 1 5E:07:8B:31:60:56:9F:16:5A:69:EB:86:03:95:BB:BD:C7:57:6C:36:03:C3:45:2B:07:13:9C:27:6B:26:D0:1C
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: depth=0 matched end entity public-key sha256 digest=5E:07:8B:31:60:56:9F:16:5A:69:EB:86:03:95:BB:BD:C7:57:6C:36:03:C3:45:2B:07:13:9C:27:6B:26:D0:1C
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25 CommonName mournblade.imrryr.org
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: subject_CN=mournblade.imrryr.org, issuer_CN=mournblade.imrryr.org, fingerprint=D0:29:E8:0C:9D:20:08:F5:47:D8:A8:3A:62:D9:52:A4:E4:8F:A1:64:3E:BD:1E:5E:C6:A3:4C:1E:EB:DB:BB:43, pkey_fingerprint=5E:07:8B:31:60:56:9F:16:5A:69:EB:86:03:95:BB:BD:C7:57:6C:36:03:C3:45:2B:07:13:9C:27:6B:26:D0:1C
posttls-finger: Verified TLS connection established to smtp.dukhovni.org[100.2.39.101]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

I think that 5 log messages where one was looks reasonably sufficient
to me are probably too much.

> When implementing DANE it is helpful to increase the value of
> smtp_tls_loglevel to at least X.

I've always found level 1 to be sufficient for routine logging.

> Also using posttls-finger included with the source code of Postfix can be
> recommended.

Various Linux distributions, and FreeBSD do include posttls-finger.

> Postfix is logging various messages at the end of the TLS negotiation:
>
> Anonymous TLS connection ..
> This is logged, when ...
>
> Untrusted TLS connection ...
> This is logged, when ....
>
> Trusted TLS connection ....
> This is logged, when ....
>
> Verified TLS connection ...
> This is logged, when ....

This is covered in FORWARD_SECRECY_README, as mentioned previously.
> It also makes it possible to handle the key rollover as you suggest, but here
> it should also be
> noted, that the "3 1 1" format allows a certificate to be renewed without
> changing the TLSA record,
> as long as the private key is not changed (RFC 6698 A.1.2.2)

https://tools.ietf.org/html/rfc7671#section-5.1
https://tools.ietf.org/html/rfc7671#section-8.1
https://imrryr.org/~viktor/ICANN61-viktor.pdf

-- 
	Viktor.
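An added example, not part of this thread or of Postfix: a short shell script that derives the "3 1 1" TLSA data (SHA-256 of the certificate's SubjectPublicKeyInfo, the value posttls-finger shows as pkey_fingerprint) with the openssl CLI, and checks the renewal-versus-rollover behaviour the quoted text describes. The host name mx.example.test and the keys and certificates it generates are constructed for the demo; it assumes only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): compute the data field of a
# "3 1 1" TLSA record (selector 1 = SubjectPublicKeyInfo, matching 1 =
# SHA-256) and show that it survives a certificate renewal that keeps the
# key, but changes once a new key is used. Assumes the openssl CLI.
set -eu

# SHA-256 of the DER SubjectPublicKeyInfo in CERT.pem: the "3 1 1" data,
# and also what posttls-finger reports as "pkey_fingerprint" (minus colons).
tlsa311_digest() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Full zone-file line for port 25 of NAME, derived from CERT.pem.
tlsa_record() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(tlsa311_digest "$2")"
}

# Constructed demo: cert1 and cert2 share key1 (a renewal), cert3 uses key2
# (a key rollover). Returns 0 when the 3 1 1 digest is unchanged by the
# renewal and changed by the rollover, 1 otherwise.
demo_rollover() {
    dir=$(mktemp -d)
    for k in 1 2; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$dir/key$k.pem" 2>/dev/null
    done
    for n in 1 2; do   # two certificates, same key: a routine renewal
        openssl req -new -x509 -key "$dir/key1.pem" -days 30 \
            -subj "/CN=mx.example.test" -out "$dir/cert$n.pem" 2>/dev/null
    done
    openssl req -new -x509 -key "$dir/key2.pem" -days 30 \
        -subj "/CN=mx.example.test" -out "$dir/cert3.pem" 2>/dev/null
    d1=$(tlsa311_digest "$dir/cert1.pem")
    d2=$(tlsa311_digest "$dir/cert2.pem")
    d3=$(tlsa311_digest "$dir/cert3.pem")
    tlsa_record mx.example.test "$dir/cert3.pem"   # record to publish after rollover
    rm -rf "$dir"
    [ "$d1" = "$d2" ] && [ "$d1" != "$d3" ]
}
```

Publishing the new key's record alongside the old one before switching certificates is the rollover sequence RFC 7671 section 8.1 describes; the old record can be dropped once the new certificate is live.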