On 14/01/2026 at 23:23, A.Schulze via Postfix-users wrote:
Hello,
inspecting my logs, I do not see the values described in
https://www.postfix.org/postconf.5.html#smtp_log_tls_feature_status
1) I see the value "tls=dane-only" for connections to @postfix.org
Jan 06 20:58:38 mta postfix/smtp[10827]: 4dm26N1TFcz35x91N:
to=<[email protected]>,
relay=list.sys4.de[2a03:4000:20:189::195]:25, delay=2.7,
delays=0.2/0.05/2.3/0.2, tls=dane-only, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 4dm26W4P6HzyVX)
2) I see the value "tls=secure" for connections to @gmail.com
Jan 13 15:52:49 mail postfix/smtp[2955]: 4drC0J2JhHz14t5:
to=<****@gmail.com>,
relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1a]:25,
delay=1.2, delays=0.2/0.03/0.5/0.44, tls=secure, dsn=2.0.0,
status=sent (250 2.0.0 OK 1768315969
ffacd0b85a97d-432bd62e50csi32288510f8f.498 - gsmtp)
# postconf mail_version smtp_log_tls_feature_status smtp_tls_policy_maps
mail_version = 3.11.0-RC3
smtp_log_tls_feature_status = yes
smtp_tls_policy_maps =
socketmap:unix:/path/to/postfix-tlspol:QUERYwithTLSRPT
I'm using https://github.com/Zuplu/postfix-tlspol
# root@postfix-tlspol:/# /postfix-tlspol -query postfix.org
{
"version": "1.8.24",
"domain": "postfix.org",
"dane": {
"policy": "dane-only",
"time": "256ms",
"ttl": 600
},
"mta-sts": {
"policy": "",
"report": "",
"time": "83ms",
"ttl": 0
}
}
# root@postfix-tlspol:/# /postfix-tlspol -query gmail.com
{
"version": "1.8.24",
"domain": "gmail.com",
"dane": {
"policy": "",
"time": "7ms",
"ttl": 0
},
"mta-sts": {
"policy": "secure
match=gmail-smtp-in.l.google.com:.gmail-smtp-in.l.google.com
servername=hostname",
"report": "policy_type=sts policy_domain=gmail.com
mx_host_pattern=gmail-smtp-in.l.google.com
mx_host_pattern=*.gmail-smtp-in.l.google.com { policy_string =
version: STSv1 } { policy_string = mode: enforce } { policy_string =
mx: gmail-smtp-in.l.google.com } { policy_string = mx:
*.gmail-smtp-in.l.google.com } { policy_string = max_age: 86400 }",
"time": "56ms",
"ttl": 86400
}
}
To me, it looks like the dane/mta-sts policy value gets logged as
tls=... but this doesn't match the documentation. Can the usage of
smtp_tls_policy_maps= be somehow related?
Quoting the documentation:
"The first feature name is the TLS security level: 'none', 'may',
'encrypt', etc."
The list is not exhaustive.
"Examples for TLS security levels: "
These are some examples, not all possible values.
Emmanuel.
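
An added example (not part of the thread, and not Postfix or postfix-tlspol code): a Python script that rejoins wrapped postfix/smtp delivery records like those quoted above and tallies the logged tls= value per relay, so levels outside the documentation's examples show up instead of being dropped. The log lines are constructed, the level names are those of the smtp_tls_security_level documentation, the authenticated/unauthenticated grouping is this example's assumption, and the whole tls= value is treated as one name, as in the thread's logs.

```python
import re
from collections import Counter

# Level names per Postfix smtp_tls_security_level; the split is this example's policy.
UNAUTHENTICATED = {"none", "may", "encrypt"}
AUTHENTICATED = {"dane", "dane-only", "fingerprint", "verify", "secure"}
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FIELD = re.compile(r"\b(relay|tls|status)=([^,\s]+)")

# Constructed sample in the thread's log format; the first record is wrapped.
SAMPLE = """\
Jan 06 20:58:38 mta postfix/smtp[101]: QID1: to=<a@example.org>,
relay=mx.example.org[2001:db8::25]:25, delay=2.7, delays=0.2/0.05/2.3/0.2,
tls=dane-only, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as QID2)
Jan 06 21:02:11 mta postfix/smtp[102]: QID3: to=<b@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.2/0.03/0.5/0.44, tls=secure, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 06 21:05:40 mta postfix/smtp[103]: QID4: to=<c@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=0.9, delays=0.1/0.02/0.4/0.38, tls=may, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 06 21:09:02 mta postfix/smtp[104]: QID5: to=<d@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=0.7, delays=0.1/0.02/0.3/0.28, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def classify(tls):
    """Bucket a tls= value; names outside both sets stay visible as 'unknown'."""
    if tls is None:
        return "not-logged"
    return ("authenticated" if tls in AUTHENTICATED
            else "unauthenticated" if tls in UNAUTHENTICATED else "unknown")

def deliveries(text):
    """Yield (relay host, tls value or None) per postfix/smtp delivery record."""
    for rec in unwrap(text):
        fields = dict(FIELD.findall(rec))
        if "postfix/smtp[" in rec and "status" in fields:
            yield fields.get("relay", "").split("[")[0], fields.get("tls")

def summarize(text):
    """Count deliveries per (relay host, tls value, bucket)."""
    return Counter((r, t, classify(t)) for r, t in deliveries(text))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```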