Jim Seymour via Postfix-users:
> On Fri, 30 Jan 2026 17:45:38 -0500 (EST)
> Wietse Venema via Postfix-users <[email protected]> wrote:
> 
> [snip]
> > 
> > Never at the end. Each field is either what Postfix wanted (no
> > colon), or what-it-wanted:what-it-got (one colon).
> > 
> > ...tls=none, ... (want: plaintext, got: plaintext)
> > 
> > ..., tls=may, ... (want: opportunistic TLS, got: opportunistic TLS)
> > 
> > ..., tls=may:none, ... (want: opportunistic TLS, got: plaintext)
> > 
> > ..., tls=blah/foo:bar, ... (want: foo, got: bar)
> [snip]
> 
> So might these fields more accurately be described as "requested" and
> "achieved" (or "negotiated") rather than "level" and "policies"?
> 
> Either way: The fact that levels can appear alone makes things a bit
> tricky for me in pflogsumm's logic, but there's an easy fix: Fake it.
> When no policies appear, treat the level itself as policy. Thus a
> report might look like:
> 
>     SMTPD TLS Stats
>     ---------------
>       may (612)
>            612   may 
>       dane (149)
>            149   dane
>       encrypt (19)
>             19   encrypt
>       dane? (19)
>              2   dane?
> 
> using Viktor's numbers for illustration. Or I could...
> 
>     SMTPD TLS Stats
>     ---------------
>       may (612)
>            612   as-requested
>       dane (149)
>            149   as-requested
>       encrypt (19)
>             19   as-requested
>       dane? (19)
>              2   as-requested
> 
> Where "as-requested" means "the requested TLS security level was
> achieved and no additional policy-feature status was logged," which
> might make that more visible?
> 
> Thoughts?

I would just 

    payload = skip("tls=blah/blah...", 4)

    features[] = split(payload, "/")

and count the number of instances of each feature complete with
decorations, with a translation into human text.

        may (count, opportunistic TLS)

        may:none (count, opportunistic TLS, fall back to plaintext)

        may? (count, opportunistic TLS, connection failed)

        dane? (count, opportunistic dane, connection failed)

        dane:may (number, opportunistic dane, fallback to opportunistic TLS)

        !dane-only (number, DANE required, policy violation)

        encrypt (number, TLS required)

        !encrypt:none (number, TLS required, TLS unavailable, policy violation)

Coming up with the human translation is real work, feel free to
reach out to me (and Viktor) to clear up any confusion.

        Wietse
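
The counting approach described in the message above, sketched as an added example; it is not code from the original post, from Postfix, or from pflogsumm. The function names, the comma/whitespace delimiter assumed around the `tls=` field, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Human text for the decorated features listed in the message above.
DESCRIPTIONS = {
    "may": "opportunistic TLS",
    "may:none": "opportunistic TLS, fall back to plaintext",
    "may?": "opportunistic TLS, connection failed",
    "dane?": "opportunistic dane, connection failed",
    "dane:may": "opportunistic dane, fallback to opportunistic TLS",
    "!dane-only": "DANE required, policy violation",
    "encrypt": "TLS required",
    "!encrypt:none": "TLS required, TLS unavailable, policy violation",
}

# Assumption: the field ends at a comma or whitespace, as in "..., tls=may:none, ...".
# The leading delimiter keeps a key such as "starttls=" from matching.
TLS_FIELD = re.compile(r"(?:^|[\s,])tls=([^,\s]+)")

def tls_features(line):
    """Return the '/'-separated features of the tls= field, decorations kept."""
    match = TLS_FIELD.search(line)
    if not match:
        return []  # line carries no tls= field
    return [feature for feature in match.group(1).split("/") if feature]

def count_features(lines):
    """Count every feature, complete with its '!', '?' and ':got' decorations."""
    counts = Counter()
    for line in lines:
        counts.update(tls_features(line))
    return counts

def report(counts):
    """One row per feature, most frequent first, with the human translation."""
    ordered = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return [f"{name} ({n}, {DESCRIPTIONS.get(name, 'no translation yet')})"
            for name, n in ordered]

# Constructed sample lines; only the tls= field follows the format shown above.
SAMPLE_LINES = [
    "to=<a@example.com>, tls=may, status=sent",
    "to=<b@example.com>, tls=may, status=sent",
    "to=<c@example.com>, tls=may:none, status=sent",
    "to=<d@example.com>, tls=dane?, status=deferred",
    "to=<e@example.com>, tls=!encrypt:none, status=deferred",
    "to=<f@example.com>, tls=blah/foo:bar, status=sent",
    "to=<g@example.com>, status=sent",
]

if __name__ == "__main__":
    print("\n".join(report(count_features(SAMPLE_LINES))))
```

Features without an entry in the table are still counted and reported as untranslated, so new decorations show up in the output rather than being dropped.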