Hi Wietse,

Thanks for the quick response. Just tried it: smtp_tls_loglevel = 1 tells me the cipher used, but not really anything on the certificate (fingerprint/digest or serial-#/issuer not visible). Even smtp_tls_loglevel = 4 doesn't show that in an obvious way :(

What did you have in mind with "can be extracted from mail delivery logfile records"?

Also, doing "openssl s_client" or alike after the transmission
- has the risk that an attacker (e.g. MITM) would not show the same certificate anymore and
- basically duplicates the TLS handshake load on the sending server

Would it be hard to have the *real certificate* used written into mysql or alike? Would that be a big patch to the postfix sources?

Ralf

> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Wietse Venema
> Sent: Sunday, 16 March 2014 17:11
> To: Postfix users
> Subject: Re: Statistics on TLS certificates used when sending with
> opportunistic TLS
>
> Ralf Hauser:
> > Hi,
> >
> > Fortunately, more and more smtp servers offer STARTTLS.
> > I would like to analyze the certificates used when employing STARTTLS
> > "opportunistically".
> >
> > Is there a way to have postfix e.g. insert into a mysql table for
> > every message sent over TLS the following record:
> > 1) recipient domain name
> > 2) hostname (of MTA as per MX record)
> > 3) host-ip
> > 4) certificate(-chain) used (e.g. in PEM format)
>
> Most of this information can be extracted from existing mail delivery logfile
> records. You can get the certificate chain with "posttls-finger", "openssl
> s_client" and equivalents.
>
> Wietse
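As an added example (not code from this thread, from Postfix, or from either poster), here is what "extracted from existing mail delivery logfile records" can look like in practice: a small Python parser that joins the smtp(8) TLS summary line ("Untrusted/Trusted/Verified TLS connection established to host[ip]:25: ...") with the following "to=<...>, relay=host[ip]:25, ... status=sent" record from the same smtp process, yielding recipient domain, MX hostname, host IP, trust level, protocol and cipher per delivery. The log lines are constructed samples in the documented Postfix format; as the reply above notes, the summary line carries no certificate fingerprint, so this records only what the log has and flags deliveries that went out without TLS.

```python
import re
from collections import Counter

# Constructed sample log lines, modelled on Postfix smtp(8) output.
# Line 1+2: TLS delivery; line 3: plaintext delivery (no TLS summary line);
# line 4+5: delivery over a verified TLS connection.
SAMPLE_LOG = """\
Mar 16 17:11:01 mail postfix/smtp[1234]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 16 17:11:02 mail postfix/smtp[1234]: A1B2C3D4E5: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar 16 17:11:05 mail postfix/smtp[1235]: B2C3D4E5F6: to=<carol@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Mar 16 17:11:09 mail postfix/smtp[1236]: Verified TLS connection established to mx2.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 16 17:11:10 mail postfix/smtp[1236]: C3D4E5F6A7: to=<dave@example.com>, relay=mx2.example.com[203.0.113.5]:25, delay=1.5, delays=0.2/0/0.6/0.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
"""

# TLS summary line written by smtp(8) when the handshake completes.
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Per-recipient delivery record written by smtp(8) after the transaction.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+, .*status=(?P<status>\w+)"
)


def build_records(lines):
    """Join TLS summary lines to the delivery records of the same smtp process.

    Returns one dict per delivery with recipient domain, relay host/IP and the
    TLS parameters (trust level "none" when no TLS line preceded the delivery).
    """
    pending = {}  # pid -> most recent TLS summary for that smtp process
    records = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            pending[m["pid"]] = m.groupdict()
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        tls = pending.get(m["pid"])
        # Only trust the join when the TLS line names the same relay host/IP.
        if tls is None or tls["host"] != m["host"] or tls["ip"] != m["ip"]:
            tls = None
        records.append({
            "queue_id": m["qid"],
            "recipient_domain": m["rcpt"].rsplit("@", 1)[-1].lower(),
            "hostname": m["host"],
            "host_ip": m["ip"],
            "status": m["status"],
            "tls_level": tls["level"] if tls else "none",
            "protocol": tls["proto"] if tls else None,
            "cipher": tls["cipher"] if tls else None,
        })
        # A connection is reused for one relay only; clear once consumed.
        pending.pop(m["pid"], None)
    return records


def summarize(records):
    """Count deliveries per TLS trust level (including "none" for plaintext)."""
    return dict(Counter(r["tls_level"] for r in records))


if __name__ == "__main__":
    recs = build_records(SAMPLE_LOG.splitlines())
    for r in recs:
        print(r["recipient_domain"], r["hostname"], r["host_ip"], r["tls_level"], r["cipher"])
    print(summarize(recs))
```

Feeding real mail.log lines through build_records gives the first three of the four columns asked for, plus the trust level, which is what you want to count when assessing how much outbound mail actually benefits from opportunistic STARTTLS; the certificate itself still has to come from a separate source.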