On Fri, Aug 21, 2009 at 12:35:38PM -0400, Wietse Venema wrote:
> I looked up TLS_README, and it would not hurt to have a short
> sentence here and there to define terminology.
Will the following do?

Index: proto/TLS_README.html --- proto/TLS_README.html 28 Apr 2009 21:44:30 -0000 1.1.1.2 +++ proto/TLS_README.html 21 Aug 2009 17:28:25 -0000
@@ -425,10 +425,40 @@ <blockquote> <pre> /etc/postfix/main.cf: - smtpd_tls_loglevel = 0 + smtpd_tls_loglevel = 1 </pre> </blockquote> +<p> With log levels 1 and higher, the TLS handshake status is logged +as follows (example using syslog-ng with ISO date timestamps): </p> + +<blockquote> +<pre> +2009-08-21T12:00:00-0400 amnesiac postfix/smtpd[30440]: Anonymous TLS connection established from smtpout.example.com[192.0.2.1]: TLSv1 with cipher RC4-SHA (128/128 bits) +</pre> +</blockquote> + +<p> Here, "Anonymous" means that the remote SMTP client did not present +a certificate to "prove" its identity, which is the usual case, since by +default the Postfix SMTP server does not ask for a client certificate, and +so none is sent even if the SMTP client is configured with a certificate +(many are not). </p> + +<p> Do not confuse "Anonymous" clients (as above) with anonymous TLS +ciphers. With anonymous TLS ciphers, neither the server nor the client +use certificates. Such ciphers have "ADH" (Anonymous Diffie-Hellman) +or "AECDH" (Anonymous Elliptic Curve Diffie-Hellman) in their name, +and in this case the Postfix SMTP <b>client</b> records the remote SMTP +server as "Anonymous". </p> + +<p> When the Postfix SMTP server asks for a client certificate and +the remote SMTP client presents one, "Anonymous" will be replaced by +"Trusted" if the client certificate trust chain is valid and certificate +is not expired, or "Untrusted" otherwise. Client certificates are never +"Verified", as the Postfix SMTP server does not expect any particular +client identity that it can verify. Postfix uses client certificates +only for access control, not identity verification. </p> + <p> To include information about the protocol and cipher used as well as the client and issuer CommonName into the "Received:" message header, set the smtpd_tls_received_header variable to true. 
@@ -1102,10 +1132,39 @@ <blockquote> <pre> /etc/postfix/main.cf: - smtp_tls_loglevel = 0 + smtp_tls_loglevel = 1 </pre> </blockquote> +<p> With log levels 1 and higher, the TLS handshake status is logged +as follows (example using syslog-ng with ISO date timestamps): </p> + +<blockquote> +<pre> +2009-08-21T00:00:06-0400 amnesiac postfix/smtp[3592]: Untrusted TLS connection established to smtpin.example.com[192.0.2.1]:25: TLSv1 with cipher RC4-MD5 (128/128 bits) +</pre> +</blockquote> + +<p> Here, "Untrusted" means that the remote SMTP server certificate is +not signed by a trusted root CA, or is expired, or required intermediate +certificates are not sent by the remote SMTP server, or some other issue +makes it impossible to determine the server identity. This is the normal +case with a self-signed remote server certificate. </p> + +<p> When the Postfix SMTP client is not configured to verify the +server certificate (smtp_tls_security_level = "may" or "encrypt") some +connections will use anonymous TLS ciphers, where the server does not +present any certificate. In this case, "Untrusted" will be replaced by +"Anonymous". </p> + +<p> When the remote SMTP server certificate is signed by a trusted root +CA and is not expired, the connection will be logged as "Trusted" or +"Verified". The latter means that the client is configured to verify the +server's identity (smtp_tls_security_level = "fingerprint", "verify" or +"secure") and the certificate matched the configured criteria. If the +Postfix SMTP client is not verifying the server identity, the connection +is logged as "Trusted". </p> + <h3><a name="client_tls_cache">Client-side TLS session cache</a> </h3> <p> The remote SMTP server and the Postfix SMTP client negotiate a -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header. 
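Review bot: In the first hunk (the smtpd_tls_loglevel section), the paragraph defining "Trusted" and "Untrusted" says "if the client certificate trust chain is valid and certificate is not expired" (missing "the"), and the preceding paragraph says "neither the server nor the client use certificates" (should be "uses"). More substantively, "trust chain is valid" does not say against which trust anchors the chain is checked; a short pointer to the parameters that supply the SMTP server's CA certificates (in Postfix, smtpd_tls_CAfile and smtpd_tls_CApath) would make the "Trusted" versus "Untrusted" log status actionable for an administrator who sees "Untrusted" and wants to know what to fix.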
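Review bot: In the second hunk (the smtp_tls_loglevel section), the last paragraph conditions both "Trusted" and "Verified" on the server certificate being "signed by a trusted root CA and ... not expired", but then lists "fingerprint" among the levels that produce "Verified". At the fingerprint level the match is on the certificate fingerprint and the issuer is not consulted, so a self-signed certificate can be logged as "Verified"; as written, a reader would expect a CA-signed certificate whenever "Verified" appears. Suggest splitting the sentence: "verify" and "secure" log "Verified" when the chain is valid and the name matches, while "fingerprint" logs "Verified" when the fingerprint matches regardless of the issuer. Two smaller points in the same region: "(smtp_tls_security_level = "may" or "encrypt") some connections" wants a comma after the closing parenthesis, and the "Untrusted" paragraph could state that the "Trusted"/"Untrusted" distinction is informational at these levels, since the preceding hunk text already says the client is not verifying the server certificate there.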