Package: logcheck
Version: 1.3.14
Severity: minor
Tags: patch
Hey
When I started doing "opportunistic TLS", Postfix warned of connections
to sites with self-signed certificates. I would think logcheck should
still warn about this by default, and hence I'm proposing the attached
patch which proposes an alternate logcheck entry but disabled by
default.
This is against current git at time of writing.
Cheers,
--
Loïc Minier
From 0d71fad7511ed2ac735b00c65700c4d0afd80022 Mon Sep 17 00:00:00 2001
From: Loïc Minier <[email protected]>
Date: Mon, 3 Oct 2011 13:37:18 +0200
Subject: [PATCH] i.d.s/postfix: opportunistic TLS alternate check
"Unverified TLS connection" should probably be raised by logcheck on
sites which want strict TLS behavior, but when configuring Postfix for
opportunistic TLS, these are frequent with sites using self-signed
certificates. Offer an alternate logcheck entry which allows Untrusted
connections, but comment it out by default.
---
rulefiles/linux/ignore.d.server/postfix | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/postfix b/rulefiles/linux/ignore.d.server/postfix
index ce72d11..9f4b2e0 100644
--- a/rulefiles/linux/ignore.d.server/postfix
+++ b/rulefiles/linux/ignore.d.server/postfix
@@ -60,6 +60,9 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtp\[[[:digit:]]+\]: warning: mailer loop: best MX for [^[:space:]]+ is local$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtp\[[[:digit:]]+\]: warning: no MX host for [^[:space:]]+ has a valid (A|address) record$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: ((Anonymous|Trusted|Verified) )?TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/[:digit:]]+ bits\)$
+# Uncomment this alternate version if you're using opportunistic TLS and want
+# to ignore Untrusted connections
+#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: ((Anonymous|Trusted|Verified|Untrusted) )?TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/[:digit:]]+ bits\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: (Peer|Server) certificate could not be verified$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: Unverified: subject_CN=.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: Verified: subject_CN=.*, issuer=.*$
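Review bot: The commit message talks about "Unverified TLS connection" being raised, but the added alternate rule (the `#^\w{3} ...` line) widens the alternation to `(Anonymous|Trusted|Verified|Untrusted)`, i.e. it is the "Untrusted TLS connection established" message that is being allowed through; please use the same wording in both places so an admin grepping the rule file for the Postfix message finds the right entry. Two further points on the same hunk: the commented-out line duplicates the whole preceding pattern except for one word, so any later fix to the active rule (for example the `(TLSv1|SSLv[23])` version list) has to be mirrored by hand in the alternate, and it would help to say so in the comment above it; and the two unchanged context lines that follow (`(Peer|Server) certificate could not be verified$` and `Unverified: subject_CN=.*$`) already ignore the companion verification-failure messages by default, so a strict-TLS site that keeps the alternate commented out will only ever see the "Untrusted ... TLS connection established" line, not the reason the verification failed. Worth noting in the comment, or reconsidering whether those two default ignores match the strict-TLS rationale given in the commit message.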
--
1.7.5.4
_______________________________________________
Logcheck-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/logcheck-devel