A.Schulze via Postfix-users:
> Hello,
>
> Inspecting my logs, I do not see the values described in
> https://www.postfix.org/postconf.5.html#smtp_log_tls_feature_status
>
> 1) I see the value "tls=dane-only" for connections to @postfix.org
>
> Jan 06 20:58:38 mta postfix/smtp[10827]: 4dm26N1TFcz35x91N:
> to=<[email protected]>, relay=list.sys4.de[2a03:4000:20:189::195]:25,
> delay=2.7, delays=0.2/0.05/2.3/0.2, tls=dane-only, dsn=2.0.0, status=sent
> (250 2.0.0 Ok: queued as 4dm26W4P6HzyVX)

When the plug-in detects that a domain publishes a DANE policy, it
replies with a TLS security level 'dane-only', and that is what
Postfix logs.

> 2) I see the value "tls=secure" for connections to @gmail.com
>
> Jan 13 15:52:49 mail postfix/smtp[2955]: 4drC0J2JhHz14t5:
> to=<****@gmail.com>,
> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1a]:25, delay=1.2,
> delays=0.2/0.03/0.5/0.44, tls=secure, dsn=2.0.0, status=sent (250 2.0.0 OK
> 1768315969 ffacd0b85a97d-432bd62e50csi32288510f8f.498 - gsmtp)

When a domain publishes an MTA-STS policy but no DANE, the policy
plugin replies with a TLS security level 'secure', and that is what
Postfix logs. Some details are determined with the
smtp_tls_enforce_sts_mx_patterns setting, available in
Postfix >= 3.10.5.

Wietse
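
The tls= values discussed in this thread can be tallied per recipient domain from postfix/smtp delivery records. The Python sketch below is an added example, not part of the original messages or of Postfix; its sample log lines, hostnames and queue IDs are constructed, and its mapping covers only the two values explained in the reply above.

```python
import re
from collections import Counter

# Meaning of each tls= value as stated in the reply above; any other value is
# not explained in this thread and is reported as such.
POLICY_SOURCE = {
    "dane-only": "domain publishes a DANE policy",
    "secure": "domain publishes MTA-STS but no DANE",
}

RECORD_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): (to=.*)")
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")

def parse_delivery(line):
    """Return the fields of one postfix/smtp delivery record, or None."""
    m = RECORD_RE.search(line)
    if m is None:
        return None
    # Drop the parenthesised remote reply: it is text chosen by the remote
    # server and must not be parsed as key=value fields.
    head = m.group(2).split(" (", 1)[0]
    fields = dict(FIELD_RE.findall(head))
    tls = fields.get("tls")
    rcpt = fields.get("to", "").strip("<>")
    return {
        "queue_id": m.group(1),
        "domain": rcpt.rpartition("@")[2].lower(),
        "status": fields.get("status"),
        "tls": tls,
        "source": POLICY_SOURCE.get(tls, "not explained in this thread")
                  if tls else "no tls= field logged",
    }

def summarize(lines):
    """Count deliveries per (recipient domain, tls value)."""
    records = filter(None, map(parse_delivery, lines))
    return Counter((r["domain"], r["tls"]) for r in records)

# Constructed sample log lines (hosts, addresses and queue IDs are made up).
SAMPLE = [
    "Jan 06 20:58:38 mta postfix/smtp[101]: QID0000001: to=<alice@dane.example>, relay=mx.dane.example[2001:db8::1]:25, delay=2.7, delays=0.2/0.05/2.3/0.2, tls=dane-only, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABC)",
    "Jan 06 20:58:39 mta postfix/smtp[102]: QID0000002: to=<bob@sts.example>, relay=mx.sts.example[2001:db8::2]:25, delay=1.2, delays=0.2/0.03/0.5/0.44, tls=secure, dsn=2.0.0, status=sent (250 2.0.0 OK tls=none status=bounced)",
    "Jan 06 20:58:40 mta postfix/smtp[102]: QID0000003: to=<carol@old.example>, relay=mx.old.example[192.0.2.3]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 ok)",
    "Jan 06 21:00:00 mta postfix/smtpd[103]: connect from unknown[192.0.2.9]",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The second sample line carries key=value text inside the remote server's reply; the parser ignores it, so the reported level stays the one Postfix logged.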