Jim Seymour via Postfix-users:
> On Fri, 30 Jan 2026 14:53:49 -0500 (EST)
> Wietse Venema via Postfix-users <[email protected]> wrote:
>
> > Jim Seymour via Postfix-users:
> > > On Fri, 30 Jan 2026 13:43:40 -0500 (EST)
> > > Wietse Venema via Postfix-users <[email protected]> wrote:
> > >
> > > > Jim Seymour via Postfix-users:
> > > > > Hi Wietse,
> > > > >
> > > > > I presume that if tls=none there will be no policies following
> > > > > that, as there will (?) be with the other security levels?
> > > >
> > > > Depending on the requiretls policy, Postfix will log
> > > >
> > > > tls=none/!requiretls:noencryption
> > > > 'Enforce' or 'opportunistic+starttls' policy violation. No
> > > > connection was made because the TLS security policy disabled
> > > > encryption.
> > >
> > > Ok. Let me put it another way: Will *all* security levels
> > > *always* be followed by one-or-more policies?
> >
> > There will be requiretls=mumble logging only when a message
> > requested REQUIRETLS. And that can happen only when Postfix is
> > configured to support REQUIRETLS.
> >
> > I expect that the same will be the case for other tls-dependent
> > features.
>
> Hmmm... I'm not certain I'm being clear. Or I'm just slow today.
>
> If I snag "tls=..." will the level *always* be followed by
> one-or-more policies, or might levels be found in the logs without
> policies?

NOT always. The status of a policy feature (like requiretls) is
logged ONLY if that policy feature is enabled in Postfix, AND with
REQUIRETLS, if the feature is activated by the sender.

> E.g.: Am I going to ever see:
>
> ... delays=0.5/0/0/0.01, tls=level, dsn=2.0.0, ...
>
> ?

That is what most of my TLS status logging looks like.

> And, if so, will there be a trailing ":"?
>
> E.g.:
>
> ... delays=0.5/0/0/0.01, tls=level:, dsn=2.0.0, ...

Never at the end. Each field is either what Postfix wanted (no
colon), or what-it-wanted:what-it-got (one colon).

    ...tls=none, ... (want: plaintext, got: plaintext)
    ..., tls=may, ... (want: opportunistic TLS, got: opportunistic TLS)
    ..., tls=may:none, ... (want: opportunistic TLS, got: plaintext)
    ..., tls=blah/foo:bar, ... (want: foo, got: bar)

It is a lot of information compressed into a few fields. Otherwise
it would be scattered over multiple logfile records and that would
make analysis difficult.

Wietse
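
The field layout described in this message, as an added example that is not part of the original thread and is not Postfix code: a log-analysis helper that parses the tls= token and reports records where a field got something other than what was wanted. It assumes that "/" separates the security level from each policy field (inferred from the examples above); the helper names and the sample records are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# The tls= token of a delivery record; its value ends at the next comma.
TLS_TOKEN = re.compile(r"(?:^|[\s,])tls=([^,\s]+)")

class Field(NamedTuple):
    wanted: str
    got: Optional[str]  # None when the field has no colon (got what it wanted)
    @property
    def mismatch(self) -> bool:
        return self.got is not None and self.got != self.wanted

def parse_field(text: str) -> Field:
    # Accept 'wanted' or 'wanted:got'; reject empty parts and extra colons.
    wanted, sep, got = text.partition(":")
    if not wanted or (sep and not got) or ":" in got:
        raise ValueError(f"malformed tls field: {text!r}")
    return Field(wanted, got if sep else None)

def parse_tls(line: str) -> Optional[Tuple[Field, List[Field]]]:
    """Return (security level, policy fields), or None if there is no tls= token."""
    m = TLS_TOKEN.search(line)
    if m is None:
        return None
    # Assumption: '/' separates the level from each policy field.
    level, *policies = m.group(1).split("/")
    return parse_field(level), [parse_field(p) for p in policies]

def mismatches(lines: List[str]) -> List[str]:
    """Lines where the level or any policy field got something other than wanted."""
    hits = []
    for line in lines:
        parsed = parse_tls(line)
        if parsed and (parsed[0].mismatch or any(p.mismatch for p in parsed[1])):
            hits.append(line)
    return hits

# Constructed sample records, modelled on the fragments quoted in the thread.
SAMPLE = [
    "... delays=0.5/0/0/0.01, tls=none, dsn=2.0.0, ...",
    "... delays=0.5/0/0/0.01, tls=may, dsn=2.0.0, ...",
    "... delays=0.5/0/0/0.01, tls=may:none, dsn=2.0.0, ...",
    "... delays=0.5/0/0/0.01, tls=none/!requiretls:noencryption, ...",
    "... delays=0.5/0/0/0.01, dsn=2.0.0, ...",
]

if __name__ == "__main__":
    print("\n".join(mismatches(SAMPLE)))
```

A value with a trailing colon, such as tls=level:, raises ValueError here, matching the statement above that a colon never appears at the end.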