On Mon, Feb 02, 2026 at 04:46:58PM -0500, Jim Seymour via Postfix-users wrote:
> The question is: Are these accurate descriptions and reasonable/useful
> display formats for a summary of Postfix log tls= data?
>
> SMTP TLS Connection Stats
> -------------------------
> 15 none
> 14 may
> 16 may:none
> 14 may?
> 21 encrypt
> 13 fingerprint
> 20 dane
> 22 dane:encrypt [fictional]
> 10 dane:halfdane [fictional]
> 14 dane:may [fictional]
> 14 dane?
> 14 secure
> 13 verify
The security levels are:
- "none":
  * Also reported as "none?" on connection failure, ...
- "may":
  * Also reported as "may?" on connection failure, ...
  * Also reported as "may:none" when STARTTLS is not available
- "encrypt":
  * Also reported as "encrypt?" on connection failure, ...
  * Logged as "!encrypt" when STARTTLS is unavailable
        tls=!encrypt, dsn=4.7.4, status=deferred
        (TLS is required, but was not offered by ...)
  * Possibly downgraded to "may" by "RequireTLS: no", in
    which case currently logged like "may".
- "fingerprint":
  * Just like encrypt, but the failure reason can be
    authentication failure:
        tls=!fingerprint, dsn=4.7.5,
        status=undeliverable (Server certificate not verified)
- "half-dane" (DANE MX host of non-DNSSEC domain):
  * Downgrades to "encrypt" when all TLSA records unusable,
    and then logged as "encrypt".
  * Otherwise, behaves like "fingerprint", but TLS detail
    logging reports "Trusted", never "Verified".
- "dane" (DANE validation, provided "usable" TLSA RRs published):
  * Transparently falls back to "may" when no DNSSEC-signed TLSA
    records are published, and then logged just like "may".
  * Otherwise, just like "half-dane", but logged as "Verified".
- "dane-only" (DANE validation, provided "usable" TLSA RRs published):
  * Policy failure on absence of TLSA records, but for now in that case
    the policy logged is "unknown", because no actual connections happen,
    all the MX hosts are skipped (relay=none):
        postfix/smtp[433890]: warning: TLS policy lookup for
        <domain>/<mx-host1>: no TLSA records found
        postfix/smtp[433890]: warning: TLS policy lookup for
        <domain>/<mx-host2>: no TLSA records found
        postfix/smtp[433890]: warning: TLS policy lookup for
        <domain>/<mx-host3>: no TLSA records found
        postfix/smtp[433890]: warning: TLS policy lookup for
        <domain>/<mx-host4>: no TLSA records found
        postfix/smtp[433890]: C27869355BB: to=<[email protected]>,
        relay=none, delay=1.9, delays=0.08/0.01/1.8/0,
        tls=unknown?, dsn=4.7.5, status=undeliverable (no TLSA records
        found)
  * Otherwise, just like "fingerprint".
        tls=dane-only, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
- "verified" & "secure" (differ only in default hostname patterns):
  * Just like "fingerprint", but match the DNS name in a trusted
    certificate chain instead of server public key or full
    end-entity (EE or leaf) certificate fingerprint.
> SMTP TLS Policy Diagnostics
> ---------------------------
> 25 !requiretls:noencryption
> 22 requiretls:none
> 20 !requiretls:nostarttls
> 19 requiretls
> 17 !requiretls:none
> 16 requiretls?
> 15 requiretls:nocertmatch
> 14 requiretls:nostarttls
> 13 !requiretls:nocertmatch
I'll leave it to Wietse to comment on these.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
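A small summariser of the kind Jim is asking about, added here as an example (it is not code from this thread or from Postfix): it pulls the tls= field out of smtp delivery records, splits it into the level, the ":detail" suffix, the leading "!" (policy failure) and the trailing "?" (connection failure) that Viktor describes above, and tallies outcomes per level. The log lines are constructed for illustration, not taken from a real mail log.

```python
import re
from collections import Counter

# Constructed sample lines in the tls= style described above (not real log data).
SAMPLE_LOG = """\
postfix/smtp[1001]: AAA1: to=<a@example.org>, relay=mx.example.org[192.0.2.1]:25, tls=may, dsn=2.0.0, status=sent (250 Ok)
postfix/smtp[1002]: AAA2: to=<b@example.org>, relay=mx.example.org[192.0.2.1]:25, tls=may:none, dsn=2.0.0, status=sent (250 Ok)
postfix/smtp[1003]: AAA3: to=<c@example.net>, relay=none, tls=may?, dsn=4.4.1, status=deferred (connect timed out)
postfix/smtp[1004]: AAA4: to=<d@example.net>, relay=mx.example.net[192.0.2.2]:25, tls=!encrypt, dsn=4.7.4, status=deferred (TLS is required, but was not offered)
postfix/smtp[1005]: AAA5: to=<e@example.com>, relay=none, tls=unknown?, dsn=4.7.5, status=undeliverable (no TLSA records found)
postfix/smtp[1006]: AAA6: to=<f@example.com>, relay=mx.example.com[192.0.2.3]:25, tls=dane, dsn=2.0.0, status=sent (250 Ok)
"""

TLS_RE = re.compile(r"\btls=(?P<val>[^,\s]+)")

def decompose(value):
    """Split a tls= value into (level, detail, policy_failed, conn_failed):
    a leading "!" is a policy failure ("!encrypt"), a trailing "?" a
    connection failure ("may?"), ":detail" extra state ("may:none")."""
    policy_failed = value.startswith("!")
    if policy_failed:
        value = value[1:]
    conn_failed = value.endswith("?")
    if conn_failed:
        value = value[:-1]
    level, _, detail = value.partition(":")
    return level, detail or None, policy_failed, conn_failed

def summarize(log_text):
    """Count raw tls= values and group outcomes per security level."""
    raw, per_level = Counter(), {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if not m:
            continue  # not a delivery record carrying tls= information
        val = m.group("val")
        raw[val] += 1
        level, detail, pfail, cfail = decompose(val)
        d = per_level.setdefault(level, Counter())
        d["policy_fail" if pfail else "conn_fail" if cfail else "completed"] += 1
        if detail:
            d["detail:" + detail] += 1
    return raw, per_level

if __name__ == "__main__":
    raw, per_level = summarize(SAMPLE_LOG)
    print("SMTP TLS Connection Stats")
    for level, d in sorted(per_level.items()):
        print(f"{level:12s} {dict(d)}")
```

The per-level "policy_fail" count is the one worth alerting on: it is where an "encrypt" or stronger policy was enforced and delivery was refused, rather than a transient connection problem.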