> On Jun 12, 2019, at 3:40 PM, Stephen Satchell <l...@satchell.net> wrote:
>
> As has been suggested before, this is a perfect application for TCPDUMP
> with appropriate parameters on your edge server, and a script to
> interpret the data.

Many MTAs nowadays support STARTTLS, and a large fraction of MTA-to-MTA SMTP traffic is encrypted:

    https://transparencyreport.google.com/safer-email/

If the OP's server has (as it generally should):

    smtp_tls_loglevel = 1
    smtp_tls_security_level = may

or even better, with a local to the MTA host DNSSEC validating resolver and 127.0.0.1 as the sole nameserver in /etc/resolv.conf:

    smtp_tls_loglevel = 1
    smtp_tls_security_level = dane
    smtp_dns_support_level = dnssec

then much of the SMTP chatter will be inside TLS-encrypted TCP traffic, and thus not available via "tcpdump". The auditors should be more concerned with whether STARTTLS is supported, than whether Postfix logs are somehow misrepresenting delivery success/failure. The "additional confirmation" they seek is unnecessary/pointless.

--
Viktor.
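
Added example, not part of the original message: a sketch of how the log lines written at smtp_tls_loglevel = 1 can be used to report which outbound deliveries went over TLS, which is the evidence that remains once the SMTP dialogue is no longer visible to tcpdump. The sample log lines are constructed, the names audit and summary are hypothetical, and matching a handshake to a delivery by smtp process id assumes TLS connection reuse is not enabled.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original thread).
SAMPLE_LOG = """\
Jun 12 15:40:01 mail postfix/smtp[2101]: Verified TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 12 15:40:02 mail postfix/smtp[2101]: 4A1B2C3D4E: to=<alice@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 12 15:41:10 mail postfix/smtp[2102]: 5B2C3D4E5F: to=<bob@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Jun 12 15:42:30 mail postfix/smtp[2101]: Untrusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun 12 15:42:31 mail postfix/smtp[2101]: 6C3D4E5F60: to=<carol@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=2.0, delays=0.1/0/1.2/0.7, dsn=4.7.1, status=deferred (host mx.example.com[203.0.113.5] said: 450 4.7.1 try later)
"""

# Handshake summary line logged by the smtp client at smtp_tls_loglevel = 1.
TLS_RE = re.compile(r"postfix/smtp\[(\d+)\]: (Anonymous|Untrusted|Trusted|Verified) "
                    r"TLS connection established to (\S+?): (\S+) with cipher")
# Per-recipient delivery status line.
DELIVERY_RE = re.compile(r"postfix/smtp\[(\d+)\]: ([0-9A-Za-z]+): to=<([^>]*)>,.*?"
                         r"relay=([^,]+),.*?status=(\w+)")

def audit(lines):
    """Return one record per delivery attempt, tagged with its TLS state."""
    tls_by_pid = {}  # pid -> (relay, trust level, protocol) of the last handshake
    records = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            pid, level, relay, proto = m.groups()
            tls_by_pid[pid] = (relay, level, proto)
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        pid, qid, rcpt, relay, status = m.groups()
        seen = tls_by_pid.pop(pid, None)
        if relay == "none":                  # no connection was established
            level, proto = "no-connection", None
        elif seen and seen[0] == relay:      # handshake by this process to this relay
            level, proto = seen[1], seen[2]
        else:                                # no handshake logged: plaintext SMTP
            level, proto = "cleartext", None
        records.append({"queue_id": qid, "rcpt": rcpt, "relay": relay,
                        "status": status, "tls": level, "protocol": proto})
    return records

def summary(records):
    """Count delivery attempts per TLS state."""
    return Counter(r["tls"] for r in records)

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG.splitlines()):
        print(rec)
```
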