Eric Shubert wrote:
> Eric Shubert wrote:
>> The todo file has a handful of nice logging enhancements. Here's another.
>>
>> It'd be nice to have some indicator in the log of whether TLS was used 
>> on each session or not. This would allow easy verification that TLS is 
>> working on each message coming in.
>>
>> Thanks Sam.
> 
> There's another aspect to this that Aleksander on the QMT list came 
> across. He noticed that when spamdyke's doing the TLS encryption, 
> there's no longer any indication in the message header that the message 
> was encrypted as it was received. When qmail (patched with TLS) accepts 
> a message using TLS, it notes that the message was received with 
> encryption. Since spamdyke is passing the message in clear text to 
> qmail, qmail no longer notes that TLS was used, even though spamdyke is 
> dutifully decoding the encrypted session.
> 
> The bottom line to this is that there's no practical way to audit that 
> TLS is being used, or was used on a given message. I think this is a 
> significant shortfall, while more so in some environments than others.
> 
> Would it be possible for spamdyke to add a Received-spamdyke header of 
> some sort that would indicate whether or not TLS was used? I imagine 
> that other relevant information about spamdyke could be included, but I 
> think Sam would have better ideas about this than I do.
> 
> Thanks again Sam.
> 

Alexsander just pointed out that it probably won't be possible for 
spamdyke to add a received header to the message, as this would break 
DKIM. Looks like the only way to preserve the qmail encryption message 
in the headers would be to pass the message on to qmail using TLS if 
it's available (and only when spamdyke is using TLS with the sender of 
course). I'm not sure if the additional overhead would be worth it or 
not, but I expect not. It sure would be nice though if the security of a 
message could be validated by examining its headers.

Having an indication in the log is looking to be more important in light 
of this.

Any ideas, Sam?
-- 
-Eric 'shubes'

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
