How do I make smtp_tls_note_starttls_offer work? Thanks in advance.
[1] http://www.postfix.org/TLS_LEGACY_README.html
[2] http://www.postfix.org/postconf.5.html
--
Yang Zhang
http://yz.mit.edu/
> According to the docs [1, 2], "smtp_tls_note_starttls_offer=yes"
> should log when a server offers STARTTLS.
Yes, when TLS is offered, but not used, because you have not enabled
opportunistic TLS, or when an opportunistic handshake fails and is
re-tried in plaintext.
    /*
     * Optionally log unused STARTTLS opportunities.
     */
    if ((session->features & SMTP_FEATURE_STARTTLS) &&
        var_smtp_tls_note_starttls_offer &&
        session->tls_level <= TLS_LEV_NONE)
        msg_info("Host offered STARTTLS: [%s]", session->host);
If you have "smtp_tls_security_level = may" or stronger, this
configuration parameter is not terribly useful.
> However, I've been testing
> among my own SMTP servers, and while I can verify that TLS is being
> used (with "smtpd_tls_loglevel=1" on the smtpd side), I can't tell
> what TLS capabilities the smtp (client) is seeing. I'm using Postfix
> 2.7.0.
Don't know what TLS capabilities you have in mind, but the "note_tls_offer"
feature is a binary switch to log a missed opportunity to use "STARTTLS",
nothing more.
--
Viktor.
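An added example, not part of this thread and not Postfix code: the one practical use of the log line discussed above is an audit of which destinations are still being delivered in plaintext although their MX offered STARTTLS, so you know where an opportunistic policy would actually take effect. The script below joins the "Host offered STARTTLS" lines to the "status=sent" delivery lines of the same queue ID and emits smtp_tls_policy_maps entries. It assumes smtp_tls_note_starttls_offer = yes with smtp_tls_security_level = none (with "may" or stronger the line is no longer logged, as Viktor notes), the default syslog layout with the queue ID after the process name, no relayhost (so the policy lookup key is the recipient domain), and "may" as a starting policy; the log lines are constructed sample data, not real logs.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtp(8) client log lines (not real logs, not
# from the original thread). Queue IDs, hosts and addresses are made up.
SAMPLE_LOG = """\
Mar  3 10:01:12 mx1 postfix/smtp[2231]: 5F1A2C0012: Host offered STARTTLS: [mail.example.com]
Mar  3 10:01:12 mx1 postfix/smtp[2231]: 5F1A2C0012: to=<bob@example.com>, relay=mail.example.com[192.0.2.25]:25, delay=0.6, delays=0.1/0/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1B2C3D)
Mar  3 10:02:40 mx1 postfix/smtp[2233]: 7A9B3C0044: Host offered STARTTLS: [mail.example.com]
Mar  3 10:02:40 mx1 postfix/smtp[2233]: 7A9B3C0044: to=<carol@example.com>, relay=mail.example.com[192.0.2.25]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4E5F6A)
Mar  3 10:05:07 mx1 postfix/smtp[2240]: 9C0D4E0099: Host offered STARTTLS: [smtp.example.net]
Mar  3 10:05:08 mx1 postfix/smtp[2240]: 9C0D4E0099: to=<dave@example.net>, relay=smtp.example.net[198.51.100.7]:25, delay=1.1, delays=0.2/0/0.6/0.3, dsn=2.0.0, status=sent (250 OK)
Mar  3 10:06:30 mx1 postfix/smtp[2241]: A1B2C3D4E5: to=<erin@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=0.7, delays=0.1/0/0.4/0.2, dsn=2.0.0, status=sent (250 Ok)
Mar  3 10:07:00 mx1 postfix/smtp[2242]: B2C3D4E5F6: Host offered STARTTLS: [mail.example.com]
Mar  3 10:07:30 mx1 postfix/smtp[2242]: B2C3D4E5F6: to=<frank@example.com>, relay=mail.example.com[192.0.2.25]:25, delay=30, delays=0.1/0/0.5/29, dsn=4.4.2, status=deferred (lost connection with mail.example.com[192.0.2.25] while sending DATA)
"""

# The message text produced by smtp_tls_note_starttls_offer = yes.  The queue
# ID prefix is assumed to be present (default Postfix logging); it is the join
# key to the delivery record of the same session.
OFFER_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?:(?P<qid>\w+): )?Host offered STARTTLS: \[(?P<host>[^\]]+)\]")

# Successful delivery record: recipient domain plus the relay host actually used.
SENT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<[^@>]*@(?P<domain>[^>]+)>, "
    r"relay=(?P<relay>[^\[ ]+)\[[^\]]*\](?::\d+)?,.*status=sent")


def missed_starttls(log_text):
    """Return {recipient_domain: {mx_host: deliveries}} for mail that was
    delivered in plaintext although the MX offered STARTTLS.

    Only status=sent records are counted: the question is what actually left
    the box unencrypted.  The offer and the delivery are joined on queue ID
    and the relay host must equal the host named in the offer line, so an
    offer from one MX is never attributed to a delivery via another."""
    offers = {}   # queue ID -> MX host that offered STARTTLS in that session
    result = {}
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            if m.group("qid"):
                offers[m.group("qid")] = m.group("host")
            continue
        m = SENT_RE.search(line)
        if m and offers.get(m.group("qid")) == m.group("relay"):
            result.setdefault(m.group("domain"), Counter())[m.group("relay")] += 1
    return {domain: dict(hosts) for domain, hosts in result.items()}


def suggest_policy(missed):
    """Emit smtp_tls_policy_maps lines, one per recipient domain, using "may".

    Assumption: no relayhost, so the next-hop destination (the policy table
    key) is the recipient domain.  "may" is a starting point for review;
    "encrypt" would defer mail to a destination whose STARTTLS offer turns
    out to be unreliable."""
    return ["%s\tmay" % domain for domain in sorted(missed)]


if __name__ == "__main__":
    missed = missed_starttls(SAMPLE_LOG)
    for domain, hosts in sorted(missed.items()):
        for host, n in sorted(hosts.items()):
            print("%-16s %-20s %d plaintext deliveries" % (domain, host, n))
    print("\n# candidate smtp_tls_policy_maps entries")
    print("\n".join(suggest_policy(missed)))
```

On the constructed sample this reports example.com (2 deliveries via mail.example.com) and example.net (1 via smtp.example.net); example.org never offered STARTTLS and the deferred delivery to frank@example.com is not counted. Once you act on the output and raise the level to "may", the audit line disappears for those destinations, which is exactly the behaviour Viktor describes.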
No, that is not what the documentation says.
Wietse
smtp_tls_note_starttls_offer (default: no)
Log the hostname of a remote SMTP server that offers STARTTLS,
***when TLS is not already enabled for that server***.