DANE logs

DANE logs

Mal
Hello

Wondering if Postfix logs any DANE operations?

Postfix MTAs configured:

smtp_use_tls = yes
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec

MTA hostnames pass various online SMTP TLS checkers  (like https://www.huque.com/bin/danecheck ).

Mal


Re: DANE logs

Benny Pedersen-2
Mal wrote on 2017-10-13 06:53:

> MTA hostnames pass various online SMTP TLS checkers  (like
> https://www.huque.com/bin/danecheck ).

posttls-finger localhost

grep logs for Verified

there is nothing more to find for DANE hosts in logs

Re: DANE logs

Wilfried.Essig@Essignetz.de
In reply to this post by Mal

Possibly setting smtp_tls_loglevel to "1", or higher, will help.

A warning from the docs: "Do not use "smtp_tls_loglevel = 2" or higher
except in case of problems. Use of loglevel 4 is strongly discouraged."

(Same with smtpd_tls_loglevel for incoming connections.)


Willi


On 13.10.2017 at 06:53, Mal wrote:

> Hello
>
> Wondering if Postfix logs any DANE operations?
>
> Postfix MTAs configured:
>
> smtp_use_tls = yes
> smtp_tls_security_level = dane
> smtp_dns_support_level = dnssec
>
> MTA hostnames pass various online SMTP TLS checkers  (like https://www.huque.com/bin/danecheck ).
>
> Mal
>

Re: DANE logs

Viktor Dukhovni
In reply to this post by Mal
On Fri, Oct 13, 2017 at 04:53:57AM +0000, Mal wrote:

> Wondering if Postfix logs any DANE operations?

With DANE turned on, when you send email to a destination with
DNSSEC and correctly configured TLSA records, the delivery is logged
as "Verified" at smtp_tls_loglevel=1.  Barring any explicit tls
policies for some special domains, anything that is logged as "Verified"
used DANE to reach that state.

> smtp_use_tls = yes
> smtp_tls_security_level = dane
> smtp_dns_support_level = dnssec
>
> MTA hostnames pass various online SMTP TLS checkers
> (like https://www.huque.com/bin/danecheck ).

While it is good to enable DANE TLSA records for your own MTA, so
that *other* domains can send you email securely, this has nothing
to do with how your own outbound mail is logged.  In the inbound
direction the receiving MTA is passive, and does not know how or
whether the sending MTA verified its certificate.

Some better-known DANE domains that you might encounter in your
logs, if you happen to correspond with any of them:

    gmx.at
    nic.br
    registro.br
    gmx.ch
    open.ch
    switch.ch
    gmx.com
    mail.com
    solvinity.com
    t-2.com
    trashmail.com
    bayern.de
    bund.de
    freenet.de
    gmx.de
    jpberlin.de
    lrz.de
    mail.de
    posteo.de
    ruhr-uni-bochum.de
    tum.de
    uni-erlangen.de
    unitybox.de
    unitymedia.de
    web.de
    tilburguniversity.edu
    gmx.net
    t-2.net
    xs4all.net
    asp4all.nl
    bhosted.nl
    bit.nl
    otvi.nl
    uvt.nl
    xs4all.nl
    domeneshop.no
    debian.org
    freebsd.org
    gentoo.org
    ietf.org
    isc.org
    lazarus-ide.org
    netbsd.org
    openssl.org
    samba.org
    torproject.org
    t-2.si
    mail.co.uk
    govtrack.us

--
        Viktor.
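To act on Benny's "grep logs for Verified" and Viktor's explanation of what "Verified" means at smtp_tls_loglevel=1, here is an added example (not from this thread or from Postfix itself) that parses Postfix smtp(8) TLS session lines and reports, per destination host, which trust level was logged and which destinations never reached "Verified". The log lines, hostnames and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Postfix smtp(8) logs the trust level of each TLS session at smtp_tls_loglevel=1 as
# "<Level> TLS connection established to host[addr]:port: ...", where Level is one of
# Verified, Trusted, Untrusted or Anonymous. With smtp_tls_security_level=dane, and no
# explicit per-destination policy, "Verified" means the peer certificate matched its
# DNSSEC-signed TLSA records; the other levels mean DANE did not authenticate the peer.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Verified|Trusted|Untrusted|Anonymous) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:\d+"
)

# Constructed sample log excerpt (not real traffic). The fourth line is a normal
# delivery record and must be ignored by the parser.
SAMPLE_LOG = """\
Oct 13 07:01:02 mx postfix/smtp[12345]: Verified TLS connection established to mx.example.org[192.0.2.1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 13 07:01:05 mx postfix/smtp[12346]: Untrusted TLS connection established to mail.example.com[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Oct 13 07:02:10 mx postfix/smtp[12347]: Trusted TLS connection established to smtp.example.net[203.0.113.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 13 07:02:11 mx postfix/smtp[12348]: 1A2B3C4D5E: to=<user@example.com>, relay=mail.example.com[198.51.100.7]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D)
Oct 13 07:03:00 mx postfix/smtp[12349]: Verified TLS connection established to mx.example.org[192.0.2.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""


def tls_levels(log_text):
    """Return {host: {level: count}} for every TLS session line in the log."""
    levels = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            levels[m["host"]][m["level"]] += 1
    return {host: dict(counts) for host, counts in levels.items()}


def never_verified(log_text):
    """Hosts with TLS sessions that never reached 'Verified'.

    For a destination known to publish TLSA records, this is the signal worth
    chasing: it means the sending side did not authenticate via DANE, e.g. because
    the resolver did not return DNSSEC-validated answers, so the session fell back
    to an unauthenticated trust level.
    """
    return sorted(h for h, c in tls_levels(log_text).items() if "Verified" not in c)


if __name__ == "__main__":
    for host, counts in tls_levels(SAMPLE_LOG).items():
        print(host, counts)
    print("never verified:", never_verified(SAMPLE_LOG))
```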

Re: DANE logs

Mal

Very helpful.


On 13/10/2017 7:13 PM, Viktor Dukhovni wrote:
> On Fri, Oct 13, 2017 at 04:53:57AM +0000, Mal wrote:
>
>> Wondering if Postfix logs any DANE operations?
>
> With DANE turned on, when you send email to a destination with
> DNSSEC and correctly configured TLSA records, the delivery is logged
> as "Verified" at smtp_tls_loglevel=1.  Barring any explicit tls
> policies for some special domains, anything that is logged as "Verified"
> used DANE to reach that state.

Is loglevel=1 the only level it logs the verified entry on? Or is this
the minimum logging level, i.e., when verbose OR very verbose you will
also see it?

> While it is good to enable DANE TLSA records for your own MTA, so
> that *other* domains can send you email securely, this has nothing
> to do with how your own outbound mail is logged.  In the inbound
> direction the receiving MTA is passive, and does not know how or
> whether the sending MTA verified its certificate.
>

Pretty good list to check against.

Mal

Re: DANE logs

Viktor Dukhovni
On Fri, Oct 13, 2017 at 08:35:10PM +1030, Mal wrote:

> > With DANE turned on, when you send email to a destination with
> > DNSSEC and correctly configured TLSA records, the delivery is logged
> > as "Verified" at smtp_tls_loglevel=1.  Barring any explicit tls
> > policies for some special domains, anything that is logged as "Verified"
> > used DANE to reach that state.
>
> Is loglevel=1 the only level it logs the verified entry on? Or is this
> the minimum logging level, i.e., when verbose OR very verbose you will
> also see it?

It is the minimum, but since you should NOT be using any higher
level the question is not especially relevant.  With the higher
levels, the information in question is liable to be drowned out by
all the excess noise, and delivery performance may suffer significantly
from the logging overhead.  Some logging services might even start
dropping log messages and the wanted messages might be lost.

--
        Viktor.