Debug log level configuration

phoenixsagar
I want to configure Postfix such that I get log level 4 for a specific IP or
domain, and for the rest of the cases it should give logs of log level 1.
What I tried is (main.cf configuration):
debug_peer_level = 4
debug_peer_list = <ip-address>

In this case Postfix is not providing all debug logs. (Maybe it is providing log
level 1/2 logs for that IP. At this time smtp_tls_loglevel is set to 1.)

I was expecting that I would get debug logs of level 4, as we get when we set
smtp_tls_loglevel = 4. (This option gives debug logs for all; I want it only
for a specific IP or host.)

Kindly suggest a configuration? Feasibility?



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Debug log level configuration

Ansgar Wiechers
On 2019-03-28 phoenixsagar wrote:

> I want to configure postfix such that I get log level 4 for specific ip or
> domain. And for rest of the cases it should give logs of log level 1
> What I tried is :
> debug_peer_level = 4
> debug_peer_list = <ip-address>
>
> In this case postfix is not providing all debug logs.(May be providing log
> level 2 logs)
>
> I was expecting that I will get debug logs of level 4 as we get when we set
> smtp_tls_loglevel = 4 <This option gives debug logs for all I want it only
> for specific ip or host>
>
> Kindly suggest configuration ? feasibility  ?

Please take a step back and describe the actual problem you're trying to
solve instead of what you perceive as the solution. Debug logging in
Postfix should not be required for any normal troubleshooting. What do
you think you need this for exactly?

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: Debug log level configuration

Wietse Venema
In reply to this post by phoenixsagar
phoenixsagar:
> I want to configure postfix such that I get log level 4 for specific ip or
> domain. And for rest of the cases it should give logs of log level 1
> What I tried is :
> debug_peer_level = 4
> debug_peer_list = <ip-address>
>
> In this case postfix is not providing all debug logs.(May be providing log
> level 2 logs)

There is nothing that logs above debug level 3.

        Wietse

Re: Debug log level configuration

phoenixsagar
In reply to this post by Ansgar Wiechers
For one host, certificate verification is failing randomly. I want to monitor
that particular host.
Specifically, I want the depth and subject of the certificate that it is
marking as expired.
I have gone through pcaps, but all certificates at that time are fine.

So I want debug logs enabled for a particular host. This log line will be
dumped at log level 2. Currently I am not seeing this log line unless I go
for the general log level 4 option.

Please suggest a configuration for this use case. How will I get the
certificate verification depth and subject line for one particular host
(from tls_verify.c)? This line should get dumped if the log level is 2, but
this is not happening currently.




Re: Debug log level configuration

Wietse Venema
phoenixsagar:

> For one host certificate verification is failing randomly. I want to monitor
> that particular host.
> Specifically I want that depth and subject of certificate for which it is
> marking certificate expired.
> I have gone through pcaps but all certificates at that time are fine.
>
> So I want debug logs enabled for particular host. This log line will be
> dumped in log level 2. Currently I am not seeing this log line unless I go
> for general log level 4 option.
>
> Suggest me configuration for this use case ?

debug_peer logging is specific to client name or IP address, not
applicable to TLS.

tls_loglevel is applicable to TLS, not specific to client name or
IP address.

Options:

- Set up an smtpd process (in master.cf) on a different IP
address or TCP Port and have the client connect to that.

- Same, but use an IP firewall redirect route to redirect that client
to the different TCP Port.

        Wietse

Re: Debug log level configuration

Viktor Dukhovni
In reply to this post by phoenixsagar
> On Mar 28, 2019, at 8:35 AM, phoenixsagar <[hidden email]> wrote:
>
> For one host certificate verification is failing randomly. I want to monitor
> that particular host.
> Specifically I want that depth and subject of certificate for which it is
> marking certificate expired.
> I have gone through pcaps but all certificates at that time are fine.

If this is outbound SMTP, you can use a separate transport for that MX host's
destination domain (assuming a known, manageable list).  For that transport
(say "vsmtp") set:

  vsmtp unix ... smtp
    -o smtp_tls_loglevel=summary,untrusted,certmatch

and use the transport table to associate this with the destination(s) in
question.

The named log levels are not a stable feature of the smtp_tls_loglevel
public interface, but in the short run you can use them for debugging.

--
        Viktor.
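
The two per-peer approaches from the replies above, written out as configuration. This is an added example, not text from any poster in the thread. The domain example.com, the address 192.0.2.25, port 2525, the file path /etc/postfix/transport, the syslog_name values and the "n" chroot field are constructed placeholders or assumptions to adapt to the local setup.

```conf
# ---- Outbound case (Viktor's suggestion): dedicated smtp(8) transport ----
# /etc/postfix/master.cf
# service type  private unpriv  chroot  wakeup  maxproc command + args
vsmtp     unix  -       -       n       -       -       smtp
  -o smtp_tls_loglevel=summary,untrusted,certmatch
  -o syslog_name=postfix/vsmtp
# syslog_name is an addition here so the verbose lines are easy to filter
# in the mail log; the named TLS log levels are the ones given in the thread.

# /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport
# Route only the affected destination domain through the verbose transport.
# An empty nexthop keeps the normal MX lookup for the domain.
example.com     vsmtp:

# After editing:
#   postmap /etc/postfix/transport
#   postfix reload

# ---- Inbound case (Wietse's suggestion): dedicated smtpd(8) listener ----
# /etc/postfix/master.cf
# Only the client under investigation connects here, directly or through
# a firewall redirect, so the extra TLS logging applies to that peer alone.
192.0.2.25:2525 inet n  -       n       -       -       smtpd
  -o smtpd_tls_loglevel=2
  -o syslog_name=postfix/debug-smtpd
# Level 2 is the level the original poster expects to carry the
# depth/subject line; all other services keep the main.cf TLS log level.
```

Both entries confine the verbose TLS logging to one service, so the global smtp_tls_loglevel and smtpd_tls_loglevel can stay at 1. Remove the extra service and the transport entry once the failing certificate has been identified.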