Only logging from a connection when an unrelated error is forced in main.cf

Only logging from a connection when an unrelated error is forced in main.cf

Gerben Wierda
Using postfix 3.4.6 on macOS. Using maillog as syslog is broken on macOS.

The postfix server is running on 192.168.2.66, dovecot and other parts of the mail setup not yet. I am connecting from 192.168.2.67 on port 25, using telnet. I’m issuing an HELO and a VRFY (turned on temporarily in main.cf). I’ve set 192.168.2.67 in the debug_peer_list.

When I introduce an error in main.cf (the file for check_client_access does not exist), 

debug_peer_level = 2
debug_peer_list = 192.168.2.67
check_client_access regexp:/opt/local/etc/postfix/error/rna_rbl_whitelist_clients

I see debugging info when I connect using telnet.

Oct 06 13:16:17 mail /postfix-script[11198]: refreshing the Postfix mail system
Oct 06 13:16:17 mail postfix/master[11129]: reload -- version 3.4.6, configuration /opt/local/etc/postfix
Oct 06 13:16:37 mail postfix/smtpd[11208]: error: open /opt/local/etc/postfix/error/rna_rbl_whitelist_clients: No such file or directory
Oct 06 13:16:40 mail postfix/smtpd[11208]: connect from unknown[192.168.2.67]
Oct 06 13:16:40 mail postfix/smtpd[11208]: smtp_stream_setup: maxtime=300 enable_deadline=0
Oct 06 13:16:40 mail postfix/smtpd[11208]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? 127.0.0.0/8
Oct 06 13:16:40 mail postfix/smtpd[11208]: match_hostaddr: smtpd_client_event_limit_exceptions: 192.168.2.67 ~? 127.0.0.0/8
Oct 06 13:16:40 mail postfix/smtpd[11208]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? 192.168.2.0/24
Oct 06 13:16:40 mail postfix/smtpd[11208]: match_hostaddr: smtpd_client_event_limit_exceptions: 192.168.2.67 ~? 192.168.2.0/24
Oct 06 13:16:40 mail postfix/smtpd[11208]: report connect to all milters
Oct 06 13:16:40 mail postfix/smtpd[11208]: milter_macro_lookup: "j"
Oct 06 13:16:40 mail postfix/smtpd[11208]: milter_macro_lookup: result "mail.rna.nl"
Oct 06 13:16:40 mail postfix/smtpd[11208]: milter_macro_lookup: "{daemon_name}"
Oct 06 13:16:40 mail postfix/smtpd[11208]: milter_macro_lookup: result "mail.rna.nl"
Oct 06 13:16:40 mail postfix/smtpd[11208]: milter_macro_lookup: "{daemon_addr}"
Oct 06 13:16:40 mail postfix/smtpd[11208]: milter_macro_lookup: result "192.168.2.66"
Oct 06 13:16:40 mail postfix/smtpd[11208]: milter_macro_lookup: "v"
Oct 06 13:16:40 mail postfix/smtpd[11208]: milter_macro_lookup: result "Postfix 3.4.6"
Oct 06 13:16:40 mail postfix/smtpd[11208]: milter8_connect: non-protocol events for protocol version 6: 
Oct 06 13:16:40 mail postfix/smtpd[11208]: milter8_connect: transport=unix endpoint=/opt/local/var/run/rspamd/milter.sock
Oct 06 13:16:40 mail postfix/smtpd[11208]: warning: connect to Milter service unix:/opt/local/var/run/rspamd/milter.sock: No such file or directory
Oct 06 13:16:40 mail postfix/smtpd[11208]: milter8_conn_event: skip milter unix:/opt/local/var/run/rspamd/milter.sock
Oct 06 13:16:40 mail postfix/smtpd[11208]: > unknown[192.168.2.67]: 220 mail.rna.nl ESMTP Postfix
Oct 06 13:16:40 mail postfix/smtpd[11208]: watchdog_pat: 0x7fdc9c42ed90
Oct 06 13:17:08 mail postfix/smtpd[11208]: < unknown[192.168.2.67]: quit
Oct 06 13:17:08 mail postfix/smtpd[11208]: > unknown[192.168.2.67]: 221 2.0.0 Bye
Oct 06 13:17:08 mail postfix/smtpd[11208]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? 127.0.0.0/8
Oct 06 13:17:08 mail postfix/smtpd[11208]: match_hostaddr: smtpd_client_event_limit_exceptions: 192.168.2.67 ~? 127.0.0.0/8
Oct 06 13:17:08 mail postfix/smtpd[11208]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? 192.168.2.0/24
Oct 06 13:17:08 mail postfix/smtpd[11208]: match_hostaddr: smtpd_client_event_limit_exceptions: 192.168.2.67 ~? 192.168.2.0/24
Oct 06 13:17:08 mail postfix/smtpd[11208]: disconnect event to all milters
Oct 06 13:17:08 mail postfix/smtpd[11208]: milter8_disc_event: skip quit milter unix:/opt/local/var/run/rspamd/milter.sock
Oct 06 13:17:08 mail postfix/smtpd[11208]: disconnect from unknown[192.168.2.67] quit=1 commands=1
Oct 06 13:17:08 mail postfix/smtpd[11208]: free all milters
Oct 06 13:17:08 mail postfix/smtpd[11208]: free milter unix:/opt/local/var/run/rspamd/milter.sock
Oct 06 13:17:08 mail postfix/smtpd[11208]: name_mask: no_address_mappings

When I remove the forced error

check_client_access regexp:/opt/local/etc/postfix/rna_rbl_whitelist_clients

I see nothing. No “connect from unknown[192.168.2.67]”. Nothing. This baffles me. Why do I only see logging in my maillog (including debug_peer) when I introduce an unrelated error in main.cf? I’d like to see logging for each mail delivery.

Re: Only logging from a connection when an unrelated error is forced in main.cf

Wietse Venema
Gerben Wierda:
> When I remove the forced error
>
> check_client_access regexp:/opt/local/etc/postfix/rna_rbl_whitelist_clients
>
> I see nothing. No "connect from unknown[192.168.2.67]". Nothing.
> This baffles me. Why do I only see logging in my maillog (including
> debug_peer) when I introduce an unrelated error in main.cf? I'd
> like to see logging for each mail delivery.

With configuration error:

# postconf maillog_file debug_peer_list smtpd_client_restrictions
maillog_file = /tmp/log/maillog
debug_peer_list = 127.0.0.1
smtpd_client_restrictions = regexp:/non/existent
# date; telnet 127.0.0.1 25
Sun Oct  6 10:05:53 EDT 2019
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 tail.porcupine.org ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.
#

Logfile:
Oct 06 10:04:03 tail postfix/master[2062]: reload -- version 3.5-20190922, configuration /etc/postfix
Oct 06 10:05:53 tail postfix/smtpd[2518]: error: open /non/existent: No such file or directory
Oct 06 10:05:53 tail postfix/smtpd[2518]: connect from localhost[127.0.0.1]
Oct 06 10:05:53 tail postfix/smtpd[2518]: smtp_stream_setup: maxtime=300 enable_deadline=0
Oct 06 10:05:53 tail postfix/smtpd[2518]: > localhost[127.0.0.1]: 220 tail.porcupine.org ESMTP Postfix
...
Oct 06 10:05:58 tail postfix/smtpd[2518]: < localhost[127.0.0.1]: quit
Oct 06 10:05:58 tail postfix/smtpd[2518]: > localhost[127.0.0.1]: 221 2.0.0 Bye
Oct 06 10:05:58 tail postfix/smtpd[2518]: disconnect from localhost[127.0.0.1] quit=1 commands=1

After removing the configuration error:

# postconf maillog_file debug_peer_list smtpd_client_restrictions
maillog_file = /tmp/log/maillog
debug_peer_list = 127.0.0.1
smtpd_client_restrictions =
# date; telnet 127.0.0.1 25
Sun Oct  6 10:08:18 EDT 2019
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 tail.porcupine.org ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.
#

Logfile:
Oct 06 10:08:02 tail postfix/master[2062]: reload -- version 3.5-20190922, configuration /etc/postfix
Oct 06 10:08:18 tail postfix/smtpd[2545]: connect from localhost[127.0.0.1]
Oct 06 10:08:18 tail postfix/smtpd[2545]: smtp_stream_setup: maxtime=300 enable_deadline=0
Oct 06 10:08:18 tail postfix/smtpd[2545]: > localhost[127.0.0.1]: 220 tail.porcupine.org ESMTP Postfix
...
Oct 06 10:08:20 tail postfix/smtpd[2545]: < localhost[127.0.0.1]: quit
Oct 06 10:08:20 tail postfix/smtpd[2545]: > localhost[127.0.0.1]: 221 2.0.0 Bye
Oct 06 10:08:20 tail postfix/smtpd[2545]: disconnect from localhost[127.0.0.1] quit=1 commands=1

In other words, this still works as intended. Code changes since
Postfix 3.4.5 are totally unrelated to error handling or logging.

        Wietse

Re: Only logging from a connection when an unrelated error is forced in main.cf

Wietse Venema
In reply to this post by Gerben Wierda
Gerben Wierda:
> For some reason, I don't get smtpd logging at all. E.g. when sending a mail from Apple Mail.app MUA, this is all I see:
>
> Oct 06 22:42:21 mail postfix/cleanup[1020]: AE6C5504A6F: message-id=<[hidden email]>
> Oct 06 22:42:21 mail postfix/qmgr[350]: AE6C5504A6F: from=<[hidden email]>, size=728, nrcpt=1 (queue active)
> Oct 06 22:42:21 mail postfix/qmgr[350]: AE6C5504A6F: removed

I note that the SMTP client logging is also missing.

Also, the smtpd process logs the "map open" error before the process
goes into the chroot jail and before it drops privileges.

Maybe the missing logging has to do with the time when the first
event is logged.

If it is chroot related, try turning off smtpd chroot in master.cf,
and do "postfix reload".

If chroot does not make the difference, try turning off smtpd
'unprivileged' in master.cf, and do "postfix reload".

I don't know why either of these could make a difference, but then
MacOS is not really UNIX.

        Wietse

Re: Only logging from a connection when an unrelated error is forced in main.cf

Gerben Wierda
On 7 Oct 2019, at 01:10, Wietse Venema <[hidden email]> wrote:

> Gerben Wierda:
> > For some reason, I don't get smtpd logging at all. E.g. when sending a mail from Apple Mail.app MUA, this is all I see:
> >
> > Oct 06 22:42:21 mail postfix/cleanup[1020]: AE6C5504A6F: message-id=<[hidden email]>
> > Oct 06 22:42:21 mail postfix/qmgr[350]: AE6C5504A6F: from=<[hidden email]>, size=728, nrcpt=1 (queue active)
> > Oct 06 22:42:21 mail postfix/qmgr[350]: AE6C5504A6F: removed
>
> I note that the SMTP client logging is also missing.
>
> Also, the smtpd process logs the "map open" error before the process
> goes into the chroot jail and before it drops privileges.

Aha.

> Maybe the missing logging has to do with the time when the first
> event is logged.
>
> If it is chroot related, try turning off smtpd chroot in master.cf,
> and do "postfix reload".

Indeed, it is. If I turn chroot from y to n, I get my logging.

Oct 07 01:26:20 mail postfix/master[18890]: daemon started -- version 3.4.6, configuration /opt/local/etc/postfix
Oct 07 01:26:38 mail submission/smtpd[18897]: connect from hermione.rna.nl[192.168.2.86]
Oct 07 01:26:38 mail submission/smtpd[18897]: 8D1F851E378: client=hermione.rna.nl[192.168.2.86]
Oct 07 01:26:38 mail postfix/cleanup[18901]: 8D1F851E378: message-id=<[hidden email]>
Oct 07 01:26:38 mail postfix/qmgr[18892]: 8D1F851E378: from=<[hidden email]>, size=683, nrcpt=1 (queue active)
Oct 07 01:26:38 mail postfix/qmgr[18892]: 8D1F851E378: removed
Oct 07 01:27:01 mail postfix/postscreen[18907]: cache btree:/opt/local/var/lib/postfix/postscreen_cache full cleanup: retained=0 dropped=0 entries
Oct 07 01:27:01 mail postfix/postscreen[18907]: CONNECT from [127.0.0.1]:49401 to [127.0.0.1]:25
Oct 07 01:27:01 mail postfix/postscreen[18907]: WHITELISTED [127.0.0.1]:49401
Oct 07 01:27:01 mail postfix/smtpd[18908]: connect from localhost[127.0.0.1]
Oct 07 01:27:14 mail postfix/smtpd[18908]: disconnect from localhost[127.0.0.1] quit=1 commands=1
Oct 07 01:27:38 mail submission/smtpd[18897]: disconnect from hermione.rna.nl[192.168.2.86] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

So, now the question becomes, how do I combine chroot smtpd/submission/smtp with postlog?

Strange though (for me at least), because I was under the impression that smtpd and friends were logging to postlog which is not running in a chroot jail so should be able to log everything and not just qmgr and friends.

Here is more from master.cf (now without chroot for smtpd and friends)

smtp   inet n - n - 1 postscreen
smtpd   pass - - n - - smtpd
dnsblog   unix - - n - 0 dnsblog
tlsproxy  unix - - n - 0 tlsproxy

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o syslog_name=submission

# smtps inet port 465 used to be mentioned here, but IANA has removed port
# 465 for 'SMTPS' in 2019. submission is now the only TLS-secured port

# postfix internals (to be found in /opt/local/var/spool/postfix/)
pickup   unix n - n 60 1 pickup
cleanup   unix n - n - 0 cleanup
qmgr   unix n - n 300 1 qmgr
tlsmgr   unix - - n 1000? 1 tlsmgr
rewrite   unix - - n - - trivial-rewrite
bounce   unix - - n - 0 bounce
defer   unix - - n - 0 bounce
trace   unix - - n - 0 bounce
verify   unix - - n - 1 verify
flush   unix n - n 1000? 0 flush
proxymap  unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp   unix - - y - - smtp
relay   unix - - y - - smtp
  -o syslog_name=postfix/$service_name
showq   unix n - n - - showq
error   unix - - n - - error
retry   unix - - n - - error
discard   unix - - n - - discard
local   unix - n n - - local
virtual   unix - n n - - virtual
lmtp   unix - - y - - lmtp
anvil   unix - - n - 1 anvil
scache   unix - - n - 1 scache
postlog   unix-dgram n - n - 1 postlogd


G

> If chroot does not make the difference, try turning off smtpd
> 'unprivileged' in master.cf, and do "postfix reload".
>
> I don't know why either of these could make a difference, but then
> MacOS is not really UNIX.
>
> Wietse

Re: Only logging from a connection when an unrelated error is forced in main.cf

Gerben Wierda
And I forgot to mention, now that it isn’t running chroot-ed, the DNS reverse lookups suddenly also work.

Apparently, running chrooted is somewhat more difficult than imagined.

Oct 07 01:26:20 mail postfix/master[18890]: daemon started -- version 3.4.6, configuration /opt/local/etc/postfix
Oct 07 01:26:38 mail submission/smtpd[18897]: connect from hermione.rna.nl[192.168.2.86]
Oct 07 01:26:38 mail submission/smtpd[18897]: 8D1F851E378: client=hermione.rna.nl[192.168.2.86]
Oct 07 01:26:38 mail postfix/cleanup[18901]: 8D1F851E378: message-id=<[hidden email]>
Oct 07 01:26:38 mail postfix/qmgr[18892]: 8D1F851E378: from=<[hidden email]>, size=683, nrcpt=1 (queue active)
Oct 07 01:26:38 mail postfix/qmgr[18892]: 8D1F851E378: removed
Oct 07 01:27:01 mail postfix/postscreen[18907]: cache btree:/opt/local/var/lib/postfix/postscreen_cache full cleanup: retained=0 dropped=0 entries
Oct 07 01:27:01 mail postfix/postscreen[18907]: CONNECT from [127.0.0.1]:49401 to [127.0.0.1]:25
Oct 07 01:27:01 mail postfix/postscreen[18907]: WHITELISTED [127.0.0.1]:49401
Oct 07 01:27:01 mail postfix/smtpd[18908]: connect from localhost[127.0.0.1]
Oct 07 01:27:14 mail postfix/smtpd[18908]: disconnect from localhost[127.0.0.1] quit=1 commands=1
Oct 07 01:27:38 mail submission/smtpd[18897]: disconnect from hermione.rna.nl[192.168.2.86] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

Re: Only logging from a connection when an unrelated error is forced in main.cf

Wietse Venema
In reply to this post by Gerben Wierda
Gerben Wierda:
> > If it is chroot related, try turning off smtpd chroot in master.cf,
> > and do "postfix reload".
>
> Indeed, it is. If I turn chroot from y to n, I get my logging.

Great. Do you insist on chroot? If so, does MacOS have strace or
ktrace? Maybe you can find out if there is a difference in system
call results with/without chroot, like some missing file.

I can't comment on MacOS hostname lookup architecture.

        Wietse

Re: Only logging from a connection when an unrelated error is forced in main.cf

Wietse Venema
Wietse Venema:
> Gerben Wierda:
> > > If it is chroot related, try turning off smtpd chroot in master.cf,
> > > and do "postfix reload".
> >
> > Indeed, it is. If I turn chroot from y to n, I get my logging.
>
> Great. Do you insist on chroot? If so, does MacOS have strace or
> ktrace? Maybe you can find out if there is a difference in system
> call results with/without chroot, like some missing file.

Turns out it is not hard to create the postlog client socket early
(i.e. before chroot). I drafted some code during my train commute,
needs to be cleaned up and tested. Maybe that will be sufficient
to make logging work on MacOS.

(A different approach, inheriting the postlog client socket from
the master, would have better guarantees of working, but would
require some invasive changes in the master-child interface, plus
changes in the postlog client code.)

> I can't comment on MacOS hostname lookup architecture.

        Wietse
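
The reason a socket created before chroot keeps working, shown as an added example that is not part of the original post and is not Postfix code: a connected UNIX-domain datagram socket stays attached to its peer even when the path can no longer be resolved, while a connect attempted afterwards fails with ENOENT. The example assumes that unlinking the path is an acceptable stand-in for entering a chroot jail (so it needs no root); all function names, the scratch directory and the log line are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

struct demo_result {
    int early_delivered;    /* 1 if the pre-connected socket still delivered */
    int late_errno;         /* errno from connecting after the path vanished */
};

/* Fill in a UNIX-domain address for path. */
static void set_addr(struct sockaddr_un *sa, const char *path)
{
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    strncpy(sa->sun_path, path, sizeof(sa->sun_path) - 1);
}

/* Connect a datagram client to path; returns fd, or -1 with errno set. */
static int dgram_connect(const char *path)
{
    struct sockaddr_un sa;
    int fd, saved;

    if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
        return -1;
    set_addr(&sa, path);
    if (connect(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Returns 0 and fills *r, or -1 if the demo could not be set up. */
int early_vs_late_connect(struct demo_result *r)
{
    char dir[] = "/tmp/postlog-demo-XXXXXX";    /* constructed scratch dir */
    char path[64], buf[64];
    const char *line = "connect from unknown[192.0.2.1]";  /* constructed */
    struct sockaddr_un sa;
    int srv, early, late;

    r->early_delivered = r->late_errno = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/postlog", dir);

    /* Stand-in for the log daemon: a datagram socket bound to the path. */
    set_addr(&sa, path);
    srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv < 0 || bind(srv, (struct sockaddr *) &sa, sizeof(sa)) < 0)
        return -1;

    early = dgram_connect(path);    /* client connects "before chroot" */
    unlink(path);                   /* path stops resolving, as in a jail */
    rmdir(dir);
    late = dgram_connect(path);     /* first connect "after chroot" */
    r->late_errno = (late < 0) ? errno : 0;

    /* The early socket still reaches the daemon; recv must not block. */
    if (early >= 0
        && send(early, line, strlen(line), 0) == (ssize_t) strlen(line)
        && recv(srv, buf, sizeof(buf), MSG_DONTWAIT) == (ssize_t) strlen(line))
        r->early_delivered = 1;

    if (late >= 0) close(late);
    if (early >= 0) close(early);
    close(srv);
    return 0;
}
```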

Re: Only logging from a connection when an unrelated error is forced in main.cf

Gerben Wierda

> On 7 Oct 2019, at 15:50, Wietse Venema <[hidden email]> wrote:
>
> Wietse Venema:
>> Gerben Wierda:
>>>> If it is chroot related, try turning off smtpd chroot in master.cf,
>>>> and do "postfix reload".
>>>
>>> Indeed, it is. If I turn chroot from y to n, I get my logging.
>>
>> Great. Do you insist on chroot? If so, does MacOS have strace or
>> ktrace? Maybe you can find out if there is a difference in system
>> call results with/without chroot, like some missing file.
>
> Turns out it is not hard to create the postlog client socket early
> (i.e. before chroot). I drafted some code during my train commute,
> needs to be cleaned up and tested. Maybe that will be sufficient
> to make logging work on MacOS.

That sounds like a plan. For the time being I will run non-chrooted (postfix is pretty secure after all).

> (A different approach, inheriting the postlog client socket from
> the master, would have better guarantees of working, but would
> require some invasive changes in the master-child interface, plus
> changes in the postlog client code.)
>
>> I can't comment on MacOS hostname lookup architecture.

I too have no idea. Might also require some sort of socket access in the runtime libraries.

There were instructions to copy /etc/services and /etc/hosts to the chroot root (which I did). The first one suggests something with DNS.

G

PATCH: Only logging from a connection when an unrelated error is forced in main.cf

Wietse Venema
Gerben Wierda:
> > Turns out it is not hard to create the postlog client socket early
> > (i.e. before chroot). I drafted some code during my train commute,
> > needs to be cleaned up and tested. Maybe that will be sufficient
> > to make logging work on MacOS.
>
> That sounds like a plan. For the time being I will run non-chrooted
> (postfix is pretty secure after all).

See patch below.

        Wietse

diff -ur /var/tmp/postfix-3.5-20190922/src/global/maillog_client.c src/global/maillog_client.c
--- /var/tmp/postfix-3.5-20190922/src/global/maillog_client.c 2019-01-30 19:41:59.000000000 -0500
+++ src/global/maillog_client.c 2019-10-07 19:14:33.000000000 -0400
@@ -264,6 +264,8 @@
  }
  if (service_path != import_service_path)
     myfree(service_path);
+ msg_logger_control(CA_MSG_LOGGER_CTL_CONNECT_NOW,
+   CA_MSG_LOGGER_CTL_END);
     }
 
     /*
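
Review bot: the new msg_logger_control(CA_MSG_LOGGER_CTL_CONNECT_NOW, ...) call after myfree(service_path) carries no comment saying why the socket has to be opened at this point. A one-line comment that the connection is made here so that it exists before the caller enters the chroot jail, where the service path no longer resolves, would keep a later cleanup from moving or dropping the call.
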
diff -ur /var/tmp/postfix-3.5-20190922/src/util/msg_logger.c src/util/msg_logger.c
--- /var/tmp/postfix-3.5-20190922/src/util/msg_logger.c 2019-01-29 17:24:42.000000000 -0500
+++ src/util/msg_logger.c 2019-10-07 19:14:33.000000000 -0400
@@ -62,6 +62,10 @@
 /* .IP CA_MSG_LOGGER_CTL_DISABLE
 /* Disable the msg_logger. This remains in effect until the
 /* next msg_logger_init() call.
+/* .IP CA_MSG_LOGGER_CTL_CONNECT_NOW
+/* Close the logging socket if it was already open, and open
+/* the logging socket now, if permitted by current settings.
+/* Otherwise, the open is delayed until a logging request.
 /* SEE ALSO
 /* msg(3)  diagnostics module
 /* BUGS
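
Review bot: in the new CA_MSG_LOGGER_CTL_CONNECT_NOW entry, "if permitted by current settings" does not say which setting is meant. The code gates the open only on msg_logger_fallback_only_override, so the text could name MSG_LOGGER_CTL_FALLBACK_ONLY directly, and also state that a failed open is not reported to the caller.
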
@@ -111,6 +115,8 @@
 static int msg_logger_fallback_only_override = 0;
 static int msg_logger_enable = 0;
 
+#define MSG_LOGGER_NEED_SOCKET() (msg_logger_fallback_only_override == 0)
+
  /*
   * Other state.
   */
@@ -130,6 +136,25 @@
 #define STR(x) vstring_str(x)
 #define LEN(x) VSTRING_LEN(x)
 
+/* msg_logger_connect - connect to logger service */
+
+static void msg_logger_connect(void)
+{
+    if (msg_logger_sock == MSG_LOGGER_SOCK_NONE) {
+ msg_logger_sock = unix_dgram_connect(msg_logger_unix_path, BLOCKING);
+ if (msg_logger_sock >= 0)
+    close_on_exec(msg_logger_sock, CLOSE_ON_EXEC);
+    }
+}
+
+/* msg_logger_disconnect - disconnect from logger service */
+
+static void msg_logger_disconnect(void)
+{
+    if (msg_logger_sock != MSG_LOGGER_SOCK_NONE)
+ (void) close(msg_logger_sock);
+    msg_logger_sock = MSG_LOGGER_SOCK_NONE;
+}
 
 /* msg_logger_print - log info to service or file */
 
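
Review bot: in msg_logger_connect(), a failed unix_dgram_connect() leaves its return value in msg_logger_sock, while every later test compares against MSG_LOGGER_SOCK_NONE instead of checking for a negative value. That is correct only if the failure value and MSG_LOGGER_SOCK_NONE are the same number; adding "else msg_logger_sock = MSG_LOGGER_SOCK_NONE;" after the "if (msg_logger_sock >= 0)" branch would make the retry on the next logging request independent of that.
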
@@ -203,12 +228,8 @@
      * will report ENOENT if the endpoint does not exist, ECONNREFUSED if no
      * server has opened the endpoint.
      */
-    if (msg_logger_fallback_only_override == 0
- && msg_logger_sock == MSG_LOGGER_SOCK_NONE) {
- msg_logger_sock = unix_dgram_connect(msg_logger_unix_path, BLOCKING);
- if (msg_logger_sock >= 0)
-    close_on_exec(msg_logger_sock, CLOSE_ON_EXEC);
-    }
+    if (MSG_LOGGER_NEED_SOCKET())
+ msg_logger_connect();
     if (msg_logger_sock != MSG_LOGGER_SOCK_NONE) {
  send(msg_logger_sock, STR(msg_logger_buf), LEN(msg_logger_buf), 0);
     } else if (msg_logger_fallback_fn) {
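
Review bot: the send() result on the line after the new msg_logger_connect() call is still ignored, so a connected socket whose send fails neither reaches msg_logger_fallback_fn nor gets reopened. Now that the socket can be opened well before the first message is logged, consider checking the return value and calling msg_logger_disconnect() on error so the next request reconnects or falls back.
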
@@ -286,10 +307,7 @@
  switch (name) {
  case MSG_LOGGER_CTL_FALLBACK_ONLY:
     msg_logger_fallback_only_override = 1;
-    if (msg_logger_sock != MSG_LOGGER_SOCK_NONE) {
- (void) close(msg_logger_sock);
- msg_logger_sock = MSG_LOGGER_SOCK_NONE;
-    }
+    msg_logger_disconnect();
     break;
  case MSG_LOGGER_CTL_FALLBACK_FN:
     msg_logger_fallback_fn = va_arg(ap, MSG_LOGGER_FALLBACK_FN);
@@ -297,6 +315,11 @@
  case MSG_LOGGER_CTL_DISABLE:
     msg_logger_enable = 0;
     break;
+ case MSG_LOGGER_CTL_CONNECT_NOW:
+    msg_logger_disconnect();
+    if (MSG_LOGGER_NEED_SOCKET())
+ msg_logger_connect();
+    break;
  default:
     msg_panic("%s: bad name %d", myname, name);
  }
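
Review bot: the MSG_LOGGER_CTL_CONNECT_NOW case opens the socket without looking at msg_logger_enable, so a caller that issues it after MSG_LOGGER_CTL_DISABLE ends up holding a connected socket for a disabled logger. Either gate the connect on msg_logger_enable as well as MSG_LOGGER_NEED_SOCKET(), or document that CONNECT_NOW is only valid after msg_logger_init().
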
diff -ur /var/tmp/postfix-3.5-20190922/src/util/msg_logger.h src/util/msg_logger.h
--- /var/tmp/postfix-3.5-20190922/src/util/msg_logger.h 2019-01-29 17:24:42.000000000 -0500
+++ src/util/msg_logger.h 2019-10-07 19:14:33.000000000 -0400
@@ -35,6 +35,7 @@
 #define MSG_LOGGER_CTL_FALLBACK_ONLY 1
 #define MSG_LOGGER_CTL_FALLBACK_FN 2
 #define MSG_LOGGER_CTL_DISABLE 3
+#define MSG_LOGGER_CTL_CONNECT_NOW 4
 
 /* Safer API: type-checked arguments, external use. */
 #define CA_MSG_LOGGER_CTL_END MSG_LOGGER_CTL_END
@@ -43,6 +44,7 @@
  MSG_LOGGER_CTL_FALLBACK_FN, CHECK_VAL(MSG_LOGGER_CTL, \
  MSG_LOGGER_FALLBACK_FN, (v))
 #define CA_MSG_LOGGER_CTL_DISABLE MSG_LOGGER_CTL_DISABLE
+#define CA_MSG_LOGGER_CTL_CONNECT_NOW MSG_LOGGER_CTL_CONNECT_NOW
 
 CHECK_VAL_HELPER_DCL(MSG_LOGGER_CTL, MSG_LOGGER_FALLBACK_FN);