Re: Questions concerning TLS

Re: Questions concerning TLS

Wietse Venema
Darrell A. Sullivan, II:
> I am trying to implement TLS on our server for a client requirement. I
> believe I have the TLS settings correct, but I am not certain about what I
> am seeing in the logs and I am uncertain as to how to know if a message was
> delivered using TLS.
>
> Is there anything in the message headers that would indicate that it was
> delivered using TLS?

Postfix can add TLS message headers while RECEIVING mail.

/etc/postfix/main.cf:
    smtpd_tls_received_header = yes

Postfix currently does not add TLS message headers while delivering
mail. Adding such a header would not be a big deal. The code just
does not exist because no-one has needed it.

> I have the below log entries on some outgoing messages. I am certain that
> the first one is a failure since the group's server is set up with the entry
> "somecomp.com  MUST_NOPEERMATCH" is specified in tls_per_site and
> consequently the message is not delivered when TLS fails. Is this because
> they have a self-signed certificate and we do not have the CA certificate
> for their root?
>
> In the second set of log entries, I am not certain if the message is
> delivered over the TLS connection or not. Is there some entry I can search
> my logs for to find out if any messages are being successfully transmitted
> over TLS?

This information is not part of routine logs. You can turn up TLS
logging, but I would not turn up smtp_tls_loglevel all the way, as
that also shows all the protocol negotiation stuff.

        Wietse
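
Added example, not part of the original post and not Postfix code: with smtpd_tls_received_header = yes on the receiving server, the TLS details appear as a comment in the Received: header, and a script can extract them per hop. The header layout matched here, the sample message, and the tls_hops helper are assumptions made for illustration; only the topmost Received: header, written by your own server, is authoritative, because a sender can forge the ones below it.

```python
import email
import re

# Constructed sample; hostnames, addresses and queue IDs are placeholders.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\t(No client certificate requested)
\tby mx.example.org (Postfix) with ESMTP id 4A1B2C3D4E
\tfor <user@example.org>; Fri, 22 Aug 2008 10:07:20 -0400 (EDT)
Received: from client.example.net (client.example.net [192.0.2.55])
\tby mail.example.net (Postfix) with ESMTP id 9F8E7D6C5B
\tfor <user@example.org>; Fri, 22 Aug 2008 10:07:18 -0400 (EDT)
From: sender@example.net
To: user@example.org
Subject: constructed test

body
"""

# Assumed comment layout: (using <protocol> with cipher <name> (<used>/<max> bits) ...)
TLS_RE = re.compile(
    r"\(using\s+(?P<protocol>\S+)\s+with\s+cipher\s+(?P<cipher>\S+)"
    r"\s+\((?P<used>\d+)/(?P<max>\d+)\s+bits\)"
)
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def tls_hops(raw_message):
    """Return one dict per Received: header, newest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        sender, receiver = FROM_RE.search(flat), BY_RE.search(flat)
        tls = TLS_RE.search(flat)
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "tls": tls.groupdict() if tls else None,  # None: no TLS comment
        })
    return hops


if __name__ == "__main__":
    for hop in tls_hops(SAMPLE):
        print(hop["from"], "->", hop["by"], ":", hop["tls"] or "no TLS recorded")
```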
Re: Questions concerning TLS

Jerry-107
On Fri, 22 Aug 2008 10:07:20 -0400 (EDT)
[hidden email] (Wietse Venema) wrote:

> Postfix can add TLS message headers while RECEIVING mail.
>
> /etc/postfix/main.cf:
>     smtpd_tls_received_header = yes
>
> Postfix currently does not add TLS message headers while delivering
> mail. Adding such a header would not be a big deal. The code just
> does not exist because no-one has needed it.

Personally, I would be in favor of it, if it really is not a big deal
nor going to take up too much of your time.

--
Jerry
[hidden email]

