TLS Logging per MsgId


TLS Logging per MsgId

Matthias Schneider
Hi,

I would like to have the TLS state of a message in the final status=sent
log line.
Currently the TLS information is only findable by searching for the
smtp[pid]; on big mail logs this can result in many false positive search
results.

Jan  4 14:17:01 mailserver postfix/smtp[24344]: Anonymous TLS connection established to example.com[x.x.x.x]:25: TLSv1.2 with cipher AECDH-AES128-SHA (128/128 bits)
Jan  4 14:17:03 mailserver postfix/smtp[24344]: 3pH7lN0pKHzFGF5: to=<[hidden email]>, relay=example.com[x.x.x.x]:25, delay=3.7, delays=1.8/0/0.02/1.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B15171A072C)

Is there an easy way to add this to smtp.c?


Best Regards,

Matthias Schneider

Re: TLS Logging per MsgId

Wietse Venema
Matthias Schneider:

> Hi,
>
> I would like to have the TLS state of a message in the final status=sent
> log line.
> Currently the TLS information is only findable by searching for the
> smtp[pid]; on big mail logs this can result in many false positive search
> results.
>
> Jan  4 14:17:01 mailserver postfix/smtp[24344]: Anonymous TLS connection
> established to example.com[x.x.x.x]:25: TLSv1.2 with cipher
> AECDH-AES128-SHA (128/128 bits)
> Jan  4 14:17:03 mailserver postfix/smtp[24344]: 3pH7lN0pKHzFGF5:
> to=<[hidden email]>, relay=example.com[x.x.x.x]:25, delay=3.7,
> delays=1.8/0/0.02/1.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
> B15171A072C)
>
> Is there an easy way to add this to smtp.c?

No, but you could use a better stateful logfile analyzer. The TLS
session status is always logged with the name of the remote MTA
example.com[x.x.x.x]:25, and it is always logged before the status=
record.

        Wietse

Re: TLS Logging per MsgId

Matthias Schneider
On 04.01.2016 at 15:29, Wietse Venema wrote:

> Matthias Schneider:
>> Hi,
>>
>> I would like to have the TLS state of a message in the final status=sent
>> log line.
>> Currently the TLS information is only findable by searching for the
>> smtp[pid]; on big mail logs this can result in many false positive search
>> results.
>>
>> Jan  4 14:17:01 mailserver postfix/smtp[24344]: Anonymous TLS connection
>> established to example.com[x.x.x.x]:25: TLSv1.2 with cipher
>> AECDH-AES128-SHA (128/128 bits)
>> Jan  4 14:17:03 mailserver postfix/smtp[24344]: 3pH7lN0pKHzFGF5:
>> to=<[hidden email]>, relay=example.com[x.x.x.x]:25, delay=3.7,
>> delays=1.8/0/0.02/1.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
>> B15171A072C)
>>
>> Is there an easy way to add this to smtp.c?
> No, but you could use a better stateful logfile analyzer. The TLS
> session status is always logged with the name of the remote MTA
> example.com[x.x.x.x]:25, and it is always logged before the status=
> record.
>
> Wietse
Wietse, thank you for your support!
I already tried to solve it that way; unfortunately the close of the TLS
connection is not logged, so I cannot delete it from memory.

Best regards
Matthias Schneider

Re: TLS Logging per MsgId

Wietse Venema
Matthias Schneider:
> >> Is there an easy way to add this to smtp.c?
> > No, but you could use a better stateful logfile analyzer. The TLS
> > session status is always logged with the name of the remote MTA
> > example.com[x.x.x.x]:25, and it is always logged before the status=
> > record.

Matthias Schneider:
> Wietse, thank you for your support!
> I already tried to solve it that way; unfortunately the close of the TLS
> connection is not logged, so I cannot delete it from memory.

Consider that an smtp(8) process makes only one connection at a
time. The close is therefore implied when the smtp process logs a
new "TLS established" record, or when it logs any activity with
a different example.com[x.x.x.x]:25.

        Wietse
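Wietse's two rules (one connection per smtp(8) process, and the close is implied by the next "TLS connection established" record from that pid or by any activity with a different relay) are enough to build the stateful correlation Matthias asked for. The following Python script is an added example written for this page; it is not part of the thread and not Postfix or saftpresse code. The log lines it runs over are constructed to match the shape of the lines quoted above (RFC 5737 addresses, made-up queue IDs). It also parses the trust level Postfix puts at the start of the TLS record (Anonymous, Untrusted, Trusted or Verified), since that, rather than the mere presence of TLS, says whether the remote MTA was authenticated.

```python
import re

# Constructed sample log lines, shaped like the lines quoted in the thread
# (RFC 5737 test addresses, made-up queue IDs); not real mail log data.
SAMPLE_LOG = [
    "Jan  4 14:17:01 mailserver postfix/smtp[24344]: Anonymous TLS connection established to example.com[192.0.2.10]:25: TLSv1.2 with cipher AECDH-AES128-SHA (128/128 bits)",
    "Jan  4 14:17:03 mailserver postfix/smtp[24344]: 3pH7lN0pKHzFGF5: to=<a@example.com>, relay=example.com[192.0.2.10]:25, delay=3.7, delays=1.8/0/0.02/1.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B15171A072C)",
    # Second delivery over the same, still open connection: inherits the TLS state.
    "Jan  4 14:17:05 mailserver postfix/smtp[24344]: 3pH7lN0pKHzFGF6: to=<b@example.com>, relay=example.com[192.0.2.10]:25, delay=1.1, delays=0.5/0/0.01/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B15171A072D)",
    # Different relay with no TLS record in between: the old session is implicitly closed.
    "Jan  4 14:17:09 mailserver postfix/smtp[24344]: 3pH7lN0pKHzFGF7: to=<c@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=2.0, delays=0.9/0/0.1/1.0, dsn=2.0.0, status=sent (250 OK)",
    "Jan  4 14:17:12 mailserver postfix/smtp[24344]: Verified TLS connection established to mx.example.org[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jan  4 14:17:13 mailserver postfix/smtp[24344]: 3pH7lN0pKHzFGF8: to=<d@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.5, delays=0.7/0/0.05/0.8, dsn=2.0.0, status=sent (250 OK)",
    # Another smtp(8) process: state is per pid, so it does not inherit pid 24344's session.
    "Jan  4 14:17:20 mailserver postfix/smtp[24351]: 3pH7lN0pKHzFGG0: to=<e@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=0.9, delays=0.4/0/0.05/0.4, dsn=4.4.2, status=deferred (lost connection with mx.example.org[203.0.113.5] while sending RCPT TO)",
]

# "<level> TLS connection established to <relay>: <proto> with cipher <cipher> (<bits>)"
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<relay>.+?): (?P<protocol>\S+) with cipher (?P<cipher>\S+) \((?P<bits>[^)]*)\)"
)
# "<queueid>: to=<rcpt>, relay=<relay>, ..., status=<status> (...)"
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?status=(?P<status>\w+)"
)


def correlate_tls(lines):
    """Attach the TLS session state to each smtp(8) delivery record.

    State is kept per smtp[pid]. An smtp(8) process has one connection at a
    time, so a stored session stays valid until that pid logs a new
    "TLS connection established" record or any activity with a different
    relay; the close itself is never logged, so it is inferred from those.
    """
    sessions = {}   # pid -> dict(relay, level, protocol, cipher, bits)
    records = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            sessions[m["pid"]] = m.groupdict()   # a new session replaces any older one
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        pid, relay = m["pid"], m["relay"]
        sess = sessions.get(pid)
        if sess is not None and sess["relay"] != relay:
            # Activity with another relay: the previous connection is gone.
            del sessions[pid]
            sess = None
        tls = None
        if sess is not None:
            tls = {k: sess[k] for k in ("level", "protocol", "cipher", "bits")}
        records.append({"qid": m["qid"], "pid": pid, "rcpt": m["rcpt"],
                        "relay": relay, "status": m["status"], "tls": tls})
    return records


def format_record(rec):
    """Render the enriched status line the original poster asked for."""
    tls = rec["tls"]
    tls_str = f"{tls['level']}/{tls['protocol']}/{tls['cipher']}" if tls else "none"
    return (f"{rec['qid']}: to=<{rec['rcpt']}>, relay={rec['relay']}, "
            f"status={rec['status']}, tls={tls_str}")


def unauthenticated_deliveries(records):
    """Queue IDs delivered without peer authentication: no TLS record at all,
    or a session Postfix logged as Anonymous (no usable server certificate)
    or Untrusted (certificate present but not verified)."""
    return [r["qid"] for r in records
            if r["tls"] is None or r["tls"]["level"] in ("Anonymous", "Untrusted")]


if __name__ == "__main__":
    recs = correlate_tls(SAMPLE_LOG)
    for r in recs:
        print(format_record(r))
    print("no peer authentication:", unauthenticated_deliveries(recs))
```

Keying on the smtp[pid] alone is not enough: a pid that delivers to a second relay without a new TLS record was either talking in cleartext or its TLS record lies outside the slice of log being read, which is why the third delivery above is reported as tls=none instead of inheriting the earlier session. Pid reuse after a process exit is covered by the same invalidation rules. Note also that AECDH in Matthias's log is an anonymous cipher suite with no server certificate involved, which is why Postfix logged that session as Anonymous: encrypted, but without any authentication of example.com.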

Re: TLS Logging per MsgId

Markus Benning
On Monday, 04.01.2016, 10:21 -0500, Wietse Venema wrote:
> > > No, but you could use a better stateful logfile analyzer. The TLS
> > > session status is always logged with the name of the remote MTA
> > > example.com[x.x.x.x]:25, and it is always logged before the
> > > status=
> > > record.
> Consider that an smtp(8) process makes only one connection at a
> time. The close is therefore implied when the smtp process logs a
> new "TLS established" record, or when it logs any activity with
> a different example.com[x.x.x.x]:25.

My log analyser "saftpresse" implements this:

https://metacpan.org/release/Log-Saftpresse

There's a command-line interface "saftsumm" which tries to provide the
classic pflogsumm interface.
Try '--tls-stats'

The saftpresse command implements a non-blocking log analyser with
plugins. It is designed with output to Elasticsearch and Graphite in
mind.

The Postfix plugin included is based on the pflogsumm code but heavily
refactored and modularized.

There are currently no packages, but I plan to provide Debian packages and
a Docker image for non-Debian users.

Markus

Re: TLS Logging per MsgId

Markus Benning
On Monday, 04.01.2016, 20:40 +0100, Markus Benning wrote:

> My log analyser "saftpresse" implements this:
>
> https://metacpan.org/release/Log-Saftpresse
>
> There's a command-line interface "saftsumm" which tries to provide the
> classic pflogsumm interface.
> Try '--tls-stats'
>
> The saftpresse command implements a non-blocking log analyser with
> plugins. It is designed with output to Elasticsearch and Graphite in
> mind.
>
> The Postfix plugin included is based on the pflogsumm code but heavily
> refactored and modularized.
>
> There are currently no packages, but I plan to provide Debian packages
> and
> a Docker image for non-Debian users.

I released 1.3 with some minor improvements and built Debian jessie
packages for it. To install the packages use:

$ apt-get install -y apt-transport-https
$ curl https://markusbenning.de/debian/repo.gpg.key | apt-key add -
$ curl -o /etc/apt/sources.list.d/markusbenning.list \
     "https://markusbenning.de/debian/markusbenning.list"
$ apt-get update
$ apt-get install -y saftpresse


Markus

Re: TLS Logging per MsgId

Quanah Gibson-Mount-3
--On Wednesday, January 06, 2016 11:58 PM +0100 Markus Benning
<[hidden email]> wrote:

> On Monday, 04.01.2016, 20:40 +0100, Markus Benning wrote:
>> My log analyser "saftpresse" implements this:
>>
>> https://metacpan.org/release/Log-Saftpresse
>>
>> There's a command-line interface "saftsumm" which tries to provide the
>> classic pflogsumm interface.
>> Try '--tls-stats'
>>
>> The saftpresse command implements a non-blocking log analyser with
>> plugins. It is designed with output to Elasticsearch and Graphite in
>> mind.
>>
>> The Postfix plugin included is based on the pflogsumm code but heavily
>> refactored and modularized.

Hi Markus,

This sounds pretty cool.  Does it take care of the issue of handling
logging when multiple milters etc. are in place?

--Quanah



--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration