UnTrusted CN presented

Mal
Wondering if anyone knows if it's possible to log the certificate CN presented when Postfix logs "Untrusted TLS connection established from.."

Postfix logs the 'UnTrusted' event well, but I'd like to know if you can see the CN of the certificate presented by the other party..

Regards,
Mal



Re: UnTrusted CN presented

Viktor Dukhovni

> On Jul 12, 2017, at 10:46 PM, Mal <[hidden email]> wrote:
>
> Wondering if anyone knows if it's possible to log the certificate CN presented when Postfix logs "Untrusted TLS connection established from.."

That is not currently possible.  Unconditional logging of the peer certificate
metadata is possible, but the interface is not documented, because a more flexible
logging interface is needed in the long term, and just cluttering the current logging
interface with more features that have to be supported long-term is not a good idea,
if we want to overhaul how logging works in the future.

I am somewhat surprised you say "...established from..." since that would be the SMTP
server, and the connection would be from an SMTP client, and these very rarely have
TLS certificates to present (and most servers do not request client certificates).

--
        Viktor.
Re: UnTrusted CN presented

Mal

I see..

Would you be able to let me know how to enable the undocumented peer
metadata logfile?  If it's a separate logfile, that won't be an issue.
I would like to see if that provides the data I am after.

In this case, these "...established from..." entries are the remote
party servers.  Was that not clear?

Mal



On 13/07/2017 2:46 PM, Viktor Dukhovni wrote:

>
>> On Jul 12, 2017, at 10:46 PM, Mal <[hidden email]> wrote:
>>
>> Wondering if anyone knows if it's possible to log the certificate CN presented when Postfix logs "Untrusted TLS connection established from.."
>
> That is not currently possible.  Unconditional logging of the peer certificate
> metadata is possible, but the interface is not documented, because a more flexible
> logging interface is needed in the long term, and just cluttering the current logging
> interface with more features that have to be supported long-term is not a good idea,
> if we want to overhaul how logging works in the future.
>
> I am somewhat surprised you say "...established from..." since that would be the SMTP
> server, and the connection would be from an SMTP client, and these very rarely have
> TLS certificates to present (and most servers do not request client certificates).
>
Re: UnTrusted CN presented

Viktor Dukhovni
On Thu, Jul 13, 2017 at 09:01:40PM +0930, Mal wrote:

> Would you be able to let me know how to enable the undocumented peer
> metadata logfile?

Not logfile, rather an additional log entry sent to the syslog mail
log.

> In this case, these "...established from..." entries are the remote
> party servers.  Was that not clear?

What was not clear is whether you're trying to log:

    (1). The CNs of certificates of remote SMTP clients from which
    your server is *receiving* mail, or

    (2). The CNs of certificates of remote SMTP servers to which
    your server is sending email.


The "...established from..." context suggests (2), but in that case
there are generally no certificates to log.  Have you configured
your server to request client certificates?  Why?  Is this a
submission service?

What version of Postfix are you using?

--
        Viktor.
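The thread turns on which side of the connection an "...established from..." line describes. As an added example (not code from the thread or from the Postfix project), the script below parses the trust-level lines Postfix writes to the syslog mail log and separates them by direction: "from" lines are written by smtpd (the local server receiving mail, so any peer certificate would be a client certificate), while "to" lines are written by the smtp client (the local side sending mail, so the peer certificate is the remote server's). The log lines are constructed samples in the shape Postfix uses; the hostnames and addresses are documentation values. Field names such as `role` and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample of a Postfix syslog mail log (example hosts/addresses,
# not real peers). One non-TLS line is included to show it is ignored.
SAMPLE_LOG = """\
Jul 13 02:46:01 mx1 postfix/smtpd[12345]: Untrusted TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 13 02:47:15 mx1 postfix/smtp[12350]: Untrusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 13 02:48:02 mx1 postfix/smtp[12351]: Verified TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 13 02:49:30 mx1 postfix/smtpd[12352]: Anonymous TLS connection established from client.example.net[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 13 02:50:00 mx1 postfix/smtp[12353]: Trusted TLS connection established to mx2.example.org[198.51.100.8]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 13 02:51:11 mx1 postfix/qmgr[12300]: 4A1B2C3D4E: removed
"""

# Postfix trust levels for a TLS session: Anonymous (no peer certificate),
# Untrusted (certificate presented but not validated), Trusted, Verified.
TLS_LINE = re.compile(
    r"postfix/(?P<proc>smtpd?)\[\d+\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?::(?P<port>\d+))?: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def parse_tls_line(line):
    """Return a dict of fields for a TLS-established log line, or None."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Outbound (smtp) lines carry the remote port; inbound (smtpd) lines do not.
    rec["port"] = int(rec["port"]) if rec["port"] else None
    # "from" = our smtpd accepted a connection (inbound, peer is an SMTP client);
    # "to"   = our smtp client connected out (outbound, peer is an SMTP server).
    rec["role"] = "inbound" if rec["direction"] == "from" else "outbound"
    return rec


def summarize(log_text):
    """Count sessions per (role, trust level) and collect unverified peers."""
    counts = Counter()
    unverified_peers = {"inbound": set(), "outbound": set()}
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if rec is None:
            continue
        counts[(rec["role"], rec["level"])] += 1
        if rec["level"] in ("Anonymous", "Untrusted"):
            unverified_peers[rec["role"]].add(rec["host"])
    return counts, unverified_peers


if __name__ == "__main__":
    counts, peers = summarize(SAMPLE_LOG)
    for (role, level), n in sorted(counts.items()):
        print(f"{role:8} {level:10} {n}")
    for role, hosts in peers.items():
        print(f"unverified {role} peers: {sorted(hosts)}")
```

Run against a real mail log, the outbound set is the list of destination servers whose certificate Postfix could not validate; the inbound set will usually be nearly every client, since, as the reply above notes, SMTP clients rarely present certificates at all. Neither set contains a CN, because the standard log line does not carry one.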