postfix-users October 2010 archive

Re: smtp_tls_note_starttls_offer=yes not working?

From: Victor Duchovni <Victor.Duchovni_at_nospam>
Date: Mon Oct 18 2010 - 21:30:49 GMT
To: postfix-users@postfix.org

On Mon, Oct 18, 2010 at 02:24:06PM -0700, Yang Zhang wrote:

> According to the docs [1, 2], "smtp_tls_note_starttls_offer=yes"
> should log when a server offers STARTTLS.

Yes, when TLS is offered, but not used, because you have not enabled
opportunistic TLS, or when an opportunistic handshake fails and is
re-tried in plaintext.

        /*
         * Optionally log unused STARTTLS opportunities.
         */
        if ((session->features & SMTP_FEATURE_STARTTLS) &&
            var_smtp_tls_note_starttls_offer &&
            session->tls_level <= TLS_LEV_NONE)
            msg_info("Host offered STARTTLS: [%s]", session->host);

If you have "smtp_tls_security_level = may" or stronger, this
configuration parameter is not terribly useful.

> However, I've been testing
> among my own SMTP servers, and while I can verify that TLS is being
> used (with "smtpd_tls_loglevel=1" on the smtpd side), I can't tell
> what TLS capabilities the smtp (client) is seeing. I'm using Postfix
> 2.7.0.

Don't know what TLS capabilities you have in mind, but the "note_tls_offer"
feature is a binary switch to log a missed opportunity to use "STARTTLS",
nothing more.

-- Viktor.
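Since the parameter only emits the one "Host offered STARTTLS: [host]" message shown in the quoted source, the practical follow-up is to mine the smtp(8) log for hosts that offered STARTTLS but were only ever reached in plaintext, i.e. the peers where enabling "smtp_tls_security_level = may" would actually gain encryption. The script below is an added example, not part of this thread or of Postfix; the log lines are constructed samples in Postfix's syslog format, and the "... TLS connection established to host[ip]:port:" lines are assumed to be the standard Postfix TLS session messages.

```python
import re
from collections import Counter

# Constructed sample lines in postfix/smtp syslog format. The
# "Host offered STARTTLS" message is the one smtp_tls_note_starttls_offer
# emits; the "TLS connection established" line is what a successful
# opportunistic handshake logs instead.
SAMPLE_LOG = """\
Oct 18 14:20:01 mx1 postfix/smtp[12345]: Host offered STARTTLS: [mail.example.com]
Oct 18 14:20:09 mx1 postfix/smtp[12345]: 3A1B2C3D4E: to=<bob@example.com>, relay=mail.example.com[192.0.2.25]:25, delay=0.5, status=sent (250 Ok)
Oct 18 14:21:05 mx1 postfix/smtp[12346]: Untrusted TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Oct 18 14:25:11 mx1 postfix/smtp[12347]: Host offered STARTTLS: [mail.example.com]
Oct 18 14:30:42 mx1 postfix/smtp[12348]: Host offered STARTTLS: [smtp.example.net]
"""

# Message format taken from the msg_info() call quoted above.
OFFER_RE = re.compile(r"postfix/smtp\[\d+\]: Host offered STARTTLS: \[([^\]]+)\]")
# Postfix logs the trust level (Untrusted/Trusted/Anonymous/Verified) before
# "TLS connection established to host[ip]:port".
ESTAB_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?:Untrusted|Trusted|Anonymous|Verified) "
    r"TLS connection established to ([^\[\s]+)\["
)


def missed_starttls(log_text):
    """Return {host: count} of plaintext sessions to hosts that offered
    STARTTLS and for which no TLS session appears anywhere in the log."""
    offered = Counter()
    established = set()
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            offered[m.group(1)] += 1
            continue
        m = ESTAB_RE.search(line)
        if m:
            established.add(m.group(1))
    return {host: n for host, n in offered.items() if host not in established}


if __name__ == "__main__":
    for host, n in sorted(missed_starttls(SAMPLE_LOG).items()):
        print(f"{host}: {n} plaintext session(s) although STARTTLS was offered")
```

Feed it the real log instead of SAMPLE_LOG; once "smtp_tls_security_level = may" is set the offer messages stop appearing, as the reply explains, so the script is only informative while TLS is still off.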