On Mon, Jun 16, 2014 at 07:58:25AM +0100, Jeremy Harris wrote:
> ... is noisy in mainlog. It has been forever, I think;
> the code line has always (in git terms) been there.
> Perhaps it's only the growth in use of certificates.
> You get blocks like:

Possible model approach:

Postfix only logs certificate verification errors when it cares
about the result or when TLS logging is substantially verbose
(we have a tls_loglevel ranging from 0 to 4).

http://www.postfix.org/postconf.5.html#smtp_tls_loglevel

With opportunistic TLS, verification errors are not logged at
the recommended log level of 1.

Secondly, when not verbose, verification errors are not reported
in the verify callback itself. Rather, a single (the "most
serious") error observed is reported at the completion of the
handshake. An error is more serious if its depth is closer to
the leaf certificate; for errors at the same depth, the first
one reported is used. This in practice tends to report the
most relevant problem and not pollute the logs with multiple
errors for the same chain.

--
Viktor.
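
The selection rule described in the message above, as an added sketch in C that is not code from Postfix, Exim or the original post. All names, the error codes, the sample callback sequence and the verbose threshold of 2 are assumptions made for illustration.

```c
#include <stdio.h>

enum { ERR_NONE, ERR_UNTRUSTED_ROOT, ERR_EXPIRED, ERR_BAD_PURPOSE }; /* constructed codes */
#define VERBOSE_LEVEL 2   /* assumed threshold for per-error logging */

struct verify_state {     /* hypothetical per-connection state */
    int depth, code;      /* recorded error; depth is -1 if none, 0 = leaf */
    int loglevel, must_verify; /* 0..4; nonzero when policy depends on the result */
    int lines;            /* log lines emitted so far */
};

/* Verify-callback side: invoked once per error found in the chain. */
static void on_verify_error(struct verify_state *s, int depth, int code)
{
    if (s->loglevel >= VERBOSE_LEVEL) {   /* verbose: log each error as seen */
        printf("verify error: depth=%d code=%d\n", depth, code);
        s->lines++;
    }
    if (s->depth < 0 || depth < s->depth) { /* strict '<': first seen wins at equal depth */
        s->depth = depth;
        s->code = code;
    }
}

/* Handshake-completion side: at most one summary line per connection. */
static int on_handshake_done(struct verify_state *s)
{
    if (s->code == ERR_NONE || !s->must_verify) return ERR_NONE; /* opportunistic: quiet */
    printf("certificate verification failed: depth=%d code=%d\n", s->depth, s->code);
    s->lines++;
    return s->code;
}

/* Replay a constructed callback sequence; returns the code reported at the end. */
int replay(int loglevel, int must_verify, int *lines)
{
    static const int ev[][2] = { {2, ERR_UNTRUSTED_ROOT}, {1, ERR_EXPIRED}, {1, ERR_BAD_PURPOSE} };
    struct verify_state s = { -1, ERR_NONE, loglevel, must_verify, 0 };
    for (size_t i = 0; i < sizeof ev / sizeof ev[0]; i++)
        on_verify_error(&s, ev[i][0], ev[i][1]);
    int reported = on_handshake_done(&s);
    *lines = s.lines;
    return reported;
}

int main(void)
{
    int n, code = replay(1, 1, &n);
    return printf("reported code=%d, %d log line(s)\n", code, n) < 0;
}
```

In a real OpenSSL verify callback the depth and code would come from `X509_STORE_CTX_get_error_depth()` and `X509_STORE_CTX_get_error()`, with the state attached to the connection.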