Hi!
I am trying to log all SMTP AUTH sessions which do not actually send mail.
Therefore I mark whether a session reaches DATA in acl_smtp_data with:

  warn set acl_c_datareached = yes
For "acl_smtp_noquit" I use:

  logwrite = H=$sender_fullhost NOQUIT port=$interface_port\
             ${if ! eq{$tls_in_cipher}{} { X=$tls_in_cipher}}\
             ${if and {\
                 {! def:acl_c_datareached}\
                 {! eq{$authenticated_id}{}}\
             } { A=$sender_host_authenticated:$authenticated_id}}
In acl_smtp_quit I use the same with s/NOQUIT/OKQUIT/.
Since we only allow SMTP AUTH after STARTTLS or on legacy SMTPS/465, I wondered
why I end up with log lines that are missing the X=<cipher> tag.
I tcpdump'ed one host with a missing cipher. The handshake shows:

  Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
At the end I see an "Encrypted Alert" packet and finally a RST,ACK packet.
Does this tear down the TLS connection in a way that makes Exim clear $tls_in_cipher
again?
Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> |
http://www.blafasel.at/
Vienna University Computer Center | Austria
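As an added example that is not part of the original post: a small Python script that parses the log lines produced by the logwrite above (H=<host> NOQUIT|OKQUIT port=<n> [X=<cipher>] [A=<authenticator>:<id>]), counts authenticated sessions that never reached DATA per client IP and user, and separately reports the anomaly discussed in the post, an A= tag with no X= tag. The sample log lines, host names, IP addresses and user names are constructed for the example and are not from the original post or from any real Exim log.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original post). The message part
# follows the logwrite format from the ACL above; timestamps mimic the
# Exim main log layout.
SAMPLE_LOG = """\
2024-01-01 10:00:01 H=(mua.example.test) [192.0.2.10] OKQUIT port=587 X=TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 A=plain:alice
2024-01-01 10:00:02 H=[198.51.100.7] NOQUIT port=587 A=login:bob
2024-01-01 10:00:03 H=(mx.example.test) [203.0.113.5] OKQUIT port=25 X=TLS_AES_256_GCM_SHA384
2024-01-01 10:00:04 H=[198.51.100.7] NOQUIT port=587 A=login:bob
2024-01-01 10:00:05 H=[198.51.100.7] NOQUIT port=465 X=TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 A=login:bob
"""

# $sender_fullhost may contain spaces ("(helo) [ip]"), so the host group is
# non-greedy and terminated by the NOQUIT/OKQUIT marker. X= and A= are optional,
# exactly as the ${if ...} expansions in the logwrite make them.
LINE_RE = re.compile(
    r"H=(?P<host>.+?) (?P<quit>NOQUIT|OKQUIT) port=(?P<port>\d+)"
    r"(?: X=(?P<cipher>\S+))?"
    r"(?: A=(?P<auth>[^:\s]+):(?P<user>\S+))?\s*$"
)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_line(line):
    """Return a dict of the tagged fields, or None if the line is not one of ours."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    ip = IP_RE.search(rec["host"])
    rec["ip"] = ip.group(1) if ip else rec["host"]
    rec["port"] = int(rec["port"])
    return rec


def analyse(text):
    """Return (Counter of (ip, user) -> auth sessions without DATA,
    list of records that carry A= but no X=)."""
    auth_no_data = Counter()
    missing_cipher = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] is None:
            continue  # not one of our lines, or not an authenticated no-DATA session
        # The ACL only writes A= when the session authenticated but never
        # reached DATA, so every A= line is an "AUTH without mail" event.
        auth_no_data[(rec["ip"], rec["user"])] += 1
        # AUTH is only permitted after STARTTLS or on SMTPS, so a missing
        # X= tag here is the anomaly the post asks about.
        if rec["cipher"] is None:
            missing_cipher.append(rec)
    return auth_no_data, missing_cipher


if __name__ == "__main__":
    counts, missing = analyse(SAMPLE_LOG)
    for (ip, user), n in counts.most_common():
        print(f"{ip} {user}: {n} authenticated session(s) without DATA")
    for rec in missing:
        print(f"no cipher recorded: {rec['ip']} port {rec['port']} "
              f"{rec['quit']} user {rec['user']}")
```

Run it against a real main log with `analyse(open("/var/log/exim4/mainlog").read())` (path assumed; adjust to your installation). A high count for one (ip, user) pair is the pattern worth alerting on, and the missing-cipher list isolates the sessions to compare against a capture, as done in the post.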