[Postfixbuch-users] policy delegation: no ccert_* values despite postfix 2.2.11

Jan P. Kessler postfix at jpkessler.info
Fri Nov 24 18:59:19 CET 2006


Hello list,

I took a look at policy delegation and used the example from 
examples/smtpd-policy/greylist.pl for it. What puzzled me was that 
the ccert_* values apparently are not passed along:

Nov 24 17:00:23 mail postfix/smtpd[6953]: connect from ilpostino.jpberlin.BLA[213.203.238.6]
Nov 24 17:00:23 mail postfix/smtpd[6953]: setting up TLS connection from ilpostino.jpberlin.BLA[213.203.238.6]
Nov 24 17:00:24 mail postfix/smtpd[6953]: certificate verification failed for ilpostino.jpberlin.BLA: num=19:self signed certificate in certificate chain
Nov 24 17:00:24 mail postfix/smtpd[6953]: fingerprint=75:D8:A1:1D:96:A9:A4:1B:BA:95:A2:45:A6:E1:63:50
Nov 24 17:00:24 mail postfix/smtpd[6953]: Unverified: subject_CN=, issuer=ilpostino.jpberlin.BLA
Nov 24 17:00:24 mail postfix/smtpd[6953]: TLS connection established from ilpostino.jpberlin.BLA[213.203.238.6]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: protocol_state=RCPT
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: request=smtpd_access_policy
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: ccert_fingerprint=
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: recipient=postfix at jpkessler.BLA
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: instance=1b29.45671718.0
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: size=3392
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: protocol_name=ESMTP
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: ccert_issuer=
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: helo_name=ilpostino.jpberlin.BLA
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: sender=postfixbuch-users-bounces at listi.jpberlin.BLA
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: queue_id=
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: client_address=213.203.238.6
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: client_name=ilpostino.jpberlin.BLA
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: etrn_domain=
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: ccert_subject=
Nov 24 17:00:24 mail test-policyd[6954]: Action: dunno
Nov 24 17:00:24 mail postfix/smtpd[6953]: 1BEBF803A: client=ilpostino.jpberlin.BLA[213.203.238.6]
Nov 24 17:00:24 mail postfix/cleanup[6955]: 1BEBF803A: message-id=<02ae01c70fe1$9ee51520$2300a8c0 at twostepsone>
Nov 24 17:00:24 mail postfix/qmgr[6907]: 1BEBF803A: from=<postfixbuch-users-bounces at listi.jpberlin.BLA>, size=3722, nrcpt=1 (queue active)
Nov 24 17:00:24 mail postfix/smtpd[6953]: disconnect from ilpostino.jpberlin.BLA[213.203.238.6]
Nov 24 17:00:24 mail postfix/smtp[6956]: 1BEBF803A: to=<postfix at jpkessler.BLA>, relay=gw1.jpkessler.de[192.168.1.1], delay=0, status=sent (250 Ok: queued as 265165D4001)
Nov 24 17:00:24 mail postfix/qmgr[6907]: 1BEBF803A: removed

# 1 jobs, root at mail.jpkessler.BLA:/etc/postfix # postconf |grep -i mail_version
mail_version = 2.2.11

According to 
http://www.postfix.org/SMTPD_POLICY_README.html#protocol, shouldn't the 
values be passed along? Surely it can't be the invocation via 
smtpd_recipient_restrictions; the TLS parameters have long been known 
by that point, haven't they?

Now, first some details:

master.cf:
----------
# policy daemon
policy  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/perl /usr/local/postfix/sbin/test-policyd.pl -v

main.cf
--------
# Restriction Classes
smtpd_restriction_classes       = [...], policycheck
#
[...]
policycheck                  = check_policy_service unix:private/policy
#
smtpd_recipient_restrictions    = permit_mynetworks,
                                  reject_unauth_destination,
                                  [...],
                                  check_recipient_access btree:/etc/postfix/POLICYCHECK

/etc/postfix/POLICYCHECK:
-------------------------------
postfix at jpkessler.BLA  policycheck

The input loop from the example is of course unchanged, and the regex 
matches as well:

while (<STDIN>) {
    if (/([^=]+)=(.*)\n/) {
        $attr{substr($1, 0, 512)} = substr($2, 0, 512);
    } elsif ($_ eq "\n") {
        if ($verbose) {
            for (keys %attr) {
                syslog $syslog_priority, "Attribute: %s=%s", $_, $attr{$_};
            }
  [...]

Regards, Jan
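
An added example, not part of the original post and not Postfix code: a small log audit that pairs each policy request logged by the verbose example daemon with the TLS verification result smtpd logged for the same client, and lists which ccert_* attributes arrived empty. The function name `audit`, the sample log (constructed, modelled on the one above) and the assumption that each syslog entry is on one line are mine.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log in the post (documentation names/addresses).
SAMPLE_LOG = """\
Nov 24 17:00:24 mail postfix/smtpd[6953]: certificate verification failed for client.example: num=19:self signed certificate in certificate chain
Nov 24 17:00:24 mail postfix/smtpd[6953]: TLS connection established from client.example[192.0.2.6]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: ccert_fingerprint=
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: client_address=192.0.2.6
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: ccert_issuer=
Nov 24 17:00:24 mail test-policyd[6954]: Attribute: ccert_subject=
Nov 24 17:00:24 mail test-policyd[6954]: Action: dunno
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ ([^\[\s]+)\[(\d+)\]: (.*)$")
VERIFY_FAIL = re.compile(r"certificate verification failed for \S+: (.*)")
TLS_UP = re.compile(r"TLS connection established from \S+\[([^\]]+)\]")
ATTR = re.compile(r"Attribute: ([^=]+)=(.*)")

def audit(log_text, policy_prog="test-policyd"):
    """Return one report per policy request: TLS status and empty ccert_* names."""
    failed = {}                 # smtpd pid -> verification error not yet tied to a client
    tls = {}                    # client address -> verification error, or None if none logged
    attrs = defaultdict(dict)   # policy daemon pid -> attributes of the request in progress
    reports = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        prog, pid, msg = m.groups()
        if prog == "postfix/smtpd":
            fail, up = VERIFY_FAIL.search(msg), TLS_UP.search(msg)
            if fail:
                failed[pid] = fail.group(1)
            elif up:
                tls[up.group(1)] = failed.pop(pid, None)
        elif prog == policy_prog:
            attr = ATTR.match(msg)
            if attr:
                attrs[pid][attr.group(1)] = attr.group(2)
            elif msg.startswith("Action:"):   # the example daemon logs this last
                req = attrs.pop(pid, {})
                addr = req.get("client_address")
                ccert = {k: v for k, v in req.items() if k.startswith("ccert_")}
                reports.append({"client": addr, "tls_seen": addr in tls,
                                "verify_error": tls.get(addr),
                                "empty_ccert": sorted(k for k, v in ccert.items() if not v),
                                "action": msg.split(":", 1)[1].strip()})
    return reports

if __name__ == "__main__":
    for report in audit(SAMPLE_LOG):
        print(report)
```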
