Extract TLS requiretls feature data from 'postfix_tls'

whyscream · whyscream · commit 7b4ceb526234 · 2025-11-29T17:38:37.000+01:00
Also switch to named captures when possible
diff --git a/50-filter-postfix.conf b/50-filter-postfix.conf
@@ -299,7 +299,10 @@ filter {
         ]
         gsub => [
             # rewrite some extracted values
-            "postfix_tls_policy_undecided", "\?", "true"
+            "postfix_tls_policy_undecided", "\?", "true",
+            "postfix_tls_requiretls_undecided", "\?", "true",
+            "postfix_tls_requiretls_policy_violation", "\!", "true",
+            "postfix_tls_requiretls", "requiretls", "true"
         ]
     }
 }
diff --git a/postfix.grok b/postfix.grok
@@ -122,8 +122,8 @@ POSTFIX_VERIFY_CACHE cache %{DATA} (?<postfix_verify_cleanup_type>(full|partial)
 POSTFIX_LOCAL_DELIVERY %{POSTFIX_KEYVALUE} status=%{STATUS_WORD:postfix_status}( \(%{GREEDYDATA:postfix_local_response}\))?
 
 # TLS features
-POSTFIX_TLS_POLICY_UNDECIDED \?
-POSTFIX_TLS_FEATURES %{STATUS_WORD:postfix_tls_security_level}(:%{STATUS_WORD:postfix_tls_downgrade_level})?(%{POSTFIX_TLS_POLICY_UNDECIDED:postfix_tls_policy_undecided})?
+POSTFIX_TLS_FEAT_REQUIRETLS (?<postfix_tls_requiretls_policy_violation>\!)?(?<postfix_tls_requiretls>requiretls)(:%{STATUS_WORD:postfix_tls_requiretls_downgrade_level})?(?<postfix_tls_requiretls_undecided>\?)?
+POSTFIX_TLS_FEATURES %{STATUS_WORD:postfix_tls_security_level}(:%{STATUS_WORD:postfix_tls_downgrade_level})?(?<postfix_tls_policy_undecided>\?)?(/%{POSTFIX_TLS_FEAT_REQUIRETLS})?
 
 # aggregate all patterns
 POSTFIX_SMTPD %{POSTFIX_SMTPD_CONNECT}|%{POSTFIX_SMTPD_DISCONNECT}|%{POSTFIX_SMTPD_LOSTCONN}|%{POSTFIX_SMTPD_NOQUEUE}|%{POSTFIX_SMTPD_PIPELINING}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_SMTPD_PROXY}|%{POSTFIX_KEYVALUE}
diff --git a/test/tls_features_0010.yaml b/test/tls_features_0010.yaml
@@ -0,0 +1,5 @@
+pattern: "^%{POSTFIX_TLS_FEATURES}$"
+data: "dane/requiretls"
+results:
+    postfix_tls_security_level: dane
+    postfix_tls_requiretls: requiretls
diff --git a/test/tls_features_0011.yaml b/test/tls_features_0011.yaml
@@ -0,0 +1,6 @@
+pattern: "^%{POSTFIX_TLS_FEATURES}$"
+data: "dane/requiretls?"
+results:
+    postfix_tls_security_level: dane
+    postfix_tls_requiretls: requiretls
+    postfix_tls_requiretls_undecided: "?"
diff --git a/test/tls_features_0012.yaml b/test/tls_features_0012.yaml
@@ -0,0 +1,7 @@
+pattern: "^%{POSTFIX_TLS_FEATURES}$"
+data: "dane/!requiretls:nostarttls"
+results:
+    postfix_tls_security_level: dane
+    postfix_tls_requiretls: requiretls
+    postfix_tls_requiretls_policy_violation: "!"
+    postfix_tls_requiretls_downgrade_level: nostarttls
diff --git a/test_pipeline.sh b/test_pipeline.sh
@@ -23,7 +23,7 @@ perform_cleanup() {
 trap perform_cleanup INT TERM
 
 echo Preparing input data
-echo "postfix/smtp[123]: 7EE668039: to=<admin@example.com>, relay=127.0.0.1[127.0.0.1]:2525, delay=3.6, delays=0.2/0.02/0.04/3.3, dsn=2.0.0, tls=dane?, status=sent (250 2.0.0 Ok: queued as 153053D)" > "$INPUT"
+echo "postfix/smtp[123]: 7EE668039: to=<admin@example.com>, relay=127.0.0.1[127.0.0.1]:2525, delay=3.6, delays=0.2/0.02/0.04/3.3, dsn=2.0.0, tls=dane/!requiretls:nostarttls, status=sent (250 2.0.0 Ok: queued as 153053D)" > "$INPUT"
 
 echo Preparing pipeline config
 cat > "$PIPELINE" << EOF

Original file line number	Diff line number	Diff line change
`@@ -299,7 +299,10 @@ filter {`
`299`	`299`	`]`
`300`	`300`	`gsub => [`
`301`	`301`	`# rewrite some extracted values`
`302`		`- "postfix_tls_policy_undecided", "\?", "true"`
	`302`	`+ "postfix_tls_policy_undecided", "\?", "true",`
	`303`	`+ "postfix_tls_requiretls_undecided", "\?", "true",`
	`304`	`+ "postfix_tls_requiretls_policy_violation", "\!", "true",`
	`305`	`+ "postfix_tls_requiretls", "requiretls", "true"`
`303`	`306`	`]`
`304`	`307`	`}`
`305`	`308`	`}`