How do I log tls-encrypted smtp traffic?

Johannes Ernst asked:

I’d like to know what my local postfix says to the Amazon SES smtpd after the STARTTLS. In plain text, so I can understand it. Amazon SES requires TLS, so I can’t temporarily turn it off.

I currently log both legs of the traffic with this trick:

mkfifo proxypipe
cat proxypipe | nc -l 11111 | tee -a inflow | nc smtp | tee -a outflow 1>proxypipe

and then I have postfix talk to localhost:11111 instead of This produces a nice transcript, as long as they are talking in clear text. As soon as STARTTLS shows up, everything turns gibberish of course.

Is there some trick I can route this through openssl, or post-process using openssl or something like that, to figure out what exactly they said to each other? Googling has not produced any answer.

My answer:

Don’t bother with sniffing the network connection; as @voretaq7 explained, you can’t. Instead, have postfix log the connection by adding the IP address of the remote SMTP server to debug_peer_list.

And if that doesn’t get you enough detail to understand what’s going on, you can set smtp_tls_loglevel 4 to get a complete dump of everything that went over the wire.

Once you’re done, be sure to change your configuration back. You don’t want to leave debugging on for any longer than absolutely necessary.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.