[Dovecot] Requiring STARTTLS only on some networks
Phil Howard
ttiphil at gmail.com
Fri May 7 18:29:14 EEST 2010
On Fri, May 7, 2010 at 11:07, Pascal Volk <user+dovecot at localhost.localdomain.org> wrote:
> On 05/07/2010 04:35 PM Phil Howard wrote:
>
> > Do you know if the remote address gets passed from Postfix on to Dovecot
> > through the authentication connection (when Dovecot is doing the
> > authentication for Postfix mail submission) so that these same remote
> > rules apply?
>
> Hm, doesn't look so, as if Postfix would forward this info (remote host)
> to Dovecot. Even when I connect from a 'disable_plaintext_auth = no
> network' to Postfix (2.6.5), Postfix offers:
> 250-STARTTLS
> 250-AUTH DIGEST-MD5 CRAM-MD5
>
> But the SSL/TLS state should be forwarded from Postfix to Dovecot:
> http://www.mail-archive.com/postfix-users@postfix.org/msg10590.html
>
Then I guess I will need to still run a separate always-SSL/TLS submission
port (e.g. 587). I can easily restrict which ports can be reached by which
address ranges on the firewall. But I can't (on the firewall) force use of
STARTTLS (which http://wiki.dovecot.org/SSL seems to be encouraging the use
of).
At least with IMAP and POP I can just use the one port (each ... 143 and
110) and force STARTTLS on untrusted addresses.
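As an added illustration of the two-port layout discussed above (this is example configuration written for this page, not anything posted in the thread or shipped by the Dovecot or Postfix projects), the fragment below forces STARTTLS on IMAP/POP for everything except one trusted network and puts SMTP submission on a TLS-only port. The Dovecot part assumes 2.x configuration syntax with `remote {}` blocks, as described on the wiki SSL page; the network range, certificate paths and hostnames are placeholders.

```conf
# --- dovecot.conf (Dovecot 2.x syntax, assumed) ---
# Default policy: plaintext authentication is refused unless the session is
# already TLS-protected, so IMAP (143) and POP3 (110) clients on untrusted
# networks must issue STARTTLS before they can log in.
ssl = yes
ssl_cert = </etc/ssl/certs/mail.example.org.pem      # hypothetical paths
ssl_key  = </etc/ssl/private/mail.example.org.key
disable_plaintext_auth = yes

# Trusted LAN (hypothetical range): plaintext auth allowed without STARTTLS.
remote 192.168.1.0/24 {
  disable_plaintext_auth = no
}

# Auth socket that Postfix's smtpd uses for SASL (path is inside Postfix's
# chroot/queue directory so the relative smtpd_sasl_path below resolves to it).
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# --- Postfix master.cf ---
# Dedicated submission port 587: TLS is mandatory (encrypt), so AUTH is never
# reachable in the clear regardless of the client's source address. Which
# source ranges may reach 587 at all is left to the firewall.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_tls_auth_only=yes

# --- Postfix main.cf ---
# Port 25 keeps STARTTLS opportunistic for inbound MTA-to-MTA mail, but
# smtpd_tls_auth_only stops smtpd from advertising AUTH until STARTTLS has
# completed, so the "250-AUTH ..." line only appears on an encrypted session.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
```

After changing master.cf and main.cf, reload Postfix and confirm with a plain `telnet mail.example.org 25` followed by `EHLO test` that `250-STARTTLS` is offered but no `250-AUTH` line appears before STARTTLS; on 587 the same EHLO should list STARTTLS and nothing else usable until the session is encrypted. For Dovecot, `doveconf -n` shows the merged settings, and an IMAP `LOGIN` attempt from outside 192.168.1.0/24 over a plaintext connection should be rejected with a message requiring STARTTLS.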