[Dovecot] Requiring STARTTLS only on some networks

Phil Howard ttiphil at gmail.com
Fri May 7 18:29:14 EEST 2010


On Fri, May 7, 2010 at 11:07, Pascal Volk <user+dovecot at localhost.localdomain.org> wrote:

> On 05/07/2010 04:35 PM Phil Howard wrote:
>
> > Do you know if the remote address gets passed from Postfix on to Dovecot
> > through the authentication connection (when Dovecot is doing the
> > authentication for Postfix mail submission) so that these same remote
> > rules apply?
>
> Hm, doesn't look so, as if Postfix would forward this info (remote host)
> to Dovecot. Even when I connect from a 'disable_plaintext_auth = no
> network' to Postfix (2.6.5), Postfix offers:
> 250-STARTTLS
> 250-AUTH DIGEST-MD5 CRAM-MD5
>
> But the SSL/TLS state should be forwarded from Postfix to Dovecot:
> http://www.mail-archive.com/postfix-users@postfix.org/msg10590.html
>

Then I guess I will still need to run a separate always-SSL/TLS submission
port (e.g. 587).  I can easily restrict which ports can be reached by which
address ranges on the firewall.  But I can't (on the firewall) force use of
STARTTLS (which http://wiki.dovecot.org/SSL seems to be encouraging the use
of).

At least with IMAP and POP I can just use the one port (each ... 143 and
110) and force STARTTLS on untrusted addresses.
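The check Pascal did by hand (connect, EHLO, see whether AUTH is advertised before STARTTLS) is the one worth automating when you decide which ports to expose. The script below is an added example for this thread, not code from Postfix or Dovecot: it parses an EHLO reply, reports which SASL mechanisms are offered on the cleartext channel, and if STARTTLS is available negotiates it and re-EHLOs to compare. The host and port on the command line are hypothetical, and the two sample EHLO replies are constructed so the parser can be exercised offline.

```python
"""Probe whether an SMTP submission service advertises AUTH before STARTTLS.

Added example for this thread, not code from Postfix or Dovecot. The
hypothetical host/port come from the command line; the sample EHLO
replies below are constructed for offline use.
"""
import smtplib
import ssl
import sys

# Constructed EHLO replies, in the shape smtplib.SMTP.ehlo() returns them:
# the server greeting first, then one extension per line, "250-" stripped.
# This one is the situation Pascal reported: AUTH offered on cleartext.
EHLO_PLAINTEXT_AUTH = """mail.example.org
PIPELINING
SIZE 10240000
STARTTLS
AUTH DIGEST-MD5 CRAM-MD5
8BITMIME"""

# Constructed reply from a server that withholds AUTH until after STARTTLS.
EHLO_TLS_ONLY = """mail.example.org
PIPELINING
SIZE 10240000
STARTTLS
8BITMIME"""


def parse_ehlo(reply):
    """Map an EHLO reply body to {EXTENSION: [parameters]}.

    Accepts either smtplib's decoded reply or raw wire lines still carrying
    the "250-" / "250 " prefix. The first line is the greeting, not an
    extension, and is skipped. The legacy "AUTH=PLAIN LOGIN" spelling is
    folded into AUTH.
    """
    extensions = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:
        if ln[:3] == "250" and len(ln) > 3 and ln[3] in "- ":
            ln = ln[4:]
        parts = ln.split()
        if not parts:
            continue
        name = parts[0].upper()
        params = parts[1:]
        if name.startswith("AUTH="):
            params = [name[5:]] + params
            name = "AUTH"
        extensions[name] = params
    return extensions


def auth_mechanisms(reply):
    """SASL mechanisms advertised in this EHLO reply ([] if AUTH is absent)."""
    return parse_ehlo(reply).get("AUTH", [])


def plaintext_auth_offered(reply):
    """True if a pre-STARTTLS EHLO reply advertises AUTH at all."""
    return "AUTH" in parse_ehlo(reply)


def probe(host, port=587, timeout=10):
    """Connect, EHLO, then STARTTLS and EHLO again; report AUTH before/after."""
    report = {"auth_before_tls": [], "starttls": False, "auth_after_tls": []}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError("EHLO rejected: %d %r" % (code, msg))
        before = msg.decode("utf-8", "replace")
        report["auth_before_tls"] = auth_mechanisms(before)
        if "STARTTLS" in parse_ehlo(before):
            smtp.starttls(context=ssl.create_default_context())
            report["starttls"] = True
            code, msg = smtp.ehlo()
            after = msg.decode("utf-8", "replace")
            report["auth_after_tls"] = auth_mechanisms(after)
    return report


if __name__ == "__main__":
    # Hypothetical target; pass host and port on the command line.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    result = probe(target_host, target_port)
    print("AUTH before STARTTLS:", result["auth_before_tls"] or "none")
    print("STARTTLS negotiated: ", result["starttls"])
    print("AUTH after STARTTLS: ", result["auth_after_tls"] or "none")
    if result["auth_before_tls"]:
        print("WARNING: server accepts authentication on the cleartext channel")
```

On the Postfix side, `smtpd_tls_auth_only = yes` makes AUTH appear only after STARTTLS, which is the case the first sample models; that setting is global, so it does not give the per-remote-network granularity Phil asked about, and since (as Pascal observed) Postfix does not hand the client address to Dovecot, that granularity still has to come from Postfix itself or the firewall.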
