-----Original Message-----
From: dovecot [mailto:dovecot-bounces@dovecot.org] On Behalf Of Jochen Bern
Sent: Friday, July 15, 2016 12:46 AM
To: dovecot@dovecot.org
Subject: Re: RE: controlling STARTTLS by IP address
On 07/14/2016 11:52 PM, Michael Fox wrote:
>> Seems like your firewall could redirect to a different port that doesn't offer starttls.
> Yes, of course. But that would require multiple ports, making the client configuration cumbersome and error-prone.
No, the multiple ports would be on the *server* side, and "the firewall" (which could be iptables on the server itself) would DNAT the ever-same *client* side ports based on the clients' IPs.
Speaking of simplifying client configuration: Please note that STARTTLS and "must be plaintext" aren't mutually exclusive:
$ openssl ciphers 'NULL:eNULL:!ECDH:!DH'
NULL-SHA256:NULL-SHA:NULL-MD5
https://www.openssl.org/docs/manmaster/apps/ciphers.html#EXAMPLES
If you can get dovecot to use a different "ssl_cipher_list" per client subnet, instead of changing "ssl", you could keep all clients that support those ciphers configured so as to *require* STARTTLS.
Regards,
Jochen Bern
Systems Engineer
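Whichever way the split is done (a DNAT to a second server-side port, or a per-subnet cipher list), the thing worth verifying afterwards is that each client population actually sees the capability set intended for it. The following is an added example, not code from the thread or from Dovecot: it parses the capabilities a Dovecot listener announces in its greeting, decides from a client address which policy applies, and reports mismatches. The subnets in `PLAIN_SUBNETS`, the two banners, the host name `imap.example.com` and the helper names are all assumptions constructed for the example.

```python
"""Added example (not from the thread): check that an IMAP listener advertises
STARTTLS only where the per-subnet policy says it should.

Assumptions, constructed for this example: clients in PLAIN_SUBNETS are the
ones the firewall steers to a listener without STARTTLS; everyone else lands on
the normal listener and must be offered STARTTLS. The banners below are made-up
Dovecot-style greetings, not captured from a real server.
"""
import ipaddress
import re
import socket

# Constructed policy: these client networks get the listener without STARTTLS.
PLAIN_SUBNETS = ["10.1.0.0/16", "192.168.50.0/24"]

# Constructed sample banners in the shape Dovecot uses (capabilities carried in
# the greeting's response code).
TLS_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                "STARTTLS LOGINDISABLED] Dovecot ready.")
PLAIN_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                  "AUTH=PLAIN] Dovecot ready.")

_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]")


def parse_capabilities(line):
    """Return the capability names from a greeting or a '* CAPABILITY' line."""
    m = _CAP_RE.search(line)
    if m:
        return set(m.group(1).split())
    if line.upper().startswith("* CAPABILITY "):
        return set(line.split()[2:])
    return set()


def policy_for(client_ip, plain_subnets=PLAIN_SUBNETS):
    """'plaintext' for clients steered to the no-STARTTLS port, else 'starttls'."""
    ip = ipaddress.ip_address(client_ip)
    for net in plain_subnets:
        if ip in ipaddress.ip_network(net, strict=False):
            return "plaintext"
    return "starttls"


def check_listener(greeting, client_ip, plain_subnets=PLAIN_SUBNETS):
    """True when the banner a client sees matches the policy for its address:
    plaintext-only clients must not be offered STARTTLS, everyone else must be."""
    offers_starttls = "STARTTLS" in parse_capabilities(greeting)
    wants_starttls = policy_for(client_ip, plain_subnets) == "starttls"
    return offers_starttls == wants_starttls


def read_greeting(host, port, timeout=5.0):
    """Connect, read the server greeting line, and close (no login, no data)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\r\n"):
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
        return data.decode("ascii", "replace").strip()


if __name__ == "__main__":
    # Offline demonstration on the constructed banners and addresses.
    for banner, ip in ((PLAIN_GREETING, "10.1.2.3"), (TLS_GREETING, "10.1.2.3"),
                       (TLS_GREETING, "203.0.113.5")):
        state = "OK" if check_listener(banner, ip) else "MISMATCH"
        print(ip, policy_for(ip), state)
    # Live check (host is an assumed value): run it from a client inside each
    # subnet, so the firewall's DNAT decision is the thing being tested.
    # print(read_greeting("imap.example.com", 143))
```

Because the DNAT happens before Dovecot sees the connection, probing from the server itself proves nothing; the check has to originate from an address in each subnet, and the mismatch case (a plaintext-only client still being offered STARTTLS) is the one that shows a rule or listener is misplaced.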
Hmmm. Interesting. I hadn't thought along those lines. Something to investigate.
Michael