Timo Sirainen wrote:
It'd have to remove "STARTTLS" from CAPABILITY response. No idea if it's actually capable of doing that.
No, ipchains isn't smart enough (I wasn't paying attention, DUH). It could only be done with a transparent proxy. But just stripping the STARTTLS from the CAPABILITY like this:
--- ./src/imap-login/client.c.orig 2007-01-09 15:03:49.298055528 -0500 +++ ./src/imap-login/client.c 2007-01-09 15:04:06.883739152 -0500 @@ -100,7 +100,7 @@ auths = client_authenticate_get_capabilities(client->common.secured); return t_strconcat(capability_string, (ssl_initialized && !client->common.tls) ? - " STARTTLS" : "", + "" : "", disable_plaintext_auth && !client->common.secured ? " LOGINDISABLED" : "", auths, NULL); }
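Review bot: In the `t_strconcat()` arguments, the changed line leaves a ternary whose two branches are both `""`, so `(ssl_initialized && !client->common.tls)` becomes a dead condition; drop that argument entirely rather than keep a no-op expression. The following argument still appends ` LOGINDISABLED` when `disable_plaintext_auth && !client->common.secured`, so after this change a client on an unsecured connection can be told that login is disabled while no STARTTLS is advertised as the way to fix that. The patch should either handle that combination or state that it assumes disable_plaintext_auth is off. Because the edit is hard-coded, it also hides the capability from every client; gating the ` STARTTLS` string on a setting would be easier to review and to revert.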
(watch wrapping) should be sufficient. Of course, if the real issue is that the users are frightened by the unsigned certificate message, he could pony up the $100 for a cert signed by a trusted authority and the clients won't even bleat...

John

--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748