Quoting Michael Fox <news@mefox.org>:

> Seems like your firewall could redirect to a different port that doesn't offer starttls.
Yes, of course. But that would require multiple ports, making the client configuration cumbersome and error-prone.
It looks like there's an internal Dovecot solution, so all's well.
I just thought to remind people that with some firewalls, there's always a way to perform "silent" redirections using the DNAT target in the PREROUTING table, i.e.:

iptables -t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110 \
    --syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}
If you're using a Linux iptables firewall, you wouldn't need to expose the different port to the client, but would make use of the NAT subsystem to redirect the connection from certain IP#s->POP3 to the service port where you've denied TLS.
No client would need to be made aware of the "secret" ${NOTLSPOP3PORT}, and in fact, the firewall would continue to DROP packets sent to it from elsewhere if you have a default-deny policy in effect.
=R=
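The DNAT rule above only rewrites the destination; under a default-deny FORWARD policy the rewritten packets still have to be explicitly allowed through, and the no-TLS listener port should stay closed to everyone else. The script below is an added example (not from the mail or from Dovecot) that puts the three pieces together. The variable names follow the mail; their default values, the interface name and the port 1110 are constructed placeholders, and the script prints the rules instead of installing them unless IPT=iptables is set in the environment.

```shell
#!/bin/sh
# Added example: complete iptables rule set for a "silent" POP3 downgrade
# that applies only to the listed legacy sources. Values are placeholders.
EXTIF="${EXTIF:-eth0}"                            # placeholder: external interface
DOVECOT="${DOVECOT:-192.0.2.10}"                  # placeholder: internal Dovecot host
NOTLSSOURCES="${NOTLSSOURCES:-198.51.100.0/24}"   # placeholder: clients that cannot do STARTTLS
NOTLSPOP3PORT="${NOTLSPOP3PORT:-1110}"            # placeholder: Dovecot listener with TLS disabled
# Dry run by default; set IPT=iptables (as root) to really install the rules.
IPT="${IPT:-echo iptables}"

install_rules() {
    # 1. Rewrite port 110 to the no-TLS listener, but only for the listed
    #    sources and only on the first packet of a connection (--syn).
    $IPT -t nat -A PREROUTING -i "$EXTIF" -s "$NOTLSSOURCES" -p tcp --dport 110 \
        --syn -j DNAT --to-destination "$DOVECOT:$NOTLSPOP3PORT"
    # 2. DNAT alone is not enough with a default-deny FORWARD chain: the
    #    rewritten connection still needs an explicit ACCEPT.
    $IPT -A FORWARD -i "$EXTIF" -s "$NOTLSSOURCES" -d "$DOVECOT" -p tcp \
        --dport "$NOTLSPOP3PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # 3. Nobody else ever reaches the "secret" port. Redundant under a
    #    default DROP policy, but it makes the intent visible in the ruleset.
    $IPT -A FORWARD -i "$EXTIF" -d "$DOVECOT" -p tcp --dport "$NOTLSPOP3PORT" -j DROP
}

# Sanity check on the dry-run output: the DNAT rule must point at the
# no-TLS listener and must carry the source restriction, and the ACCEPT
# rule must exist. Returns 0 when all checks pass.
check_rules() {
    out=$(install_rules)
    printf '%s\n' "$out" | grep -q -- "-j DNAT --to-destination $DOVECOT:$NOTLSPOP3PORT" || return 1
    printf '%s\n' "$out" | grep -- '-j DNAT' | grep -q -- "-s $NOTLSSOURCES" || return 1
    printf '%s\n' "$out" | grep -q -- "-A FORWARD .* -j ACCEPT" || return 1
    return 0
}

install_rules
```

The source restriction on the DNAT rule is what keeps this a targeted exception rather than a blanket downgrade; after installing, `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n` show whether the three rules landed in the intended order.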