We have a requirement to provide SSL on some IP addresses on our servers, but not on others.
Providing SSL is the easy part, and we're able to use multiple SSL certificates now. (Thanks, Timo!)
All is working OK, but we have several IP hosts that do not require SSL and do not have valid certificates.
While we can limit access via a firewall ACL to the TLS connect ports (993/995), we can't do so on ports 110/143. The problem is that some clients now are smart enough to look for an offered STARTTLS or STLS, and if it's offered, they try to use it. While this is not normally a problem if you're set up for SSL with a valid key/cert, if you have a self-signed cert or no cert at all, it starts producing connection warnings and errors on the client side.
So is there any way to turn off advertising of TLS on a port, or turn it off/on per IP?
Something like:
ssl = yes
ssl_cert =

local 10.1.1.1 {
  protocol imap {
    ssl_cert =
  }
}

local 10.1.1.2 {
  ssl = no
}

*or*

ssl = no

local 10.1.1.1 {
  ssl = yes
  protocol imap {
    ssl_cert =
  }
}
--
Robert Blayzor
INOC, LLC
rblayzor@inoc.net
http://www.inoc.net/~rblayzor/
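Whatever per-IP configuration ends up being used, the thing worth verifying afterwards is exactly what the post describes: whether each listener still advertises STARTTLS (IMAP CAPABILITY) or STLS (POP3 CAPA) to a plaintext client, since that advertisement is what triggers the client-side TLS attempt and the certificate warnings. The following checker is an added example, not code from the original post or from Dovecot; the sample replies are constructed in Dovecot's style, and the IP 10.1.1.2 in the usage comment is taken from the post's hypothetical config.

```python
"""Probe IMAP/POP3 listeners for advertised STARTTLS/STLS.

Added example, not part of the original mailing-list post. Dovecot
advertises STARTTLS in the IMAP CAPABILITY list and STLS in the POP3
CAPA reply; a client that sees either will try to negotiate TLS, which
is exactly what the post wants to avoid on IPs with no valid cert.
The parsers operate on response text so they can be tested offline;
probe_listener() runs the same check against a live host:port.
"""
import re
import socket

# Constructed sample replies in Dovecot's style (not captured from a real server).
IMAP_WITH_TLS = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                 "STARTTLS LOGINDISABLED] Dovecot ready.\n")
IMAP_WITHOUT_TLS = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                    "AUTH=PLAIN] Dovecot ready.\n")
POP3_WITH_STLS = "+OK\nCAPA\nTOP\nUIDL\nRESP-CODES\nPIPELINING\nSTLS\nUSER\nSASL PLAIN\n.\n"
POP3_WITHOUT_STLS = "+OK\nCAPA\nTOP\nUIDL\nRESP-CODES\nPIPELINING\nUSER\nSASL PLAIN\n.\n"


def imap_capabilities(text):
    """Return the set of upper-cased IMAP capability tokens found in either
    a '* OK [CAPABILITY ...]' greeting or an untagged '* CAPABILITY ...' reply."""
    caps = set()
    for line in text.splitlines():
        m = (re.match(r"\*\s+OK\s+\[CAPABILITY\s+([^\]]*)\]", line, re.I)
             or re.match(r"\*\s+CAPABILITY\s+(.*)$", line, re.I))
        if m:
            caps.update(tok.upper() for tok in m.group(1).split())
    return caps


def imap_advertises_starttls(text):
    return "STARTTLS" in imap_capabilities(text)


def imap_plaintext_login_disabled(text):
    """LOGINDISABLED means the server refuses LOGIN until TLS is up, so a
    client on a listener with a bad cert cannot fall back to plaintext."""
    return "LOGINDISABLED" in imap_capabilities(text)


def pop3_capabilities(text):
    """Parse a POP3 CAPA reply ('+OK', one capability per line, '.' terminator)
    and return the set of upper-cased capability names. '-ERR' yields an empty set."""
    caps = set()
    lines = text.splitlines()
    if not lines or not lines[0].upper().startswith("+OK"):
        return caps
    for line in lines[1:]:
        if line == ".":
            break
        if line.startswith(".."):      # byte-stuffed leading dot (RFC 1939)
            line = line[1:]
        if line.strip():
            caps.add(line.split()[0].upper())
    return caps


def pop3_advertises_stls(text):
    return "STLS" in pop3_capabilities(text)


def _read_until(reader, done):
    """Read CRLF-terminated lines from a socket file until done(line) is true."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            break
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if done(line):
            break
    return lines


def probe_listener(host, port, proto, timeout=5.0):
    """Connect to host:port, request capabilities and return
    (advertises_tls, raw_lines). proto is 'imap' or 'pop3'."""
    if proto not in ("imap", "pop3"):
        raise ValueError("proto must be 'imap' or 'pop3'")
    with socket.create_connection((host, port), timeout=timeout) as s:
        reader = s.makefile("rb")
        if proto == "imap":
            greeting = _read_until(reader, lambda l: l.startswith("* "))
            s.sendall(b"a1 CAPABILITY\r\n")
            reply = _read_until(reader, lambda l: l.startswith("a1 "))
            s.sendall(b"a2 LOGOUT\r\n")
            # STARTTLS may appear in the greeting, the CAPABILITY reply, or both.
            return imap_advertises_starttls("\n".join(greeting + reply)), greeting + reply
        greeting = _read_until(reader, lambda l: l.startswith(("+OK", "-ERR")))
        s.sendall(b"CAPA\r\n")
        reply = _read_until(reader, lambda l: l == "." or l.startswith("-ERR"))
        s.sendall(b"QUIT\r\n")
        return pop3_advertises_stls("\n".join(reply)), greeting + reply


if __name__ == "__main__":
    # Offline demo on the constructed samples; for a live check call e.g.
    # probe_listener("10.1.1.2", 143, "imap") for each IP and port you care about.
    for name, text, fn in (
        ("IMAP with STARTTLS", IMAP_WITH_TLS, imap_advertises_starttls),
        ("IMAP without STARTTLS", IMAP_WITHOUT_TLS, imap_advertises_starttls),
        ("POP3 with STLS", POP3_WITH_STLS, pop3_advertises_stls),
        ("POP3 without STLS", POP3_WITHOUT_STLS, pop3_advertises_stls),
    ):
        print(f"{name}: advertised={fn(text)}")
```

Run it against every IP on ports 143 and 110 after changing the config: a listener that should be plaintext-only must report `advertised=False` for both. The LOGINDISABLED check is the second thing to look at on IMAP, because a listener that advertises STARTTLS together with LOGINDISABLED leaves a client with a rejected certificate no way to log in at all.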