But just stripping the STARTTLS from the CAPABILITY like this:
...
(watch wrapping) should be sufficient.
Of course, if the real issue is that the users are frightened by the unsigned certificate message, he could pony up the $100 for a cert signed by a trusted authority and the clients won't even bleat...
Thanks much for the feedback John & Timo. I hope you do add ssl_disable_tls as an option in v 2.0 Timo. That'd be great.
Our users run a wide variety of clients, so it'd be difficult to confirm that we wouldn't affect someone with the TLS capability, even with a trusted authority. Changing source is an option, true. The other option is sslwrap, which we use with UofW. We could disable ssl on Dovecot and use sslwrap for 993. I just wanted to use Timo's code where possible.
Jackie
Jackie Hunt
ACNS Voice: (970) 663-3789
Colorado State University FAX: (970) 491-1958
Fort Collins, CO 80523 Email: jackie.hunt@colostate.edu