On Fri, May 7, 2010 at 11:07, Pascal Volk <user+dovecot@localhost.localdomain.org> wrote:
> On 05/07/2010 04:35 PM Phil Howard wrote:
>> Do you know if the remote address gets passed from Postfix on to Dovecot through the authentication connection (when Dovecot is doing the authentication for Postfix mail submission) so that these same remote rules apply?
>
> Hm, doesn't look so, as if Postfix would forward this info (remote host) to Dovecot. Even when I connect from a 'disable_plaintext_auth = no network' to Postfix (2.6.5), Postfix offers:
> 250-STARTTLS
> 250-AUTH DIGEST-MD5 CRAM-MD5
>
> But the SSL/TLS state should be forwarded from Postfix to Dovecot: http://www.mail-archive.com/postfix-users@postfix.org/msg10590.html
Then I guess I will need to still run a separate always-SSL/TLS submission port (e.g. 587). I can easily restrict which ports can be reached by which address ranges on the firewall. But I can't (on the firewall) force use of STARTTLS (which http://wiki.dovecot.org/SSL seems to be encouraging the use of).
At least with IMAP and POP I can just use the one port (each ... 143 and 110) and force STARTTLS on untrusted addresses.
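Added example, not part of the original thread: a small Python check that audits a pre-STARTTLS EHLO reply, like the one quoted above, for AUTH mechanisms exposed before TLS. The function names, the `tls_only` flag and the sample replies (host `mail.example.test`) are constructed for illustration.

```python
# Audit what an SMTP server advertises in its EHLO reply *before* STARTTLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # these send the password itself (base64 only)

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    caps = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:  # the first line only carries the server name
        if not line.startswith("250") or len(line) < 4 or line[3] not in "- ":
            raise ValueError("not a 250 EHLO line: %r" % line)
        words = line[4:].split()
        if not words:
            continue
        key, params = words[0].upper(), words[1:]
        if key.startswith("AUTH="):  # legacy "AUTH=PLAIN LOGIN" form
            key, params = "AUTH", [key[5:]] + params
        caps.setdefault(key, []).extend(p.upper() for p in params if p)
    return caps

def audit_pre_tls(reply, tls_only=False):
    """List findings; tls_only=True models a port where AUTH requires TLS."""
    caps = parse_ehlo(reply)
    mechs = sorted(set(caps.get("AUTH", [])))
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    exposed = [m for m in mechs if m in PLAINTEXT_MECHS]
    if exposed:
        findings.append("plaintext AUTH before TLS: " + ", ".join(exposed))
    if tls_only and mechs:
        findings.append("AUTH offered before TLS on a TLS-only port: "
                        + ", ".join(mechs))
    return findings

# Constructed reply using the STARTTLS/AUTH lines quoted in the thread.
THREAD_STYLE = """250-mail.example.test
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5
250 8BITMIME"""

# Constructed reply from a server that exposes password-equivalent mechanisms.
WEAK = """250-mail.example.test
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    for name, reply in (("thread-style", THREAD_STYLE), ("weak", WEAK)):
        print(name, audit_pre_tls(reply), audit_pre_tls(reply, tls_only=True))
```
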