On 2016.07.15. 2:07, M. Balridge wrote:
I just thought to remind people that with some firewalls, there's always a way to perform "silent" redirections using the DNAT target in the PREROUTING table, i.e.,:
-t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110
--syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}If you're using a Linux iptables firewall, you wouldn't need to expose the different port to the client, but would make use of the NAT subsystem to redirect the connection from certain IP#s->POP3 to the service port where you've denied TLS.
No client would need to be made aware of the "secret" ${NOTLSPOP3PORT}, and in fact, the firewall would continue to DROP packets sent to it from elsewhere if you have a default-deny policy in effect.
=R=
If you're just changing port, better use REDIRECT target.
-- KSb