On 07/14/2016 11:52 PM, Michael Fox wrote:
>> Seems like your firewall could redirect to a different port that doesn't offer starttls.
> Yes, of course. But that would require multiple ports, making the client configuration cumbersome and error-prone.
No, the multiple ports would be on the *server* side, and "the firewall" (which could be iptables on the server itself) would DNAT the ever-same *client* side ports based on the clients' IPs.
Speaking of simplifying client configuration: Please note that STARTTLS and "must be plaintext" aren't mutually exclusive:
$ openssl ciphers 'NULL:eNULL:!ECDH:!DH'
NULL-SHA256:NULL-SHA:NULL-MD5
https://www.openssl.org/docs/manmaster/apps/ciphers.html#EXAMPLES
If you can get dovecot to use a different "ssl_cipher_list" per client subnet, instead of changing "ssl", you could keep all clients that support those ciphers configured so as to *require* STARTTLS.
Regards,
Jochen Bern
Systems Engineer
--
LINworks GmbH
Phone: +49 6151 9067-231
Fax: +49 6151 9067-299
E-Mail: Jochen.Bern@LINworks.de
Web: http://www.LINworks.de/

NEC IT infrastructure products from the German distributor: servers, storage, virtualization, management software
Shop: http://www.NEC-Store.de/

Postal address: Postfach 10 01 21 · 64201 Darmstadt · DE
Street address: Robert-Koch-Straße 9 · 64331 Weiterstadt · DE
Managing directors: Metin Dogan, Nils Manegold, Oliver Michel
Registered office: Weiterstadt
Register: Amtsgericht Darmstadt, HRB 85202
MAX21 corporate group
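An added example, not part of Jochen's mail and not Dovecot code: a POSIX shell check for the property the cipher string above relies on, namely that every suite the string yields has Enc=None (no confidentiality) while still carrying a MAC (integrity) and certificate authentication (Au=RSA), so a client can be told to *require* STARTTLS and still speak plaintext. The two sample lists are constructed to match the `openssl ciphers -v` output format; the function names and the file name nullcheck.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the list post. Checks whether a cipher list is
# "authenticated plaintext": every suite must have Enc=None but a MAC other
# than None. Input lines follow the `openssl ciphers -v` format.

# Constructed sample: what 'NULL:eNULL:!ECDH:!DH' typically yields on an
# OpenSSL 1.0/1.1 build that still includes the NULL suites.
SAMPLE_NULL_LIST='NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5'

# Constructed sample: a list that mixes an encrypting AEAD suite with a NULL suite.
SAMPLE_MIXED_LIST='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256'

# plaintext_only LIST
#   exit 0 when every suite in LIST has Enc=None and a MAC other than None,
#   i.e. the list gives authentication and integrity but no confidentiality;
#   exit 1 if any suite encrypts or lacks a MAC. An empty list passes vacuously.
plaintext_only() {
  printf '%s\n' "$1" | awk '
    NF == 0 { next }
    {
      enc = ""; mac = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Enc=/) enc = substr($i, 5)
        if ($i ~ /^Mac=/) mac = substr($i, 5)
      }
      if (enc != "None" || mac == "None") bad = 1
    }
    END { exit bad + 0 }'
}

# suite_count LIST: number of suites in LIST (non-blank lines)
suite_count() { printf '%s\n' "$1" | grep -c '[^[:space:]]'; }

# null_suites_from_local_openssl: the live list from this host's OpenSSL in
# the same -v format. Prints nothing when openssl is missing or the build
# has no NULL suites at all (many distro builds leave them out).
null_suites_from_local_openssl() {
  command -v openssl >/dev/null 2>&1 || return 0
  openssl ciphers -v 'NULL:eNULL:!ECDH:!DH' 2>/dev/null || true
}

# Usage when run directly as nullcheck.sh (assumed file name):
#   sh nullcheck.sh
if [ "${0##*/}" = "nullcheck.sh" ]; then
  for name in SAMPLE_NULL_LIST SAMPLE_MIXED_LIST; do
    eval "list=\$$name"
    if plaintext_only "$list"; then
      echo "$name: plaintext-only (Enc=None, MAC present)"
    else
      echo "$name: NOT plaintext-only"
    fi
  done
  live=$(null_suites_from_local_openssl)
  if [ -n "$live" ] && plaintext_only "$live"; then
    echo "local openssl: $(suite_count "$live") NULL suite(s), all Enc=None"
  else
    echo "local openssl: no usable NULL suites (or openssl not installed)"
  fi
fi
```

Two caveats worth checking before relying on this on a real server: TLS 1.3 defines no NULL cipher suites at all, so the plaintext-over-STARTTLS trick only works for TLS 1.2 and older, and many distribution builds of OpenSSL compile the NULL suites out unless built with weak ciphers enabled, which is why the script asks the local openssl rather than assuming the sample list. The Dovecot side (a different ssl_cipher_list per client subnet) is left as the open question Jochen poses and is not shown here.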