[Dovecot] Selective TLS per local IP
We have the requirement to provide SSL on some IP addresses, but not others on our servers.
Providing SSL is the easy part and we're able to use multiple SSL certificates now. (thanks Timo!)
All is working OK, but we have several IP hosts that do not require SSL and do not have valid certificates.
While we can limit access via a firewall ACL to the TLS connect ports (993/995), we can't do so on ports 110/143. The problem is that some clients now are smart enough to look for an offered STARTTLS or STLS, and if it's offered, they try to use it. While not normally a problem if you're set up for SSL with valid key/certs, if you have a self-signed or no cert at all, it starts connection warnings and errors on the client side.
So is there any way possible to turn off advertising of TLS on a port, or turn it off/on per IP?
Something like:
ssl = yes
ssl_cert =
local 10.1.1.1 { protocol imap { ssl_cert =
local 10.1.1.2 { ssl = no }
*or*
ssl = no
local 10.1.1.1 { ssl = yes protocol imap { ssl_cert =
-- Robert Blayzor INOC, LLC rblayzor@inoc.net http://www.inoc.net/~rblayzor/
On 17.7.2012, at 1.35, Robert Blayzor wrote:
So is there any way possible to turn off advertising of TLS on a port, or turn it off/on per IP?
Something like:
If those work, then yes. If they don't, then no. I'd think they would work.
ssl = yes
ssl_cert =
local 10.1.1.1 { protocol imap { ssl_cert =
local 10.1.1.2 { ssl = no }
*or*
ssl = no
local 10.1.1.1 { ssl = yes protocol imap { ssl_cert =
-- Robert Blayzor INOC, LLC rblayzor@inoc.net http://www.inoc.net/~rblayzor/
On Jul 17, 2012, at 6:59 AM, Timo Sirainen wrote:
On 17.7.2012, at 1.35, Robert Blayzor wrote:
So is there any way possible to turn off advertising of TLS on a port, or turn it off/on per IP?
Something like:
If those work, then yes. If they don't, then no. I'd think they would work.
No, they do not. It would be nice if they did. Or at least some way to disable TLS offering/advertisement if disabling the SSL socket is not possible.
-- Robert Blayzor INOC, LLC rblayzor@inoc.net http://www.inoc.net/~rblayzor/
On 17.7.2012, at 15.20, Robert Blayzor wrote:
On Jul 17, 2012, at 6:59 AM, Timo Sirainen wrote:
On 17.7.2012, at 1.35, Robert Blayzor wrote:
So is there any way possible to turn off advertising of TLS on a port, or turn it off/on per IP?
Something like:
If those work, then yes. If they don't, then no. I'd think they would work.
No, they do not. It would be nice if they did. Or at least some way to disable TLS offering/advertisement if disabling the SSL socket is not possible.
On Jul 17, 2012, at 8:28 AM, Timo Sirainen wrote:
No, they do not. It would be nice if they did. Or at least some way to disable TLS offering/advertisement if disabling the SSL socket is not possible.
Works perfectly, thanks!
-- Robert Blayzor INOC, LLC rblayzor@inoc.net http://www.inoc.net/~rblayzor/
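Since the whole point of the thread is whether a given listener still advertises STARTTLS/STLS, a way to verify the end state per IP after the config change (an added check, not from the thread or from Dovecot; it assumes the standard IMAP greeting and POP3 CAPA formats and uses Python's stdlib imaplib/poplib for the live probes):

```python
"""Check which IMAP/POP3 listeners advertise a TLS upgrade (STARTTLS / STLS).
Added verification helper, not part of the thread or of Dovecot: after giving
some local IPs ssl = no, run the probes against each IP's port 143/110."""
import imaplib
import poplib
import re

def imap_greeting_offers_starttls(greeting: str) -> bool:
    """Parse '* OK [CAPABILITY IMAP4rev1 ... STARTTLS ...] Dovecot ready.'
    (Dovecot lists capabilities in the greeting) and report STARTTLS."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting, re.IGNORECASE)
    caps = m.group(1).split() if m else []
    return any(c.upper() == "STARTTLS" for c in caps)

def pop3_capa_offers_stls(capa_reply: str) -> bool:
    """Parse a raw CAPA reply ('+OK', one capability per line, lone '.' at
    the end) and report STLS. A '-ERR' reply means no CAPA, hence no STLS."""
    lines = [ln.strip() for ln in capa_reply.splitlines()]
    if not lines or not lines[0].upper().startswith("+OK"):
        return False
    for line in lines[1:]:
        if line == ".":
            break
        if line and line.split()[0].upper() == "STLS":
            return True
    return False

def probe_imap(host: str, port: int = 143) -> bool:
    """Live plaintext check: imaplib fetches the CAPABILITY list on connect."""
    conn = imaplib.IMAP4(host, port)
    try:
        return b"STARTTLS" in conn.capabilities
    finally:
        conn.logout()

def probe_pop3(host: str, port: int = 110) -> bool:
    """Live plaintext check: poplib's capa() returns the CAPA list as a dict."""
    conn = poplib.POP3(host, port)
    try:
        return "STLS" in conn.capa()
    except poplib.error_proto:  # -ERR to CAPA: nothing advertised
        return False
    finally:
        conn.quit()

# Constructed sample responses (not captured from any real server).
IMAP_WITH_TLS = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                 "ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.")
IMAP_NO_TLS = "* OK [CAPABILITY IMAP4rev1 LITERAL+ IDLE AUTH=PLAIN] Dovecot ready."
POP3_WITH_TLS = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nPIPELINING\r\nSTLS\r\nUSER\r\n.\r\n"
POP3_NO_TLS = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nPIPELINING\r\nUSER\r\n.\r\n"
```

Run probe_imap/probe_pop3 against each local IP: the ones meant to be SSL-free should come back False on 143/110, the ones with valid certificates True.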