[Dovecot] Selective TLS per local IP

Robert Blayzor rblayzor.bulk at inoc.net
Tue Jul 17 01:35:06 EEST 2012


We have the requirement to provide SSL on some IP addresses, but not others on our servers.

Providing SSL is the easy part and we're able to use multiple SSL certificates now.  (thanks Timo!)

All is working ok, but we have several IP hosts that do not require SSL and do not have valid certificates.

While we can limit access via a firewall ACL to TLS connect ports (993/995) we can't do so on port 110/143.  The problem is that some clients now are smart enough to look for an offered STARTTLS or STLS, and if it's offered, they try to use it.  While not normally a problem if you're set up for SSL with valid key/certs, if you have a self-signed or no CERT at all, it starts connection warnings and errors on the client side.

So is there any way possible to turn off advertising of TLS on a port or turn it off/on per IP?


Something like:

ssl = yes
ssl_cert = </etc/ssl/cert/default.pem
ssl_key  = </etc/ssl/cert/default.pem

local 10.1.1.1 {
  protocol imap {
    ssl_cert = </etc/ssl/cert/site1.pem
    ssl_key  = </etc/ssl/cert/site1.pem
  }
  protocol pop3 {
    ssl_cert = </etc/ssl/cert/site1.pem
    ssl_key  = </etc/ssl/cert/site1.pem
  }
}

local 10.1.1.2 {
  ssl = no
}



*or*

ssl = no

local 10.1.1.1 {
  ssl = yes
  protocol imap {
    ssl_cert = </etc/ssl/cert/site1.pem
    ssl_key  = </etc/ssl/cert/site1.pem
  }
  protocol pop3 {
    ssl_cert = </etc/ssl/cert/site1.pem
    ssl_key  = </etc/ssl/cert/site1.pem
  }
}


-- 
Robert Blayzor
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/
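One way to verify what each local IP actually advertises once a per-IP setup like the one above is in place, as an added example that is not part of the original post or of Dovecot itself: a small Python checker that connects in cleartext to 143/110 the way the clients described above do, asks for capabilities, and reports whether STARTTLS/STLS is offered, so the observed state can be compared against the intended per-IP policy. The host addresses, ports and the sample server responses are placeholders constructed for this example.

```python
import re
import socket
import sys

# Constructed sample responses in Dovecot's style (not captured from real servers).
IMAP_GREETING_TLS = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                     "STARTTLS AUTH=PLAIN] Dovecot ready.\r\n")
IMAP_GREETING_NO_TLS = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                        "AUTH=PLAIN] Dovecot ready.\r\n")
POP3_CAPA_STLS = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nPIPELINING\r\nSTLS\r\nUSER\r\n.\r\n"
POP3_CAPA_NO_STLS = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nPIPELINING\r\nUSER\r\n.\r\n"


def advertises_tls(protocol, response):
    """True if the cleartext banner/capability text offers STARTTLS (imap) or STLS (pop3)."""
    text = response.upper()
    if protocol == "imap":
        # Capabilities appear either in the greeting's [CAPABILITY ...] bracket or in
        # an untagged "* CAPABILITY ..." reply; the same pattern matches both.
        m = re.search(r"CAPABILITY ([^\]\r\n]*)", text)
        caps = set(m.group(1).split()) if m else set()
        return "STARTTLS" in caps
    if protocol == "pop3":
        # CAPA lists one capability per line; STLS is a line of its own.
        return "STLS" in [line.strip() for line in text.splitlines()]
    raise ValueError("protocol must be 'imap' or 'pop3'")


def probe(host, port, protocol, timeout=5.0):
    """Connect in cleartext, ask for capabilities, and report whether TLS is offered."""
    cmd = b"a CAPABILITY\r\n" if protocol == "imap" else b"CAPA\r\n"
    quit_cmd = b"a LOGOUT\r\n" if protocol == "imap" else b"QUIT\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(4096)   # greeting; Dovecot's IMAP greeting already lists capabilities
        sock.sendall(cmd)
        data += sock.recv(4096)
        sock.sendall(quit_cmd)
    return advertises_tls(protocol, data.decode("ascii", "replace"))


def policy_violations(policy, observed):
    """(host, port) keys whose observed TLS advertisement (bool) differs from policy (bool)."""
    return sorted(k for k, want in policy.items() if observed.get(k) is not want)


if __name__ == "__main__":
    # Usage: python check_starttls.py 10.1.1.2 imap 143   (placeholder host/port)
    host, proto, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    print(host, port, "advertises TLS" if probe(host, port, proto) else "no TLS offered")
```

Run it against each local IP and feed the results into policy_violations() with the intended map of which IPs should offer TLS; an IP that should be SSL-free but still shows STARTTLS/STLS is exactly the case that triggers the client warnings described in the post.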