controlling STARTTLS by IP address

Aki Tuomi aki.tuomi at dovecot.fi
Thu Jul 14 21:26:30 UTC 2016



On 15.07.2016 00:13, Edgar Pettijohn wrote:
>
> Sent from my iPhone
>
>> On Jul 14, 2016, at 3:56 PM, Michael Fox <news at mefox.org> wrote:
>>
>> On my POP3 server, I need to be able to control the use of STARTTLS by
>> client IP address.  Specifically:
>>
>> * Clients on certain internal subnets (e.g., 192.168.1.0/24) must not have
>> the option to use TLS.  If the client tries to use STARTTLS, the option
>> should be rejected.  This is to satisfy US FCC rules regarding the use of
>> encryption over certain radio frequencies.
>> * All other internal clients (e.g., 192.168.0.0/16, but not 192.168.1.0/24)
>> should be able to use STARTTLS if they choose to.
>> * All external clients (0.0.0.0/0) will be required to use TLS.
>>
>> Is there a way to control which clients are allowed to use STARTTLS
>> according to the client's IP address?
>>
>> Thanks,
>> Michael
>>
>>
>>
> Seems like your firewall could redirect to a different port that doesn't offer starttls.


You could try

remote x.x.x.x/y {
   ssl = no
}

Aki
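Expanding Aki's one-line suggestion into the three cases from Michael's question, as an added example that is not from the thread or the Dovecot project. It assumes that the most specific matching remote block takes precedence over less specific ones and that disable_plaintext_auth can also be set inside a remote block.

```conf
# Added example, not from the thread. Dovecot conf.d fragment; assumes that the
# most specific matching remote block wins and that disable_plaintext_auth may
# be set inside remote blocks.

# Default for everyone not matched below (i.e. external clients, 0.0.0.0/0):
# STARTTLS is offered and must be completed before authentication.
ssl = required

# Other internal clients (192.168.0.0/16 minus the radio subnet): TLS is
# offered but optional, so plaintext logins must remain allowed for clients
# that choose not to issue STLS.
remote 192.168.0.0/16 {
  ssl = yes
  disable_plaintext_auth = no
}

# The radio subnet: TLS must not be offered at all, so STLS is not listed in
# CAPA and is rejected if attempted. Plaintext auth has to be allowed here or
# nobody on this subnet could log in.
remote 192.168.1.0/24 {
  ssl = no
  disable_plaintext_auth = no
}
```

Confirm the merged result with `doveconf -n`, then connect from a host in each subnet and check whether `CAPA` lists `STLS` and whether `USER` is accepted before `STLS`.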

