controlling STARTTLS by IP address
M. Balridge
dovecot at r.paypc.com
Thu Jul 14 23:07:53 UTC 2016
Quoting Michael Fox <news at mefox.org>:
> > Seems like your firewall could redirect to a different port that doesn't
> > offer starttls.
>
> Yes, of course. But that would require multiple ports, making the client
> configuration cumbersome and error-prone.
It looks like there's an internal Dovecot solution, so all's well.
I just thought to remind people that with some firewalls, there's always a way
to perform "silent" redirections using the DNAT target in the PREROUTING
table, i.e.,:
-t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110 \
--syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}
If you're using a Linux iptables firewall, you wouldn't need to expose the
different port to the client, but would make use of the NAT subsystem to
redirect the connection from certain IP#s->POP3 to the service port where
you've denied TLS.
No client would need to be made aware of the "secret" ${NOTLSPOP3PORT}, and in
fact, the firewall would continue to DROP packets sent to it from elsewhere if
you have a default-deny policy in effect.
=R=
More information about the dovecot
mailing list