controlling STARTTLS by IP address

Edgar Pettijohn edgar at pettijohn-web.com
Thu Jul 14 23:44:21 UTC 2016


On 16-07-14 16:07:53, M. Balridge wrote:
> Quoting Michael Fox <news at mefox.org>:
> 
> > > Seems like your firewall could redirect to a different port that doesn't
> > > offer starttls.
> > 
> > Yes, of course.  But that would require multiple ports, making the client
> > configuration cumbersome and error-prone.
> 
> It looks like there's an internal Dovecot solution, so all's well. 
> 
> I just thought to remind people that with some firewalls, there's always a way
> to perform "silent" redirections using the DNAT target in the PREROUTING
> table, i.e.,:
> 
> iptables -t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110 \
>  --syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}
>

That is basically what I meant, without enough detail I guess.

 
> If you're using a Linux iptables firewall, you wouldn't need to expose the
> different port to the client, but would make use of the NAT subsystem to
> redirect the connection from certain IP#s->POP3 to the service port where
> you've denied TLS.
> 
> No client would need to be made aware of the "secret" ${NOTLSPOP3PORT}, and in
> fact, the firewall would continue to DROP packets sent to it from elsewhere if
> you have a default-deny policy in effect.
> 
> =R=

-- 
Edgar Pettijohn
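A practitioner who sets up the DNAT redirect described in this thread will want to confirm its effect from both sides of the rule: a client in ${NOTLSSOURCES} should land on the Dovecot listener that does not advertise STARTTLS, while everyone else should still see it. The script below is an added example, not code from this post or from Dovecot. It opens a plaintext POP3 session, issues CAPA and reports whether the STLS capability is listed. To keep it runnable offline it also includes a constructed stand-in for the Dovecot POP3 listener that can be started with or without STLS; against a real server you would call pop3_offers_stls() with the firewall's address and port 110 instead.

```python
"""Check whether a POP3 endpoint offers STARTTLS (the STLS capability).

Added example; not from the dovecot list post or from Dovecot itself.
From a host in ${NOTLSSOURCES} the result should be False once the DNAT
redirect is in place; from any other host it should remain True.
"""
import socket
import threading


def _read_line(f):
    line = f.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    return line.rstrip(b"\r\n").decode("ascii", "replace")


def pop3_offers_stls(host, port, timeout=5.0):
    """Connect in plaintext, send CAPA and return True if STLS is listed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        greeting = _read_line(f)
        if not greeting.startswith("+OK"):
            raise RuntimeError(f"unexpected POP3 greeting: {greeting!r}")
        sock.sendall(b"CAPA\r\n")
        if not _read_line(f).startswith("+OK"):
            return False  # no CAPA support at all, so STLS cannot be offered
        caps = set()
        while True:
            line = _read_line(f)
            if line == ".":  # end of the multi-line capability list
                break
            if line:
                caps.add(line.split()[0].upper())
        sock.sendall(b"QUIT\r\n")
        return "STLS" in caps


class FakePop3Server(threading.Thread):
    """Constructed stand-in for a Dovecot POP3 listener, with or without STLS.

    Listens on an ephemeral loopback port and serves exactly one client.
    """

    def __init__(self, advertise_stls):
        super().__init__(daemon=True)
        self.advertise_stls = advertise_stls
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn:
            f = conn.makefile("rb")
            conn.sendall(b"+OK Dovecot ready.\r\n")
            while True:
                line = f.readline()
                if not line:
                    return
                cmd = line.strip().upper()
                if cmd == b"CAPA":
                    caps = [b"USER", b"PIPELINING"]
                    if self.advertise_stls:
                        caps.append(b"STLS")
                    conn.sendall(b"+OK\r\n" + b"\r\n".join(caps) + b"\r\n.\r\n")
                elif cmd == b"QUIT":
                    conn.sendall(b"+OK Logging out\r\n")
                    return
                else:
                    conn.sendall(b"-ERR Unknown command\r\n")


def demo(advertise_stls):
    """Run the check against a constructed local listener and return the result."""
    srv = FakePop3Server(advertise_stls)
    srv.start()
    try:
        return pop3_offers_stls("127.0.0.1", srv.port)
    finally:
        srv.join(timeout=5)
        srv.sock.close()


if __name__ == "__main__":
    print("listener with STLS   ->", demo(True))
    print("listener without STLS->", demo(False))
```

Run the check twice against the real firewall, once from an address inside ${NOTLSSOURCES} and once from outside, and the two answers should differ; if both report True, the DNAT rule is not matching (check the -i interface and that the rule precedes any earlier PREROUTING match). The check only inspects what the server advertises; it does not itself attempt STLS.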

