controlling STARTTLS by IP address
Edgar Pettijohn
edgar at pettijohn-web.com
Thu Jul 14 23:44:21 UTC 2016
On 16-07-14 16:07:53, M. Balridge wrote:
> Quoting Michael Fox <news at mefox.org>:
>
> > > Seems like your firewall could redirect to a different port that doesn't
> > > offer starttls.
> >
> > Yes, of course. But that would require multiple ports, making the client
> > configuration cumbersome and error-prone.
>
> It looks like there's an internal Dovecot solution, so all's well.
>
> I just thought to remind people that with some firewalls, there's always a way
> to perform "silent" redirections using the DNAT target in the PREROUTING
> table, i.e.,:
>
> -t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110 \
> --syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}
>
That is basically what I meant without enough detail I guess.
> If you're using a Linux iptables firewall, you wouldn't need to expose the
> different port to the client, but would make use of the NAT subsystem to
> redirect the connection from certain IP#s->POP3 to the service port where
> you've denied TLS.
>
> No client would need to be made aware of the "secret" ${NOTLSPOP3PORT}, and in
> fact, the firewall would continue to DROP packets sent to it from elsewhere if
> you have a default-deny policy in effect.
>
> =R=
--
Edgar Pettijohn
More information about the dovecot
mailing list