controlling STARTTLS by IP address
KSB
listeem at ksb.id.lv
Fri Jul 15 06:57:26 UTC 2016
On 2016.07.15. 2:07, M. Balridge wrote:
>
> I just thought to remind people that with some firewalls, there's always a way
> to perform "silent" redirections using the DNAT target in the PREROUTING
> table, i.e.,:
>
> -t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110 \
> --syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}
>
> If you're using a Linux iptables firewall, you wouldn't need to expose the
> different port to the client, but would make use of the NAT subsystem to
> redirect the connection from certain IP#s->POP3 to the service port where
> you've denied TLS.
>
> No client would need to be made aware of the "secret" ${NOTLSPOP3PORT}, and in
> fact, the firewall would continue to DROP packets sent to it from elsewhere if
> you have a default-deny policy in effect.
>
> =R=
>
If you're just changing port, better use REDIRECT target.
--
KSb
More information about the dovecot
mailing list