controlling STARTTLS by IP address
Jochen Bern
Jochen.Bern at LINworks.de
Fri Jul 15 07:45:58 UTC 2016
On 07/14/2016 11:52 PM, Michael Fox wrote:
>> Seems like your firewall could redirect to a different port that doesn't
>> offer starttls.
> Yes, of course. But that would require multiple ports, making the client
> configuration cumbersome and error-prone.
No, the multiple ports would be on the *server* side, and "the firewall"
(which could be iptables on the server itself) would DNAT the ever-same
*client* side ports based on the clients' IPs.
Speaking of simplifying client configuration: Please note that STARTTLS
and "must be plaintext" aren't mutually exclusive:
$ openssl ciphers 'NULL:eNULL:!ECDH:!DH'
NULL-SHA256:NULL-SHA:NULL-MD5
https://www.openssl.org/docs/manmaster/apps/ciphers.html#EXAMPLES
If you can get dovecot to use a different "ssl_cipher_list" per client
subnet, instead of changing "ssl", you could keep all clients that
support those ciphers configured so as to *require* STARTTLS.
Regards,
Jochen Bern
Systems Engineer
--
LINworks GmbH
Phone: +49 6151 9067-231
Fax: +49 6151 9067-299
E-Mail: Jochen.Bern at LINworks.de
Web: http://www.LINworks.de/
NEC IT infrastructure products from the German distributor
Servers, storage, virtualisation, management software
Shop: http://www.NEC-Store.de/
Postal address: P.O. Box 10 01 21 · 64201 Darmstadt · DE
Street address: Robert-Koch-Straße 9 · 64331 Weiterstadt · DE
Managing directors: Metin Dogan, Nils Manegold, Oliver Michel
Registered office: Weiterstadt
Commercial register: Amtsgericht Darmstadt, HRB 85202
MAX21 group of companies
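Editor's note, added to this archived thread and not part of Jochen Bern's post or of Dovecot: the script below shows the server-side port arrangement he describes, where every client keeps the same IMAP port and iptables on the server itself redirects connections from chosen client subnets to a second listener that never offers STARTTLS (REDIRECT is DNAT to the local host). The alternate listener port 10143 and the subnets are assumptions made up for the example, and how that second listener is configured is left outside it. The script also carries a small check a practitioner would want after applying such rules: a parser for an IMAP CAPABILITY response that tells whether STARTTLS is advertised, plus a probe that uses it against a live port. On the cipher-list variant from the post, keep in mind that NULL ciphers still authenticate the server and integrity-protect the session but send its contents in the clear, and that stock OpenSSL does not enable them by default, so client support has to be verified before relying on that route.

```shell
#!/bin/sh
# Added example (editor's code, not from the post or from Dovecot): generate
# per-subnet nat rules that hand selected clients to a plaintext-only IMAP
# listener while all other clients reach the STARTTLS-capable one unchanged.
# Hypothetical values: listener port 10143, and RFC 5737 sample subnets.

IMAP_PORT=143            # client-facing port, identical for every client
PLAIN_IMAP_PORT=10143    # assumed server-side listener that never offers STARTTLS
PLAINTEXT_ONLY_NETS="192.0.2.0/24 198.51.100.0/24"   # constructed sample

# Print (do not apply) one nat rule per client subnet. REDIRECT rewrites the
# destination to the local host on the given port, so the client still dials
# $IMAP_PORT while the kernel delivers the connection to $PLAIN_IMAP_PORT.
#   $1 = space-separated subnets, $2 = client-facing port, $3 = alternate port
dnat_rules() {
  nets=$1; from=$2; to=$3
  for net in $nets; do
    printf 'iptables -t nat -A PREROUTING -p tcp -s %s --dport %s -j REDIRECT --to-ports %s\n' \
      "$net" "$from" "$to"
  done
}

# Number of rules that dnat_rules would emit (one per subnet).
dnat_rule_count() {
  dnat_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Does a CAPABILITY response advertise STARTTLS?
#   $1 = raw response line, e.g. "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"
# Returns 0 when STARTTLS is listed as a whole token, 1 otherwise.
starttls_advertised() {
  case " $(printf '%s' "$1" | tr -d '\r') " in
    *" STARTTLS "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Probe a live server (not run by default): ask for CAPABILITY on the given
# port and report what it advertises. Needs nc; -w keeps it from hanging.
#   $1 = host, $2 = port
probe_starttls() {
  resp=$(printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' | nc -w 3 "$1" "$2" 2>/dev/null \
         | grep -i '^\* CAPABILITY')
  if starttls_advertised "$resp"; then
    echo "$1:$2 offers STARTTLS"
  else
    echo "$1:$2 does not offer STARTTLS"
  fi
}

# Dry run: show the rules that would be applied for the sample subnets.
dnat_rules "$PLAINTEXT_ONLY_NETS" "$IMAP_PORT" "$PLAIN_IMAP_PORT"
```

Apply the printed rules as root once they look right, then run `probe_starttls <server> 143` from an address inside one of the subnets and from one outside: the first should report no STARTTLS, the second should report it offered. Remember that the check only confirms what the listener advertises; it does not tell you whether a given client will tolerate the plaintext port.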