controlling STARTTLS by IP address
Michael Fox
news at mefox.org
Fri Jul 15 08:13:41 UTC 2016
> -----Original Message-----
> From: dovecot [mailto:dovecot-bounces at dovecot.org] On Behalf Of Jochen
> Bern
> Sent: Friday, July 15, 2016 12:46 AM
> To: dovecot at dovecot.org
> Subject: Re: RE: controlling STARTTLS by IP address
>
> On 07/14/2016 11:52 PM, Michael Fox wrote:
> >> Seems like your firewall could redirect to a different port that doesn't
> >> offer starttls.
> > Yes, of course. But that would require multiple ports, making the client
> > configuration cumbersome and error-prone.
>
> No, the multiple ports would be on the *server* side, and "the firewall"
> (which could be iptables on the server itself) would DNAT the ever-same
> *client* side ports based on the clients' IPs.
>
> Speaking of simplifying client configuration: Please note that STARTTLS
> and "must be plaintext" aren't mutually exclusive:
>
> $ openssl ciphers 'NULL:eNULL:!ECDH:!DH'
> NULL-SHA256:NULL-SHA:NULL-MD5
>
> https://www.openssl.org/docs/manmaster/apps/ciphers.html#EXAMPLES
>
> If you can get dovecot to use a different "ssl_cipher_list" per client
> subnet, instead of changing "ssl", you could keep all clients that
> support those ciphers configured so as to *require* STARTTLS.
>
> Regards,
>
> Jochen Bern
> Systems Engineer
Hmmm. Interesting. I hadn't thought along those lines. Something to
investigate.
Michael
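Added example, not part of this thread: a small Python helper that emits the iptables rules for the DNAT-by-client-IP approach described above and answers which path a given client takes. The plaintext-only subnets and port 1143 for the second Dovecot listener (the one that does not offer STARTTLS) are constructed assumptions.

```python
"""Rules for steering chosen client subnets to a no-STARTTLS IMAP listener.

Constructed example: clients in PLAINTEXT_SUBNETS have their connections
to the usual IMAP port redirected (a local DNAT) to a second Dovecot
listener on PLAIN_PORT.  Every other client keeps the STARTTLS-capable
listener.  The second listener must also be shielded from direct
connections, otherwise any client could connect to PLAIN_PORT and skip
STARTTLS entirely; filter_rules() takes care of that.
"""
import ipaddress

IMAP_PORT = 143        # the one port every client is configured with
PLAIN_PORT = 1143      # assumed second listener without STARTTLS
PLAINTEXT_SUBNETS = ["10.20.0.0/16", "192.168.5.0/24"]   # constructed


def nat_rules(subnets, imap_port=IMAP_PORT, plain_port=PLAIN_PORT):
    """nat-table PREROUTING rules: redirect only the listed client subnets."""
    rules = []
    for net in subnets:
        net = ipaddress.ip_network(net, strict=True)  # rejects host bits set
        rules.append(
            f"iptables -t nat -A PREROUTING -p tcp -s {net} --dport {imap_port} "
            f"-j REDIRECT --to-ports {plain_port}"
        )
    return rules


def filter_rules(subnets, plain_port=PLAIN_PORT):
    """INPUT rules: plaintext listener reachable only by the same subnets."""
    rules = [
        f"iptables -A INPUT -p tcp -s {ipaddress.ip_network(n, strict=True)} "
        f"--dport {plain_port} -j ACCEPT"
        for n in subnets
    ]
    # Catch-all last: direct connections from anyone else are dropped.
    rules.append(f"iptables -A INPUT -p tcp --dport {plain_port} -j DROP")
    return rules


def client_gets_starttls(client_ip, subnets):
    """Policy check: True if this client still lands on the STARTTLS listener."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(n, strict=True) for n in subnets)


if __name__ == "__main__":
    for rule in nat_rules(PLAINTEXT_SUBNETS) + filter_rules(PLAINTEXT_SUBNETS):
        print(rule)
```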