Sam Varshavchik wrote on 04.04.2013 2:47:
> Alexei Batyr writes:
>
>> Sam Varshavchik wrote on 02.04.2013 3:17:
>>> Alexei Yu. Batyr' writes:
>>>
>>>> Sam Varshavchik wrote on 31.03.2013 8:02:
>>>>> ...
>>>>> * Changed error handling when sending mail to mail servers that
>>>>> advertise that they can support encrypted SMTP, but fail to open an
>>>>> encrypted connection once Courier takes up their offer. Removed the
>>>>> /SECURITY=NONE option from esmtproutes. When sending mail to a server
>>>>> that advertises STARTTLS, but either subsequently rejects the STARTTLS
>>>>> request with an error message, or by dropping the connection, the mail
>>>>> is requeued, and the server's name is logged. Subsequent connection
>>>>> attempts to the same server, to resend this message or send any other
>>>>> message, will ignore the server's STARTTLS capability. This is logged
>>>>> in a rotating log file, that's erased after 2-4 hours, at which time
>>>>> the next connection attempt will once again attempt to use STARTTLS,
>>>>> and see what happens.
>>>>>
>>>>> * /SECURITY=REQUIRED replaces /SECURITY=NONE. If set, in esmtproutes,
>>>>> mail will not be sent to this mail server, without STARTTLS. Note,
>>>>> though, that this doesn't mean much, unless ESMTP_TLS_VERIFY_DOMAIN is
>>>>> set to 1 in courierd (together with the additional variables that are
>>>>> documented there), which will require remote mail servers to use valid
>>>>> certificates signed by a trusted CA root.
>>>>>
>>>> So, from this version on, I cannot maintain my STARTTLS-free SMTP
>>>> infrastructure (only explicit SSL on dedicated port). Would it be
>>>> possible to add some configure script parameter, e.g.
>>>> --smtp-starttls-disable, which will act as ": /SECURITY=NONE" in
>>>> esmtproutes and remove STARTTLS advertising from ESMTP greeting
>>>> (250-XSECURITY=NONE instead of 250-XSECURITY=NONE,STARTTLS)? Or at least
>>>> leave /SECURITY=NONE as it was?
>>>
>>> Not exactly sure what you're looking for, but to disable TLS
>>> completely, you just need to remove the couriertls binary. This will
>>> prevent Courier from sending mail using STARTTLS, without having to
>>> diddle with esmtproutes, and will prevent Courier's esmtpd server from
>>> advertising STARTTLS. This is true now.
>>
>> Removing couriertls will also disable STARTTLS for IMAP and POP, won't
>> it? I'd like to do it only for SMTP service.
>
> Try removing the COURIERTLS setting only from the courierd
> configuration file. That should disable TLS for outgoing mail.
>
> For incoming mail, remove the COURIERTLS setting from the esmtpd and
> esmtpd-ssl configuration files.
>
> And the best part of this – you can change your mind at any time,
> without recompiling.
>
> But, I don't really see the point to this. The latest approach should
> be far more tolerant of problems with bad servers choking on TLS; and
> there's no downside to using encryption, these days. Modern hardware
> is fast enough, the limiting factor is usually bandwidth.

Probably you're right - it's time to rethink the configuration built many years ago, IIRC exactly to avoid headaches with misconfigured Exchange servers and at the same time reduce the load on the ancient hardware.
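Added illustration, not Courier's code and not part of the thread: a small Python model of the STARTTLS fallback policy described in the quoted changelog (try STARTTLS when offered, requeue and remember the server when it fails, ignore its STARTTLS for a while, and never send in clear on a /SECURITY=REQUIRED route). The 2-hour expiry is the lower bound of the "2-4 hours" window in the text; the class and function names and the EHLO sample are invented here.

```python
# Illustrative model of the STARTTLS fallback policy described in the thread.
# Not Courier's implementation; the names below are invented for this example.
import re

FAILURE_TTL_SECONDS = 2 * 3600  # lower bound of the "2-4 hours" log rotation

def parse_ehlo(lines):
    """Return the set of capability keywords from the 250-/250 EHLO reply lines."""
    caps = set()
    for line in lines:
        m = re.match(r"^250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps

class StarttlsFailureLog:
    """In-memory stand-in for the rotating log of servers whose STARTTLS failed."""
    def __init__(self):
        self._failed_at = {}  # host -> time of the last failed STARTTLS attempt

    def record_failure(self, host, now):
        self._failed_at[host] = now

    def recently_failed(self, host, now):
        t = self._failed_at.get(host)
        if t is None:
            return False
        if now - t >= FAILURE_TTL_SECONDS:  # entry expired: STARTTLS is tried again
            del self._failed_at[host]
            return False
        return True

def plan_delivery(host, ehlo_lines, security, log, now):
    """Decide 'starttls', 'plaintext' or 'defer'; security is the route's esmtproutes setting (None or "REQUIRED")."""
    offers_tls = "STARTTLS" in parse_ehlo(ehlo_lines)
    if offers_tls and not log.recently_failed(host, now):
        return "starttls"
    # No usable STARTTLS: a REQUIRED route keeps the mail queued rather than send in clear.
    return "defer" if security == "REQUIRED" else "plaintext"

def on_starttls_failed(host, log, now):
    """Server rejected STARTTLS or dropped the connection: log it, requeue the mail."""
    log.record_failure(host, now)
    return "requeue"

SAMPLE_EHLO = [  # constructed EHLO reply for the example, not a real server
    "250-mail.example.test",
    "250-STARTTLS",
    "250 HELP",
]
```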
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
