Alexei Batyr writes:

Sam Varshavchik wrote on 02.04.2013 3:17:
> Alexei Yu. Batyr' writes:
>
>> Sam Varshavchik wrote on 31.03.2013 8:02:
>>> ...
>>> * Changed error handling when sending mail to mail servers that
>>> advertise that they can support encrypted SMTP, but fail to open an
>>> encrypted connection once Courier takes up their offer. Removed the
>>> /SECURITY=NONE option from esmtproutes. When sending mail to a server
>>> that advertises STARTTLS, but either subsequently rejects the STARTTLS
>>> request with an error message, or drops the connection, the mail is
>>> requeued, and the server's name is logged. Subsequent connection
>>> attempts to the same server, to resend this message or send any other
>>> message, will ignore the server's STARTTLS capability. This is logged
>>> in a rotating log file, that's erased after 2-4 hours, at which time
>>> the next connection attempt will once again attempt to use STARTTLS,
>>> and see what happens.
>>>
>>> * /SECURITY=REQUIRED replaces /SECURITY=NONE. If set, in esmtproutes,
>>> mail will not be sent to this mail server, without STARTTLS. Note,
>>> though, that this doesn't mean much, unless ESMTP_TLS_VERIFY_DOMAIN is
>>> set to 1 in courierd (together with the additional variables that are
>>> documented there), which will require remote mail servers to use valid
>>> certificates signed by a trusted CA root.
>>>
>> So, from this version on, I cannot maintain my STARTTLS-free SMTP
>> infrastructure (only explicit SSL on a dedicated port). Would it be
>> possible to add some configure script parameter, e.g.
>> --smtp-starttls-disable, which will act as ":  /SECURITY=NONE" in
>> esmtproutes and remove STARTTLS advertising from the ESMTP greeting
>> (250-XSECURITY=NONE instead of 250-XSECURITY=NONE,STARTTLS)? Or at
>> least leave /SECURITY=NONE as it was?
>
> Not exactly sure what you're looking for, but to disable TLS
> completely, you just need to remove the couriertls binary. This will
> prevent Courier from sending mail using STARTTLS, without having to
> diddle with esmtproutes, and will prevent Courier's esmtpd server from
> advertising STARTTLS. This is true now.

Removing couriertls will also disable STARTTLS for IMAP and POP, won't
it? I'd like to do it only for SMTP service.

Try removing the COURIERTLS setting only from the courierd configuration file. That should disable TLS for outgoing mail.

For incoming mail, remove the COURIERTLS setting from the esmtpd and esmtpd-ssl configuration files.

And the best part of this – you can change your mind at any time, without recompiling.

But, I don't really see the point to this. The latest approach should be far more tolerant of problems with bad servers choking on TLS; and there's no downside to using encryption, these days. Modern hardware is fast enough, the limiting factor is usually bandwidth.

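The delivery policy described in the quoted changelog (requeue and log when an advertised STARTTLS fails, skip STARTTLS for that server for a while, and never fall back to plaintext on a /SECURITY=REQUIRED route) is easier to reason about as code. The model below is an added illustration, not Courier's own implementation: the FakeServer peer, the two-hour window and the return strings are assumptions made for the model; the 250-XSECURITY=NONE,STARTTLS capability line is the one shown earlier in the thread.

```python
"""Model of the opportunistic STARTTLS policy described in the thread.

Illustrative code, not Courier's: it models the changelog's behaviour
(requeue and log on a failed STARTTLS, ignore the server's STARTTLS
capability until the log entry expires, never send in the clear when
/SECURITY=REQUIRED is set). FakeServer, FALLBACK_TTL and the result
strings are assumptions made for this model.
"""
from dataclasses import dataclass, field

# Assumption: lower bound of the "2-4 hours" window after which STARTTLS is retried.
FALLBACK_TTL = 2 * 3600


class ConnectionDropped(Exception):
    """Peer closed the connection instead of answering STARTTLS."""


@dataclass
class FakeServer:
    """Constructed SMTP peer: advertises STARTTLS, then behaves per tls_behaviour."""
    name: str
    tls_behaviour: str                      # "ok", "reject" or "drop"
    transcript: list = field(default_factory=list)

    def ehlo(self):
        self.transcript.append("EHLO")
        # Courier-style capability line, as quoted on the page.
        return ["250-" + self.name, "250-XSECURITY=NONE,STARTTLS", "250 SIZE 10240000"]

    def starttls(self):
        self.transcript.append("STARTTLS")
        if self.tls_behaviour == "ok":
            return "220 2.0.0 Ready to start TLS"
        if self.tls_behaviour == "reject":
            return "454 4.7.0 TLS not available due to temporary reason"
        raise ConnectionDropped(self.name)

    def send_message(self, encrypted):
        self.transcript.append("MAIL encrypted=%s" % encrypted)
        return "sent-encrypted" if encrypted else "sent-plaintext"


def advertises_starttls(ehlo_lines):
    """True if the EHLO reply lists STARTTLS, either as its own keyword
    or inside Courier's XSECURITY=... parameter list."""
    for line in ehlo_lines:
        keyword = line[4:].upper()          # strip "250-" / "250 "
        if keyword == "STARTTLS":
            return True
        if keyword.startswith("XSECURITY="):
            if "STARTTLS" in keyword[len("XSECURITY="):].split(","):
                return True
    return False


@dataclass
class Policy:
    required: set = field(default_factory=set)        # servers routed with /SECURITY=REQUIRED
    no_tls_until: dict = field(default_factory=dict)  # server -> retry time (the rotating log)
    log: list = field(default_factory=list)

    def deliver(self, server, now):
        """One delivery attempt at time `now`; returns the outcome string."""
        usable = (advertises_starttls(server.ehlo())
                  and self.no_tls_until.get(server.name, 0) <= now)
        if not usable:
            # No usable STARTTLS: plaintext, unless the route forbids it.
            if server.name in self.required:
                self.log.append("%s: /SECURITY=REQUIRED and no STARTTLS, deferred" % server.name)
                return "deferred"
            return server.send_message(encrypted=False)
        try:
            reply = server.starttls()
        except ConnectionDropped:
            reply = "connection dropped"
        if reply.startswith("220"):
            return server.send_message(encrypted=True)
        # Advertised STARTTLS but could not open it: requeue, log the server,
        # and skip STARTTLS on later attempts until the entry expires.
        self.log.append("%s: STARTTLS failed (%s), requeued" % (server.name, reply))
        self.no_tls_until[server.name] = now + FALLBACK_TTL
        return "requeued"


def run_scenarios():
    """Drive the model through the cases the changelog describes."""
    policy = Policy(required={"strict.example"})
    good = FakeServer("good.example", "ok")
    flaky = FakeServer("flaky.example", "reject")
    strict = FakeServer("strict.example", "drop")
    results = {
        "good": policy.deliver(good, now=0),
        "flaky_first": policy.deliver(flaky, now=0),
        "flaky_retry": policy.deliver(flaky, now=60),
        "flaky_after_expiry": policy.deliver(flaky, now=FALLBACK_TTL + 1),
        "strict_first": policy.deliver(strict, now=0),
        "strict_retry": policy.deliver(strict, now=60),
    }
    return results, policy, {"flaky": flaky, "strict": strict}


if __name__ == "__main__":
    results, policy, _ = run_scenarios()
    for name, outcome in results.items():
        print("%-20s %s" % (name, outcome))
    print("\n".join(policy.log))
```

Two things the model makes visible. First, on a route without /SECURITY=REQUIRED the flaky server gets its mail in plaintext on the second attempt, and a peer (or an on-path attacker) that simply omits STARTTLS from the EHLO reply lands in the same branch, so opportunistic TLS alone never guarantees confidentiality. Second, "sent-encrypted" says nothing about who terminated the TLS session; that is the gap the changelog points at when it says /SECURITY=REQUIRED "doesn't mean much" unless ESMTP_TLS_VERIFY_DOMAIN=1 makes courierd insist on a valid certificate from a trusted CA.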

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users