You could use something like 'stunnel' to protect arbitrary connections between 
hosts. LMTP is normally for connections between services on the same host, so 
I'm not surprised that Cyrus isn't using TLS for it.

Marty Lee
Maui Systems Ltd


> On 14 Jun 2016, at 10:16, qyb via Cyrus-devel 
> <cyrus-devel@lists.andrew.cmu.edu> wrote:
> 
> I use "lmtpd -a" to listen on a NIC interface and receive LMTP requests from a 
> remote Postfix instance. Now preauth works, but mail data was transferred 
> without encryption.
> 
> I guess the commit you mentioned disabled STARTTLS because the author thinks 
> we just need SSL to protect PLAIN password auth requests. Personally, I think 
> all mail data should be encrypted in internet transfer.
> 
>> On Tue, Jun 14, 2016 at 9:25 AM, ellie timoney via Cyrus-devel 
>> <cyrus-devel@lists.andrew.cmu.edu> wrote:
>>> On Wed, Jun 1, 2016, at 03:28 AM, qyb via Cyrus-devel wrote:
>>> I noticed that Cyrus disables TLS on preauth'd connections.
>>>  
>>> Authentication info (plain password...) needs TLS protection. And I think 
>>> that RFC822 text also needs TLS.
>>  
>> Can you expand on this a bit?
>>  
>> As far as I understand, connections are only ever preauth'd when they come 
>> in via UNIX-domain sockets, which are inherently local.  What are you trying 
>> to protect, and from whom?
>>  
>> For what it's worth, it looks like STARTTLS used to work (at least to some 
>> degree) for preauth'd LMTP, but was explicitly disabled in 2001 by this 
>> commit:
>> https://cgit.cyrus.foundation/cyrus-imapd/commit/?id=b93e6be5b19362f9e295b40ceb81b702d73de6bb
>> So I guess you might be able to re-enable it by doing the inverse of that, 
>> though I'm not really seeing the point?
> 
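
The stunnel approach suggested at the top of this message, sketched as an added example that is not from any poster in this thread or from the Cyrus project. Because `lmtpd -a` treats every connecting peer as pre-authorized, the tunnel requires a client certificate in addition to encrypting the mail data. All hostnames, addresses, ports and file paths are constructed placeholders.

```ini
; ---- stunnel.conf on the Cyrus host (server side), constructed example ----
; Assumption: lmtpd -a is rebound to loopback only (127.0.0.1:2003), so the
; only way to reach it from the network is through this tunnel.
[lmtp-in]
; public TLS endpoint (placeholder address)
accept = 192.0.2.10:2004
; local pre-authorized lmtpd
connect = 127.0.0.1:2003
cert = /etc/stunnel/cyrus-host.pem
key = /etc/stunnel/cyrus-host.key
; private CA that issued the Postfix host's certificate
CAfile = /etc/stunnel/lmtp-ca.pem
verifyChain = yes
; refuse peers that present no client certificate
requireCert = yes
; client certificate must be issued for this name
checkHost = mx.example.com

; ---- stunnel.conf on the Postfix host (client side), constructed example ----
; Assumption: Postfix delivers to this local endpoint instead of the remote
; address, e.g. a transport of lmtp:inet:127.0.0.1:2003.
[lmtp-out]
client = yes
accept = 127.0.0.1:2003
connect = cyrus.example.com:2004
; certificate presented to the Cyrus host
cert = /etc/stunnel/mx.pem
key = /etc/stunnel/mx.key
CAfile = /etc/stunnel/lmtp-ca.pem
verifyChain = yes
; server certificate must match the host we dial
checkHost = cyrus.example.com
```

Using a dedicated CA for `CAfile` keeps the set of hosts that can reach the pre-authorized listener limited to those you issued certificates to.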
