On 07/14/2016 11:52 PM, Michael Fox wrote:
>> Seems like your firewall could redirect to a different port that doesn't
>> offer starttls.
> Yes, of course.  But that would require multiple ports, making the client
> configuration cumbersome and error-prone.

No, the multiple ports would be on the *server* side, and "the firewall"
(which could be iptables on the server itself) would DNAT the ever-same
*client* side ports based on the clients' IPs.

Speaking of simplifying client configuration: Please note that STARTTLS
and "must be plaintext" aren't mutually exclusive:

$ openssl ciphers 'NULL:eNULL:!ECDH:!DH'
NULL-SHA256:NULL-SHA:NULL-MD5

https://www.openssl.org/docs/manmaster/apps/ciphers.html#EXAMPLES

If you can get dovecot to use a different "ssl_cipher_list" per client
subnet, instead of changing "ssl", you could keep all clients that
support those ciphers configured so as to *require* STARTTLS.

Regards,

Jochen Bern
Systems Engineer

-- 

LINworks GmbH

Phone:  +49 6151 9067-231
Fax:    +49 6151 9067-299
E-Mail: jochen.b...@linworks.de
Web:    http://www.LINworks.de/

NEC IT infrastructure products from the German distributor
Servers, storage, virtualization, management software
Shop: http://www.NEC-Store.de/

Postal address: Postfach 10 01 21 · 64201 Darmstadt · DE
Street address: Robert-Koch-Straße 9 · 64331 Weiterstadt · DE
Managing directors: Metin Dogan, Nils Manegold, Oliver Michel
Registered office: Weiterstadt
Register: Amtsgericht Darmstadt, HRB 85202

MAX21 group of companies
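The server-side redirection sketched in the reply above, as an added example that is not part of the original thread or of Dovecot: clients all keep the standard IMAP port in their configuration, and the server's own iptables (the "firewall" in the mail) steers connections from designated client subnets to a second listener port. The script only generates the rules and the port mapping; it does not apply anything. The plaintext listener port (1143), the client subnets and the use of REDIRECT (the in-host form of DNAT) are assumptions for illustration; the second Dovecot listener without STARTTLS is assumed to exist and is not shown here.

```python
"""Generate per-client-subnet port redirection rules (illustrative, not applied).

Every client is configured for CLIENT_PORT. On the server, nat/PREROUTING
rules redirect connections from the "plaintext" subnets to PLAINTEXT_PORT,
a hypothetical second listener that does not offer STARTTLS. A filter rule
set keeps every other client away from that port, so nobody outside the
designated subnets can bypass STARTTLS by connecting to it directly.
"""
import ipaddress
from typing import Iterable, List

CLIENT_PORT = 143        # the one port every client is configured with
PLAINTEXT_PORT = 1143    # hypothetical listener without STARTTLS (assumption)

# Constructed sample: client subnets that must stay in plaintext.
PLAINTEXT_SUBNETS = ("10.20.0.0/16", "192.0.2.0/24")


def _networks(subnets: Iterable[str]):
    """Parse subnet strings strictly so a typo like 10.20.1.0/16 is rejected."""
    return [ipaddress.ip_network(s, strict=True) for s in subnets]


def target_port(client_ip: str, plaintext_subnets: Iterable[str] = PLAINTEXT_SUBNETS) -> int:
    """Return the server port a connection from client_ip actually lands on."""
    ip = ipaddress.ip_address(client_ip)
    for net in _networks(plaintext_subnets):
        # 'in' is False across IPv4/IPv6 versions, so mixed lists are safe.
        if ip in net:
            return PLAINTEXT_PORT
    return CLIENT_PORT


def _tool(net) -> str:
    """iptables for IPv4 networks, ip6tables for IPv6 ones."""
    return "iptables" if net.version == 4 else "ip6tables"


def redirect_rules(plaintext_subnets: Iterable[str] = PLAINTEXT_SUBNETS,
                   client_port: int = CLIENT_PORT,
                   plaintext_port: int = PLAINTEXT_PORT) -> List[str]:
    """DNAT (REDIRECT) rules: same client-side port, different server port per subnet."""
    return [
        f"{_tool(n)} -t nat -A PREROUTING -s {n} -p tcp --dport {client_port} "
        f"-j REDIRECT --to-ports {plaintext_port}"
        for n in _networks(plaintext_subnets)
    ]


def guard_rules(plaintext_subnets: Iterable[str] = PLAINTEXT_SUBNETS,
                plaintext_port: int = PLAINTEXT_PORT) -> List[str]:
    """Filter rules: only the plaintext subnets may reach the STARTTLS-less port."""
    nets = _networks(plaintext_subnets)
    rules = [f"{_tool(n)} -A INPUT -s {n} -p tcp --dport {plaintext_port} -j ACCEPT"
             for n in nets]
    # One final DROP per address family actually present in the list.
    for tool in sorted({_tool(n) for n in nets}):
        rules.append(f"{tool} -A INPUT -p tcp --dport {plaintext_port} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in redirect_rules() + guard_rules():
        print(rule)
    for ip in ("10.20.5.6", "10.21.0.1", "192.0.2.77"):
        print(ip, "->", target_port(ip))
```

The guard rules are the part worth keeping in mind: a redirect alone makes the plaintext port reachable to anyone who guesses it, so the filter chain is what preserves the "require STARTTLS" posture for every client outside the designated subnets.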
