> -----Original Message----- > From: dovecot [mailto:[email protected]] On Behalf Of Jochen > Bern > Sent: Friday, July 15, 2016 12:46 AM > To: [email protected] > Subject: Re: RE: controlling STARTTLS by IP address > > On 07/14/2016 11:52 PM, Michael Fox wrote: > >> Seems like your firewall could redirect to a different port that > doesn't > >> offer starttls. > > Yes, of course. But that would require multiple ports, making the > client > > configuration cumbersome and error-prone. > > No, the multiple ports would be on the *server* side, and "the firewall" > (which could be iptables on the server itself) would DNAT the ever-same > *client* side ports based on the clients' IPs. > > Speaking of simplifying client configuration: Please note that STARTTLS > and "must be plaintext" aren't mutually exclusive: > > $ openssl ciphers 'NULL:eNULL:!ECDH:!DH' > NULL-SHA256:NULL-SHA:NULL-MD5 > > https://www.openssl.org/docs/manmaster/apps/ciphers.html#EXAMPLES > > If you can get dovecot to use a different "ssl_cipher_list" per client > subnet, instead of changing "ssl", you could keep all clients that > support those ciphers configured so as to *require* STARTTLS. > > Regards, > > Jochen Bern > Systemingenieur
Hmmm. Interesting. I hadn't thought along those lines. Something to investigate. Michael
