Hello!

On Tue, Mar 05, 2019 at 01:48:06PM -0600, lists--- via nginx-devel wrote:

> On 3/5/19 12:23 PM, Maxim Dounin wrote:
> > Not sure it is a good change.
>
> Thank you for your detailed reply and explanation. I agree with you on
> all facets with respect to RFC compliance. I believe the core issue at
> hand is the antiquated language in the current RFC conflicting with
> common practice -- several final destination MTAs on the public
> Internet, depending on their role/use, do require and enforce TLS
> communication only either on a per-sender, per-recipient, or per-server
> basis.

AFAIK, no public MTAs as of now require TLS for all SMTP connections.
And if you want to enforce TLS selectively, you can do so via the
auth_http script as previously suggested.

> That said your rationale for rejecting the patch is accurate and
> mirrors similar expressed in Postfix at
> www.postfix.org/postconf.5.html#smtpd_tls_security_level regarding 'encrypt'.
>
> If you find the proposed patch satisfactory from a technical aspect I
> will commit the patch locally for a specific use case which would fall
> under the category of 'dedicated servers'.

From a technical point of view I would recommend moving the check into
the ngx_mail_smtp_mail() function. Or, as already suggested, you may
want to avoid the patch altogether and use auth_http restrictions
instead.

> For your consideration, perhaps a configuration option of:
>
> starttls dedicated;
>
> With the proposed patch would meet both a use case and RFC requirement
> aspect.

This sounds confusing. If we really want all connections to be
restricted to TLS only, I would rather change "starttls only" as in
your initial suggestion.

-- 
Maxim Dounin
http://mdounin.ru/
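The selective TLS enforcement via the auth_http script that Maxim points to, as an added example that is not code from this thread or from nginx: a small auth_http responder in Python that rejects plaintext SMTP sessions for listed users, senders or recipient domains and lets everything else through. It assumes that nginx sends an "Auth-SSL: on" request header to the auth server when the client session is under TLS (as current nginx does) and that Auth-SMTP-From / Auth-SMTP-To carry the MAIL FROM / RCPT TO lines; the backend address and the policy table are constructed sample values.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values: the real MTA behind the proxy and the policy
# table deciding who must speak TLS. Everything not listed stays permissive.
BACKEND_ADDR, BACKEND_PORT = "192.0.2.25", "25"
TLS_REQUIRED_USERS = {"alice"}
TLS_REQUIRED_SENDERS = {"billing@example.net"}
TLS_REQUIRED_RCPT_DOMAINS = {"secure.example.org"}

def mailbox(value):
    """Extract the address from what nginx forwards for MAIL FROM / RCPT TO,
    accepting both "MAIL FROM:<a@b>" and a bare "a@b" (assumed formats)."""
    m = re.search(r"<([^>]*)>", value)
    addr = m.group(1) if m else value.rpartition(":")[2]
    return addr.strip().lower()

def decide(headers):
    """Map the request headers nginx sent to the auth_http response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    tls = h.get("auth-ssl", "").strip().lower() == "on"   # assumed header
    user = h.get("auth-user", "")
    sender = mailbox(h.get("auth-smtp-from", ""))
    rcpt_domain = mailbox(h.get("auth-smtp-to", "")).rpartition("@")[2]

    needs_tls = (user in TLS_REQUIRED_USERS
                 or sender in TLS_REQUIRED_SENDERS
                 or rcpt_domain in TLS_REQUIRED_RCPT_DOMAINS)
    if needs_tls and not tls:
        # Any Auth-Status other than OK makes nginx reject the session;
        # 530 5.7.0 is the SMTP reply for "Must issue a STARTTLS command first".
        return {"Auth-Status": "Must issue a STARTTLS command first",
                "Auth-Error-Code": "530 5.7.0"}
    return {"Auth-Status": "OK",
            "Auth-Server": BACKEND_ADDR, "Auth-Port": BACKEND_PORT}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        for name, value in decide(self.headers).items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    # Point nginx at it with: auth_http 127.0.0.1:9000/auth;
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```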
