Proposed patch to enforce STARTTLS before MAIL FROM

Maxim Dounin mdounin at mdounin.ru
Thu Mar 7 17:38:01 UTC 2019


Hello!

On Tue, Mar 05, 2019 at 01:48:06PM -0600, lists--- via nginx-devel wrote:

> On 3/5/19 12:23 PM, Maxim Dounin wrote:
> > Not sure it is a good change.
> 
> Thank you for your detailed reply and explanation.  I agree with you on
> all facets with respect to RFC compliance.  I believe the core issue at
> hand is the antiquated language in the current RFC conflicting with
> common practice -- several final destination MTAs on the public
> Internet, depending on their role/use, do require and enforce TLS
> communication only either on a per-sender, per-recipient, or per-server
> basis.

AFAIK, no public MTAs as of now require TLS for all SMTP connections.  
And if you want to enforce TLS selectively, you can do so via the 
auth_http script as previously suggested.

> That said your rationale for rejecting the patch is accurate and
> mirrors similar expressed in Postfix at
> www.postfix.org/postconf.5.html#smtpd_tls_security_level regarding 'encrypt'.
> 
> If you find the proposed patch satisfactory from a technical aspect I
> will commit the patch locally for a specific use case which would fall
> under the category of 'dedicated servers'.

From a technical point of view I would recommend moving the check 
into ngx_mail_smtp_mail() function.  Or, as already suggested, you 
may want to avoid the patch altogether and use auth_http 
restrictions instead.

> For your consideration, perhaps a configuration option of:
> 
> starttls dedicated;
> 
> With the proposed patch would meet both a use case and RFC requirement aspect.

This sounds confusing.  If we really want all connections to 
be restricted to TLS only, I would rather change "starttls only" 
as in your initial suggestion.

-- 
Maxim Dounin
http://mdounin.ru/
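As an added illustration (not code from this thread or from nginx), the following is a minimal auth_http backend that implements the selective TLS restriction mentioned above: it reads the session headers the nginx mail proxy passes to auth_http and refuses a plaintext session when the sender or recipient is on a TLS-only list. The policy sets, the upstream address, and the assumption that Auth-SMTP-From/Auth-SMTP-To carry the URI-escaped command line are this example's own.

```python
"""Constructed auth_http backend for the nginx mail proxy (added example).

nginx sends one HTTP request per session with the session described in
request headers (Auth-Protocol, Auth-SMTP-From, Auth-SMTP-To, Auth-SSL, ...)
and takes its decision from the response headers (Auth-Status, Auth-Server,
Auth-Port, Auth-Error-Code).  Policy sets and the upstream address are assumed.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Assumed policy: mail from/to these addresses is only relayed over TLS.
TLS_REQUIRED_SENDERS = {"finance@example.org"}
TLS_REQUIRED_RECIPIENTS = {"legal@example.org"}
UPSTREAM = ("192.0.2.25", 25)  # placeholder address of the real MTA


def _addr(raw: str) -> str:
    """Extract 'a@b' from a forwarded 'MAIL FROM:<a@b>' / 'RCPT TO:<a@b>' line."""
    raw = unquote(raw)  # assumption: nginx URI-escapes the header values it forwards
    start, end = raw.find("<"), raw.rfind(">")
    if start != -1 and end > start:
        raw = raw[start + 1:end]
    return raw.strip().lower()


def auth_decision(headers: dict) -> dict:
    """Return the auth_http response headers for one SMTP session."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("auth-protocol") != "smtp":
        # This backend only serves the SMTP listener; refuse anything else.
        return {"Auth-Status": "Invalid login or password"}
    sender = _addr(h.get("auth-smtp-from", ""))
    rcpt = _addr(h.get("auth-smtp-to", ""))
    over_tls = h.get("auth-ssl", "").lower() == "on"  # set by nginx after STARTTLS
    if not over_tls and (sender in TLS_REQUIRED_SENDERS or rcpt in TLS_REQUIRED_RECIPIENTS):
        # The reply RFC 3207 prescribes for a server that requires TLS first.
        return {"Auth-Status": "Must issue a STARTTLS command first",
                "Auth-Error-Code": "530 5.7.0"}
    return {"Auth-Status": "OK", "Auth-Server": UPSTREAM[0], "Auth-Port": str(UPSTREAM[1])}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        for name, value in auth_decision(dict(self.headers.items())).items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Point the mail block's `auth_http` directive at this server; sessions that never issued STARTTLS but involve a listed address are then rejected before any relaying, while everything else is proxied unchanged.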