SMTP Proxy - STARTTLS offer on per IP base
mdounin at mdounin.ru
Tue Aug 20 09:53:23 UTC 2019
On Mon, Aug 19, 2019 at 08:48:28AM -0400, ramber wrote:
> We've setup a nginx reverse smtp proxy to load balance incoming access to
> our mailservers.
> Everything is fine... until
> Some remote sites have broken tls setups and can't deliver mails anymore.
> Some didn't accept Let's Encrypt as CA for instance.
> Now I'm searching a way to not provide STARTTLS to them.
> The AUTH Methode is to late here because it will be started after "rcpto
> Is there way to call an "Auth Script" after Client-Helo and decide whether
> dto send STARTTLS Option or not?
> I know i can do some redirect with the firewall but i would like to add some
> logic to the desition to provide STARTTLS or not.
No, there is no way to conditionally provide STARTTLS or not.
STARTTLS is always provided as long as it is enabled in the
relevant server block.
More information about the nginx