SMTP proxy with "STARTTLS only" accepts unencrypted mail

Marcus nginx at mattern.org
Mon Jun 3 20:16:20 UTC 2019


Hello Nginx users,

I am trying to use nginx 1.10.3-1+deb9u2 (Debian 9 version) as an SMTP proxy in 
front of a Postfix server. I defined one server that should accept 
encrypted connections only. Therefore I set "starttls only".

But this server also accepts plaintext mail. If I use telnet to test 
the proxy, it offers STARTTLS, but I can relay a mail without using it.

Please see my config:

---
proxy_pass_error_message on;
ssl_certificate /etc/ssl/private/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
resolver 127.0.0.1 valid=30s;
smtp_capabilities "SIZE 51200000" ENHANCEDSTATUSCODES 8BITMIME DSN VRFY ETRN PIPELINING;

server {
    server_name test.myserver.com;
    auth_http localhost:10080/10.1.0.1-25;
    listen 10.1.0.1:25;
    protocol smtp;
    smtp_auth none;
    starttls only;
}
---

What can I do to enforce STARTTLS? Or did I miss something?

Greetings
Marcus
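The telnet test from the post as a repeatable check, added here as an example (it is not code from the post or from nginx): connect, send EHLO, then attempt MAIL FROM without ever issuing STARTTLS, and report whether the listener refuses it with a 5xx. The fake_proxy server, the hostnames and the reply texts are constructed so the script runs offline; starttls_is_enforced() can be pointed at a real TCP socket to check the listener configured above.

```python
import socket
import threading

CRLF = b"\r\n"

def read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return (code, lines)."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        text = line.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        if len(text) < 4 or text[3] != "-":   # "250 " ends a reply, "250-" continues it
            return int(text[:3]), lines

def starttls_is_enforced(sock):
    """True if STARTTLS is offered and MAIL FROM is refused (5xx) on a plaintext session."""
    f = sock.makefile("rb")
    read_reply(f)                                          # 220 banner
    sock.sendall(b"EHLO probe.example.invalid" + CRLF)     # constructed probe hostname
    code, ehlo = read_reply(f)
    if code != 250:
        raise RuntimeError("EHLO rejected with %d" % code)
    offered = any(l[4:].upper().startswith("STARTTLS") for l in ehlo)
    sock.sendall(b"MAIL FROM:<probe@example.invalid>" + CRLF)  # deliberately no STARTTLS
    code, _ = read_reply(f)
    sock.sendall(b"QUIT" + CRLF)
    read_reply(f)                                          # 221, so the peer can close first
    return offered and 500 <= code < 600

def fake_proxy(sock, enforce):
    """Constructed stand-in for the proxy; enforce=False reproduces the reported behaviour."""
    f = sock.makefile("rb")
    sock.sendall(b"220 test.myserver.com ESMTP" + CRLF)
    while True:
        line = f.readline()
        cmd = line.split()[0].upper() if line.strip() else b""
        if cmd == b"EHLO":
            sock.sendall(b"250-test.myserver.com" + CRLF + b"250-STARTTLS" + CRLF + b"250 PIPELINING" + CRLF)
        elif cmd == b"MAIL":
            sock.sendall((b"530 5.7.0 Must issue a STARTTLS command first" if enforce else b"250 2.1.0 Ok") + CRLF)
        else:  # QUIT or closed connection
            sock.sendall(b"221 2.0.0 Bye" + CRLF)
            break
    sock.close()

def probe_fake(enforce):
    """Run the check against fake_proxy over a socketpair, so it works offline."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_proxy, args=(server, enforce))
    t.start()
    try:
        return starttls_is_enforced(client)
    finally:
        client.close()
        t.join()

if __name__ == "__main__":
    print("enforcing proxy:", probe_fake(True))    # True
    print("misconfigured  :", probe_fake(False))   # False
```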
