SMTP proxy with "STARTTLS only" accepts unencrypted mail

Marcus nginx at mattern.org
Wed Jun 5 19:06:02 UTC 2019


Thank you very much. I didn't find it.

Am 04.06.19 um 15:49 schrieb Maxim Dounin:
> Hello!
>
> On Mon, Jun 03, 2019 at 10:16:20PM +0200, Marcus wrote:
>
>> I try to use NGiNX 1.10.3-1+deb9u2 (Debian 9 version) as SMTP proxy in
>> front of a postfix server. I defined one server that should accept
>> encrypted connections only. Therefore I set "starttls only".
>>
>> But this server accepts plaintext mails also. If I use telnet to test
>> the proxy it provides STARTTLS but I can relay a mail without using it.
> Currently, "starttls" is only enforced for authentication, but not
> for non-authenticated mail delivery, as with "smtp_auth none" in
> your config.  If you want to reject all non-encrypted
> non-authenticated mail delivery, you can do so using an auth_http
> script.
>
> Recently discussed here:
>
> http://mailman.nginx.org/pipermail/nginx-devel/2019-March/011970.html
>


More information about the nginx mailing list