[PATCH] Mail: send starttls flag value to auth script

Michael Kliewe info at phpgangsta.de
Tue Mar 3 16:28:13 UTC 2015

Hi Maxim,

On Mar 3, 2015, at 4:50 PM, Maxim Dounin wrote:

> Hello!
> On Tue, Mar 03, 2015 at 03:14:50PM +0100, Michael Kliewe wrote:
>> Hi again,
>> On Mar 2, 2015, at 3:56 PM, Maxim Dounin wrote:
>> I'm sorry, I don't really want to repeat my arguments, but as I 
>> said I don't have control over all nginx servers that are used. 
>> Some will be "older", some will be newer. And I cannot force 
>> "them" to introduce the auth_http_header to just send the nginx 
>> version or capability of sending Auth-SSL header or not...
> If you can't, than just switch off warnings till the update is 
> complete, as already suggested.

That might take months or years, some are out of my control as I said.
And we are already sending warnings currently because of the patch from Filipe, which works fine.
I cannot use your modified patch, I still have to patch Filipes version manually then.

>> Filipe's patch is working fine since > 6 month, it's either 
>> sending 0 or 1. The 0 is an important information and should not 
>> be dropped.
>> Can you tell me the disadvantage of sending "off" in case the 
>> connection is unencrypted? I don't really see the problem at the 
>> moment why you don't add the else branch, you are dropping 
>> information that is needed (and that was there in the original 
>> patch)... It's just 3 lines more code and doesn't hurt anybody, 
>> but provides important information to the auth script.
> As already explained, the problem is that the header will be added 
> forever for all setups, and it will be waste of resources in all 
> these setups.  It will be waste of resources in your setup as well 
> after the transition period.

But you are already adding the header in case it is an encrypted connection, which currently is >90% of all cases, at least here in Germany. If you call that "waste of ressources", you are already doing that for 90% of all IMAP/POP3 connections, I'm just asking to do that for the last 10% that are unencrypted (and will fade away during the next years, as more and more providers disallow unencrypted connections).
I'm just asking for the last 10% of connections, which are the important ones, if you need that feature.

Otherwise I still have to use the patch from Filipe everywhere, because it allows slow migration and distinction between "encrypted", "unencrypted" and "unknown" in the auth script.

If you want to be as efficient as possible, you should send just "AUTH_SSL: off" in case of an unencrypted connection, and no header at all for an encrypted connection. That would be a lot better, because >90% of all IMAP/POP3 connections are encrypted today.


More information about the nginx-devel mailing list