Proposed patch to enforce STARTTLS before MAIL FROM
Maxim Dounin
mdounin at mdounin.ru
Thu Mar 7 17:38:01 UTC 2019
Hello!
On Tue, Mar 05, 2019 at 01:48:06PM -0600, lists--- via nginx-devel wrote:
> On 3/5/19 12:23 PM, Maxim Dounin wrote:
> > Not sure it is a good change.
>
> Thank you for your detailed reply and explanation. I agree with you on
> all facets with respect to RFC compliance. I believe the core issue at
> hand is the antiquated language in the current RFC conflicting with
> common practice -- several final destination MTAs on the public
> Internet, depending on their role/use, do require and enforce TLS
> communication only either on a per-sender, per-recipient, or per-server
> basis.
AFAIK, no public MTAs as of now require TLS for all SMTP connections.
And if you want to enforce TLS selectively, you can do so via the
auth_http script as previously suggested.
> That said your rationale for rejecting the patch is accurate and
> mirrors similar expressed in Postfix at
> www.postfix.org/postconf.5.html#smtpd_tls_security_level regarding 'encrypt'.
>
> If you find the proposed patch satisfactory from a technical aspect I
> will commit the patch locally for a specific use case which would fall
> under the category of 'dedicated servers'.
From a technical point of view I would recommend moving the check
into ngx_mail_smtp_mail() function. Or, as already suggested, you
may want to avoid the patch altogether and use auth_http
restrictions instead.
> For your consideration, perhaps a configuration option of:
>
> starttls dedicated;
>
> With the proposed patch would meet both a use case and RFC requirement aspect.
This sounds confusing. If we really want all connections to
be restricted to TLS only, I would rather change "starttls only"
as in your initial suggestion.
--
Maxim Dounin
http://mdounin.ru/
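The alternative Maxim recommends twice above, enforcing TLS selectively from the auth_http backend rather than patching the SMTP state machine, as an added example that is not part of this thread and not nginx's own code. It assumes the request header names of nginx's auth_http protocol (Auth-Protocol, Auth-SSL, Auth-SMTP-From, Auth-SMTP-To) and the Auth-Status / Auth-Error-Code / Auth-Server / Auth-Port response headers; the domain list, listening port and upstream MTA address are constructed placeholders.

```python
# Added example: a minimal auth_http backend for the nginx mail proxy.
# Plaintext SMTP stays allowed in general (RFC-compliant behaviour), but a
# session whose sender or recipient domain is on the policy list is refused
# unless the client negotiated STARTTLS first, which nginx reports to the
# backend with "Auth-SSL: on". With "smtp_auth none", nginx queries the
# backend after RCPT TO, so both envelope addresses are available here.
from http.server import BaseHTTPRequestHandler, HTTPServer

TLS_REQUIRED_DOMAINS = {"example.com"}   # constructed policy list, not real data
UPSTREAM = ("127.0.0.1", 2525)           # assumed internal MTA (placeholder)


def _domain(smtp_arg):
    """Extract the lowercase domain from a raw SMTP argument such as
    '<alice@example.com> SIZE=123' (nginx passes the argument verbatim)."""
    parts = (smtp_arg or "").split()
    local_and_domain = parts[0].strip("<>") if parts else ""
    return local_and_domain.rpartition("@")[2].lower()


def decide(headers):
    """Return (Auth-Status value, extra response headers) for one request."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("auth-protocol") != "smtp":
        # This demo only handles SMTP; other protocols are rejected outright.
        return "Invalid login or password", {"Auth-Error-Code": "535 5.7.8"}
    tls_on = h.get("auth-ssl", "").strip().lower() == "on"
    parties = (_domain(h.get("auth-smtp-from")), _domain(h.get("auth-smtp-to")))
    if not tls_on and any(d in TLS_REQUIRED_DOMAINS for d in parties):
        # Same idea as Postfix's per-destination "encrypt" level: refuse rather
        # than silently downgrade. The 530 reply code is the STARTTLS-required
        # response SMTP clients already understand.
        return "Must issue a STARTTLS command first", {"Auth-Error-Code": "530 5.7.0"}
    return "OK", {"Auth-Server": UPSTREAM[0], "Auth-Port": str(UPSTREAM[1])}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):                      # nginx issues GET requests to auth_http
        status, extra = decide(self.headers)
        self.send_response(200)
        self.send_header("Auth-Status", status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, *args):          # keep the demo quiet
        pass


if __name__ == "__main__":
    # Point nginx at it with: auth_http 127.0.0.1:9000/auth; (port is a placeholder)
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```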