SMTP Proxy - STARTTLS offer on per IP base

Maxim Dounin mdounin at
Tue Aug 20 09:53:23 UTC 2019


On Mon, Aug 19, 2019 at 08:48:28AM -0400, ramber wrote:

> We've set up an nginx reverse SMTP proxy to load balance incoming access to
> our mailservers.
> Everything is fine... until
> some remote sites have broken TLS setups and can't deliver mails anymore.
> Some didn't accept Let's Encrypt as CA, for instance.
> Now I'm searching for a way to not provide STARTTLS to them.
> The AUTH method is too late here because it will be started after "rcpt
> to:".
> Is there a way to call an "Auth Script" after Client-Helo and decide whether
> to send the STARTTLS option or not?
> I know I can do some redirect with the firewall but I would like to add some
> logic to the decision to provide STARTTLS or not.

No, there is no way to conditionally provide STARTTLS or not.  
STARTTLS is always provided as long as it is enabled in the 
relevant server block.

Maxim Dounin
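
The reply above ties STARTTLS to the server block, so the finest granularity available is one listener. As an added illustration (not part of the original thread and not the nginx project's own configuration), here are two SMTP proxy listeners that differ only in `starttls`, the second intended for traffic that a firewall redirect of the kind the original poster mentions sends to it. The port 2525, the hostname, the certificate paths and the `auth_http` URL are assumptions.

```nginx
mail {
    server_name      mx.example.com;                    # placeholder hostname
    auth_http        http://127.0.0.1:9000/auth;        # placeholder backend-selection endpoint

    # Certificate used by every listener that offers STARTTLS (placeholder paths).
    ssl_certificate      /etc/nginx/tls/mx.example.com.crt;
    ssl_certificate_key  /etc/nginx/tls/mx.example.com.key;

    # Default listener: STARTTLS is advertised to every client that connects here.
    server {
        listen     25;
        protocol   smtp;
        smtp_auth  none;
        starttls   on;
    }

    # Second listener (assumed port): STARTTLS is never advertised, so sessions
    # arriving here are always plaintext. nginx cannot pick between the two
    # blocks by client IP; selection has to happen before the connection
    # reaches nginx, e.g. a firewall rule redirecting chosen source addresses
    # from port 25 to this port.
    server {
        listen     2525;
        protocol   smtp;
        smtp_auth  none;
        starttls   off;
    }
}
```

Keeping the redirected source list short and reviewing it regularly limits how much inbound mail travels without transport encryption.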
