SMTP proxy with "STARTTLS only" accepts unencrypted mail

Marcus nginx at
Wed Jun 5 19:06:02 UTC 2019

Thank you very much. I didn't find it.

Am 04.06.19 um 15:49 schrieb Maxim Dounin:
> Hello!
> On Mon, Jun 03, 2019 at 10:16:20PM +0200, Marcus wrote:
>> I try to use NGiNX 1.10.3-1+deb9u2 (Debian 9 version) as SMTP proxy in
>> front of a postfix server. I defined one server that should accept
>> encrypted connections only. Therefore I set "starttls only".
>> But this server accepts plaintext mails also. If I use telnet to test
>> the proxy it provides STARTTLS but I can relay a mail without using it.
> Currently, "starttls" is only enforced for authentication, but not
> for non-authenticated mail delivery, as with "smtp_auth none" in
> your config.  If you want to reject all non-encrypted
> non-authenticated mail delivery, you can do so using an auth_http
> script.
> Recently discussed here:

More information about the nginx mailing list