On my POP3 server, I need to be able to control the use of STARTTLS by client IP address. Specifically:

* Clients on certain internal subnets (e.g., 192.168.1.0/24) must not have the option to use TLS. If the client tries to use STARTTLS, the option should be rejected. This is to satisfy US FCC rules regarding the use of encryption over certain radio frequencies.
* All other internal clients (e.g., 192.168.0.0/16, but not 192.168.1.0/24) should be able to use STARTTLS if they choose to.
* All external clients (0.0.0.0/0) will be required to use TLS.

Is there a way to control which clients are allowed to use STARTTLS according to the client's IP address?

Thanks,
Michael
Sent from my iPhone

> On Jul 14, 2016, at 3:56 PM, Michael Fox <news at mefox.org> wrote:
>
> On my POP3 server, I need to be able to control the use of STARTTLS by
> client IP address. Specifically:
>
> * Clients on certain internal subnets (e.g., 192.168.1.0/24) must not have
> the option to use TLS. If the client tries to use STARTTLS, the option
> should be rejected. This is to satisfy US FCC rules regarding the use of
> encryption over certain radio frequencies.
> * All other internal clients (e.g., 192.168.0.0/16, but not 192.168.1.0/24)
> should be able to use STARTTLS if they choose to.
> * All external clients (0.0.0.0/0) will be required to use TLS.
>
> Is there a way to control which clients are allowed to use STARTTLS
> according to the client's IP address?
>
> Thanks,
> Michael

Seems like your firewall could redirect to a different port that doesn't offer starttls.
Are you 100% sure your interpretation of the FCC rules is correct? Do you really want passwords going out over RF unencrypted? As far as I know, only ham bands are not allowed to use encryption. Even baby monitors these days are DECT. (Mind you, not good encryption.)

Original Message
From: Michael Fox
Sent: Thursday, July 14, 2016 1:57 PM
To: Dovecot Mailing List
Subject: controlling STARTTLS by IP address

On my POP3 server, I need to be able to control the use of STARTTLS by client IP address. Specifically:

* Clients on certain internal subnets (e.g., 192.168.1.0/24) must not have the option to use TLS. If the client tries to use STARTTLS, the option should be rejected. This is to satisfy US FCC rules regarding the use of encryption over certain radio frequencies.
* All other internal clients (e.g., 192.168.0.0/16, but not 192.168.1.0/24) should be able to use STARTTLS if they choose to.
* All external clients (0.0.0.0/0) will be required to use TLS.

Is there a way to control which clients are allowed to use STARTTLS according to the client's IP address?

Thanks,
Michael
On 15.07.2016 00:13, Edgar Pettijohn wrote:
>
> Sent from my iPhone
>
>> On Jul 14, 2016, at 3:56 PM, Michael Fox <news at mefox.org> wrote:
>>
>> On my POP3 server, I need to be able to control the use of STARTTLS by
>> client IP address. Specifically:
>>
>> * Clients on certain internal subnets (e.g., 192.168.1.0/24) must not have
>> the option to use TLS. If the client tries to use STARTTLS, the option
>> should be rejected. This is to satisfy US FCC rules regarding the use of
>> encryption over certain radio frequencies.
>> * All other internal clients (e.g., 192.168.0.0/16, but not 192.168.1.0/24)
>> should be able to use STARTTLS if they choose to.
>> * All external clients (0.0.0.0/0) will be required to use TLS.
>>
>> Is there a way to control which clients are allowed to use STARTTLS
>> according to the client's IP address?
>>
>> Thanks,
>> Michael
>>
>
> Seems like your firewall could redirect to a different port that doesn't offer starttls.

You could try

remote x.x.x.x/y {
  ssl = no
}

Aki
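To show how Aki's `remote` block fits together with the three-tier policy from Michael's question, here is an added Dovecot configuration example. It is not Aki's, Michael's, or the Dovecot project's own configuration; it assumes a Dovecot 2.x server where `ssl` is accepted inside `remote` blocks and where, when several `remote` blocks match a client, the most specific prefix wins (check this on your version with `doveconf -n`). The subnets are the ones given in the thread.

```conf
# Added example, not from the thread: a conf.d fragment that applies the
# STARTTLS policy from the question per client network using Dovecot's
# "remote" blocks (the mechanism Aki suggests).

# Global default: everything not matched by a remote block below, i.e. all
# external clients (0.0.0.0/0). STARTTLS is advertised and the POP3 login is
# refused until the session has been upgraded to TLS.
ssl = required

# Keep plaintext SASL mechanisms (PLAIN/LOGIN) off on unencrypted, non-local
# connections, so the radio-linked subnet cannot leak passwords in the clear
# even though it has no TLS. This is a global setting here, not per block.
disable_plaintext_auth = yes

# Wider internal range: STARTTLS is offered but the client may decline it.
remote 192.168.0.0/16 {
  ssl = yes
}

# Radio-linked subnet (more specific than the /16 above, so it takes
# precedence for these addresses): STLS is neither advertised in CAPA nor
# accepted, which is the "ssl = no" Aki refers to.
remote 192.168.1.0/24 {
  ssl = no
}
```

After reloading, a quick way to confirm the result from each network is `openssl s_client -connect <server>:110 -starttls pop3`: it should succeed from 192.168.0.0/16 and from outside, and fail (no STLS in the CAPA response) from 192.168.1.0/24.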
> Seems like your firewall could redirect to a different port that doesn't
> offer starttls.

Yes, of course. But that would require multiple ports, making the client configuration cumbersome and error-prone.

Michael
> Are you 100% sure your interpretation of the FCC rules is correct?

Yes.

> Do you really want passwords going out over RF unencrypted?

No. I don't plan to use plaintext auth methods.

> As far as I know, only ham bands are not allowed to use encryption. Even
> baby monitors these days are DECT. (Mind you, not good encryption.)

Correct. It is ham radio.

Michael