On 15.07.2016 00:13, Edgar Pettijohn wrote:
>
> Sent from my iPhone
>
>> On Jul 14, 2016, at 3:56 PM, Michael Fox <news at mefox.org> wrote:
>>
>> On my POP3 server, I need to be able to control the use of STARTTLS by
>> client IP address. Specifically:
>>
>> * Clients on certain internal subnets (e.g., 192.168.1.0/24) must not have
>>   the option to use TLS. If the client tries to use STARTTLS, the option
>>   should be rejected. This is to satisfy US FCC rules regarding the use of
>>   encryption over certain radio frequencies.
>> * All other internal clients (e.g., 192.168.0.0/16, but not 192.168.1.0/24)
>>   should be able to use STARTTLS if they choose to.
>> * All external clients (0.0.0.0/0) will be required to use TLS.
>>
>> Is there a way to control which clients are allowed to use STARTTLS
>> according to the client's IP address?
>>
>> Thanks,
>> Michael
>>
>
> Seems like your firewall could redirect to a different port that doesn't offer starttls.

You could try

remote x.x.x.x/y {
  ssl = no
}

Aki
> You could try
>
> remote x.x.x.x/y {
>   ssl = no
> }
>
> Aki

Wow. OK. But I can find no documentation on how to use that.

Would it be used inside service pop3-login, or at the top level?

And, does it apply the first match found? For example:

# Disable SSL for radio clients
remote 192.168.1.0/24 {
  ssl = no
}
# Allow SSL for internal clients
remote 192.168.0.0/16 {
  ssl = yes
}
# Require SSL for all others
remote 0.0.0.0/0 {
  ssl = required
}

Thanks,
Michael
On 15.07.2016 00:52, Michael Fox wrote:
>> You could try
>>
>> remote x.x.x.x/y {
>>   ssl = no
>> }
>>
>> Aki
>
> Wow. OK. But I can find no documentation on how to use that.
>
> Would it be used inside service pop3-login, or at the top level?
>
> And, does it apply the first match found? For example:
>
> # Disable SSL for radio clients
> remote 192.168.1.0/24 {
>   ssl = no
> }
> # Allow SSL for internal clients
> remote 192.168.0.0/16 {
>   ssl = yes
> }
> # Require SSL for all others
> remote 0.0.0.0/0 {
>   ssl = required
> }
>
> Thanks,
> Michael

You can leave the last bit off. Not sure about the ordering, but you'll find out by testing? =)

Aki
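One way to do the testing Aki suggests, as an added example that is neither from this thread nor from Dovecot: a small Python probe that connects to the POP3 port in cleartext, issues CAPA and reports whether STLS is advertised, so it can be run from a host in each subnet and compared with the intended policy (no STLS for 192.168.1.0/24, STLS offered elsewhere). The host and port are assumptions, and the CAPA replies in the test are constructed.

```python
"""Probe whether a POP3 server offers STLS to the client running this script.

Intended for verifying per-subnet Dovecot `remote { ssl = ... }` blocks:
run it from a machine in each subnet and check the result against policy.
"""
import socket


def parse_capa(reply: bytes) -> list:
    """Parse a POP3 CAPA response (RFC 2449): '+OK', one capability per
    line, terminated by a line containing a single '.'."""
    lines = reply.decode("ascii", "replace").split("\r\n")
    if not lines or not lines[0].startswith("+OK"):
        return []                  # -ERR: server does not support CAPA
    caps = []
    for line in lines[1:]:
        if line == ".":
            break                  # end of the multi-line response
        if line.startswith(".."):
            line = line[1:]        # undo dot-stuffing
        if line:
            caps.append(line.split()[0].upper())
    return caps


def stls_advertised(reply: bytes) -> bool:
    """True if the CAPA reply lists STLS (STARTTLS for POP3)."""
    return "STLS" in parse_capa(reply)


def _read_response(sock: socket.socket) -> bytes:
    """Read until the terminating '.' line, or a single -ERR line."""
    buf = b""
    while not buf.endswith(b"\r\n.\r\n"):
        if buf.startswith(b"-ERR") and buf.endswith(b"\r\n"):
            break
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_pop3_stls(host: str, port: int = 110, timeout: float = 5.0) -> bool:
    """Connect in cleartext, send CAPA, return whether STLS is offered.
    host/port are placeholders; point them at the server under test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = s.recv(1024)    # e.g. "+OK Dovecot ready."
        if not greeting.startswith(b"+OK"):
            raise RuntimeError(f"unexpected greeting: {greeting!r}")
        s.sendall(b"CAPA\r\n")
        reply = _read_response(s)
        s.sendall(b"QUIT\r\n")
    return stls_advertised(reply)
```

Run `probe_pop3_stls("pop.example.internal")` from a host in each subnet; a True result from the radio subnet means the `ssl = no` block is not taking effect for that client address.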