On Tue, May 04, 2010 at 04:08:23PM -0400, Ted Unangst wrote:
> On Wed, May 5, 2010 at 11:06 AM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
> > I understand that currently the rfcs state plain must be supported on
> > publicly listed servers, but can anyone save me the trouble of delving
> > into more rfcs and tell me if it's possible (at least potentially) to
> > use a mail proxy like nginx to negotiate starttls in front of spamd.
> >
> >
> > I think that in other words I'm asking.
> >
> > Is the starttls supported keyword sent before spamd sends a 451
> > response just after the data command is received from the client
> >
> > Is the starttls supported keyword sent before or after spamd sends a 450
> > response to blacklisted hosts.
>
> STARTTLS should be the first command the client issues, long before
> DATA, but you seem confused as to who is connecting to spamd. Your
> clients should never be talking to spamd to submit mail.
>
Just to nitpick. STARTTLS is an SMTP extension. The first client command would be "EHLO", then STARTTLS only if the server reports that it is supported. I know both sendmail and postfix don't care and will accept STARTTLS as a first command, but not Exchange. For a year or so, I had to carry a hacked version of openssl's "s_client -starttls smtp" command that sent "EHLO blabla" before STARTTLS, in order to test Exchange servers. (openssl's has since been fixed.)

As for the OP's question, you are right. If you ask a mail client to require starttls, they need to be directed to a spamd-free service. If they required starttls without your approval, they are in the wrong.
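An added illustration of the ordering point above, not code from the thread or from any of the servers named: a pure in-memory model of the pre-TLS part of an SMTP session, with a constructed "strict" server that rejects STARTTLS before EHLO (the behaviour described for Exchange) and a lenient one that does not; the hostnames and reply texts are assumptions.

```python
# Added example, not from the thread: in-memory model of the pre-TLS part of
# an SMTP session. The "strict" server rejects STARTTLS before EHLO (the
# Exchange behaviour described above); the lenient one accepts it anyway.
# Hostnames and reply texts are constructed for illustration.

class SmtpServer:
    """Minimal SMTP state machine covering EHLO and STARTTLS only."""

    def __init__(self, strict, hostname="mail.example.test"):
        self.strict = strict        # True: require EHLO before STARTTLS
        self.hostname = hostname
        self.greeted = False
        self.tls_started = False

    def handle(self, line):
        """Process one client command line and return the server reply."""
        verb = line.split()[0].upper() if line.strip() else ""
        if verb == "EHLO":
            self.greeted = True
            # Multi-line reply: hostname first, then one extension per line.
            return f"250-{self.hostname}\r\n250-SIZE 10240000\r\n250 STARTTLS\r\n"
        if verb == "STARTTLS":
            if self.strict and not self.greeted:
                return "503 5.5.1 Send EHLO first\r\n"
            self.tls_started = True
            return "220 2.0.0 Ready to start TLS\r\n"
        return "500 5.5.2 Command not recognized\r\n"


def advertised_extensions(ehlo_reply):
    """Parse an EHLO reply into the set of extension keywords it advertises."""
    lines = [ln for ln in ehlo_reply.split("\r\n") if ln.startswith("250")]
    # lines[0] carries the server hostname, not an extension; skip it.
    return {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].strip()}


def negotiate_tls(server, ehlo_first=True):
    """Client side of the exchange; True only if STARTTLS was accepted (220)."""
    if ehlo_first:
        reply = server.handle("EHLO client.example.test")
        if "STARTTLS" not in advertised_extensions(reply):
            return False            # extension not offered: do not send STARTTLS
    reply = server.handle("STARTTLS")
    return reply.startswith("220")


if __name__ == "__main__":
    print("strict, EHLO first:", negotiate_tls(SmtpServer(strict=True)))
    print("strict, no EHLO:   ", negotiate_tls(SmtpServer(strict=True), False))
    print("lenient, no EHLO:  ", negotiate_tls(SmtpServer(strict=False), False))
```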