On 2020-06-21 17:54:56 -0700, Kevin J. McCarthy wrote:
> I'm inclined to take the stance that the $tunnel is secure. For stable
> branch, I'll include the PREAUTH patch in <20200621151915.gg23...@afu.lan>:
>   if (!idata->conn->ssf && !Tunnel && option(OPTSSLFORCETLS))
> but make no other changes.
>
> For master branch, I'll add a new option, something like $tunnel_is_secure,
> defaulting "yes". That will turn off STARTTLS for tunneled imap, pop3, and
> smtp connections (a possibly breaking change). It will also disable the
> "IMAP PREAUTH" check.
>
> If changed to "no", then STARTTLS will occur for tunneled imap, pop3, and
> smtp connections (subject to $ssl_starttls and $ssl_force_tls, as it does
> right now). For "IMAP PREAUTH", it will error out if $ssl_force_tls is
> set.
>
> How does that sound?

I think that's OK.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)