On Mon, Jun 22, 2020 at 09:07:38AM -0400, Aaron Schrab wrote:
> At 17:54 -0700 21 Jun 2020, "Kevin J. McCarthy" <ke...@8t8.us> wrote:
>> For master branch, I'll add a new option, something like $tunnel_is_secure, defaulting "yes". That will turn off STARTTLS for tunneled imap, pop3, and smtp connections (a possibly breaking change). It will also disable the "IMAP PREAUTH" check.
>
> That sounds roughly like the same thing that I'd been planning to look into, and caused me to hold off for a bit on sending my fix.

Thanks Aaron, and for the original idea in ticket 250 too!

I've added the $tunnel_is_secure option, using your idea of setting conn->ssf in that case. The patch itself was pretty simple, but I wanted to look at SASL to make sure this wouldn't cause any problems.

As far as I can tell, the SASL property doesn't make a difference unless min_ssf is also set in the SASL properties (which it isn't). Also, funnily enough, the GnuTLS code is stuffing bytes into ssf, while OpenSSL is putting bits in. So, I don't see a problem with using the ssf as a boolean for the secure tunnel case.

The patch and documentation updates are done, but I want to test it out a bit tomorrow before pushing it up.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
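The point about ssf above (a secure tunnel sets it non-zero, GnuTLS stores bytes where OpenSSL stores bits, so it is only safe as a boolean) can be shown with a small model. This is an added illustration, not mutt's code: the struct, the field names and the functions are hypothetical, and the byte-vs-bit split is taken from the message.

```c
/* Illustrative model of the connection security state discussed in the
 * thread. Names (conn_model, tunnel_setup, ...) are hypothetical, not mutt's. */
#include <stdbool.h>

enum tls_backend { BACKEND_NONE, BACKEND_OPENSSL, BACKEND_GNUTLS };

struct conn_model {
    enum tls_backend backend;
    unsigned int ssf;        /* cipher strength as the backend reported it */
    bool tunnel;             /* connection goes through $tunnel_command */
    bool tunnel_is_secure;   /* the new $tunnel_is_secure option */
};

/* Assumption from the thread: OpenSSL reports bits, GnuTLS reports bytes.
 * Normalize to bits so the two backends can be compared at all. */
unsigned int ssf_bits(const struct conn_model *c)
{
    return c->backend == BACKEND_GNUTLS ? c->ssf * 8 : c->ssf;
}

/* Tunnel setup: a tunnel declared secure gets a non-zero ssf so the
 * connection counts as already encrypted. Only the boolean matters. */
void tunnel_setup(struct conn_model *c)
{
    if (c->tunnel && c->tunnel_is_secure && c->ssf == 0)
        c->ssf = 1;
}

/* The only question mutt asks of ssf: is the link encrypted? */
bool conn_is_secure(const struct conn_model *c) { return c->ssf > 0; }

/* STARTTLS (and the PREAUTH check) are skipped on a link already secure. */
bool should_starttls(const struct conn_model *c) { return !conn_is_secure(c); }

/* What a SASL min_ssf threshold would do if it were set: a raw comparison
 * would under-count GnuTLS (bytes), so the threshold is applied to bits. */
bool sasl_meets_min_ssf(const struct conn_model *c, unsigned int min_ssf_bits)
{
    return ssf_bits(c) >= min_ssf_bits;
}
```

A threshold check like min_ssf is where the unit mismatch would bite; the boolean use the patch relies on is unaffected because both backends report a non-zero value for any cipher.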
