I have built an event-driven TLS proxy for postscreen(8). This addresses the problem that postscreen(8) could not be used when SMTP clients require STARTTLS support.
The new daemon is called starttlsd(8). When a non-whitelisted (*) SMTP client sends a STARTTLS command, postscreen(8) will hand off the connection to starttlsd(8) and read/write the plaintext to/from starttlsd(8). The challenge was that one starttlsd(8) must be able to handle the TLS <=> plaintext translation for more than one SMTP client, but thanks to careful planning, it worked out of the box. Next on the agenda is AUTH support, and that is a lot simpler.

Wietse

(*) A complete stranger, or a known client whose whitelisting needs to be renewed.
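The hand-off described in the post, shown as an added Go example; this is not Postfix code and not how starttlsd(8) is implemented. One process terminates TLS for several clients at once and relays the recovered plaintext to a separate plaintext side, which here is an in-process pipe and a stand-in handler that answers every line with an SMTP-style "250" reply (postscreen's role in the real design). All names (selfSignedCert, plaintextBackend, serveTLSProxy, RunDemo), the throwaway "localhost" certificate and the loopback ports are assumptions of this example. Go uses one goroutine per session rather than the single event loop the post describes, but the property the post cares about is the same: many TLS <=> plaintext translations live in one daemon. The clients pin the demo certificate instead of disabling verification.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert makes a throwaway "localhost" certificate in memory (offline demo only).
func selfSignedCert() (tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{"localhost"}, // Go verifies host names against SANs only
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// plaintextBackend is the plaintext side of the hand-off: each line gets an SMTP-style "250" reply, upper-cased.
func plaintextBackend(c net.Conn) {
	defer c.Close()
	r := bufio.NewReader(c)
	for line, err := r.ReadString('\n'); err == nil; line, err = r.ReadString('\n') {
		fmt.Fprintf(c, "250 %s\r\n", strings.ToUpper(strings.TrimRight(line, "\r\n")))
	}
}

// serveTLSProxy plays the starttlsd role: terminate TLS on each accepted client and relay
// plaintext both ways to the backend. One goroutine per session serves many clients at once.
func serveTLSProxy(ln net.Listener, backend func(net.Conn)) {
	for {
		client, err := ln.Accept() // the TLS handshake runs lazily on the first read
		if err != nil {
			return // listener closed
		}
		go func() {
			defer client.Close()
			near, far := net.Pipe() // in-process plaintext channel to the backend
			go backend(far)
			go func() { io.Copy(near, client); near.Close() }() // TLS in -> plaintext out; EOF propagates
			io.Copy(client, near)                               // plaintext in -> TLS out
		}()
	}
}

// RunDemo starts the proxy on loopback, opens n TLS sessions at once and returns each one's reply.
func RunDemo(n int) ([]string, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go serveTLSProxy(ln, plaintextBackend)
	pool := x509.NewCertPool() // clients trust exactly the demo certificate; no InsecureSkipVerify
	pool.AddCert(cert.Leaf)
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	conns, replies := make([]*tls.Conn, n), make([]string, n)
	for i := range conns { // every session is live in the one proxy before anything is sent
		if conns[i], err = tls.Dial("tcp", ln.Addr().String(), cfg); err != nil {
			return nil, err
		}
		defer conns[i].Close()
	}
	for i, c := range conns {
		fmt.Fprintf(c, "hello from client %d\r\n", i)
		line, err := bufio.NewReader(c).ReadString('\n')
		if err != nil {
			return nil, err
		}
		replies[i] = strings.TrimRight(line, "\r\n")
	}
	return replies, nil
}

func main() {
	fmt.Println(RunDemo(3))
}
```

Running it prints the three "250 HELLO FROM CLIENT n" replies. The point to check when reviewing a real hand-off of this kind is the boundary in serveTLSProxy: everything on the `near`/`far` side is plaintext, so whatever process holds that side (postscreen in the post's design) must be trusted with the decrypted SMTP session, and closing either side must unblock the other so a stalled client cannot pin a session forever.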