On Fri, Jan 31, 2014 at 02:07:51AM +0100, Johannes Bauer wrote:

> On 31.01.2014 01:41, Viktor Dukhovni wrote:
> > On Fri, Jan 31, 2014 at 12:54:01AM +0100, Johannes Bauer wrote:
> > 
> >> What I would like to do and cannot figure out: How can I *force*
> >> authenticated clients to perform a STARTTLS before performing a "AUTH
> >> PLAIN"?
> > 
> > If plaintext mechanisms are all you have:
> > 
> >     smtpd_tls_auth_only = yes
> > 
> > This disables auth completely without TLS.  It looks like you have
> > no other mechanisms available.
> 
> You're a genius! Thank you so much, this is exactly what I wanted.
> 
> If we ever meet in person, be sure to claim your well-deserved beer :-)

Instead of buying me a beer, you can pay me back in kind and take
5-10 minutes to read Section 1.2 (and its subsections 1.2.1, 1.2.2,
1.2.3 and 1.2.4) of:

    http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2

then email me feedback about what could/should be more clear or
how the structure of the introduction could be improved.

Yes, I know that an RFC is not a tutorial, and is aimed primarily
at would-be implementors, not users.  That said, I want the
introduction to be more widely accessible.

If you feel that the document as a whole is not too taxing,
constructive suggestions are always appreciated for the other sections
too.

Then, start planning to deploy DNSSEC for your domains.  With care,
since one must not neglect to automate periodic re-signing of zone
files either daily or weekly, but in any case often enough to avoid
RRSIG expiration.

-- 
        Viktor.
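
A check for the effect of the setting discussed in this thread, added here as an example and not part of the original messages: with `smtpd_tls_auth_only = yes`, Postfix does not announce AUTH in its EHLO reply until the session is under TLS. The EHLO transcripts and host name below are constructed sample data, and the function names are hypothetical.

```python
import re

# Mechanisms that send the password unprotected when the channel is cleartext.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    ext = {}
    lines = [l for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = re.fullmatch(r"(\d{3})([ -])(.*)", line)
        if not m or m.group(1) != "250":
            raise ValueError(f"unexpected reply line: {line!r}")
        if i == 0:
            continue  # first line is the server's greeting, not an extension
        # Some servers also emit the legacy "AUTH=PLAIN LOGIN" form.
        words = m.group(3).replace("=", " ", 1).split()
        if words:
            ext.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return ext

def audit(pre_tls, post_tls):
    """Compare the EHLO reply before STARTTLS with the one after it."""
    findings = []
    before, after = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    if "AUTH" in before:
        exposed = sorted(PLAINTEXT_MECHS & set(before["AUTH"]))
        detail = f" (plaintext: {', '.join(exposed)})" if exposed else ""
        findings.append("AUTH offered before STARTTLS" + detail)
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered")
    if "AUTH" not in after:
        findings.append("AUTH not offered after STARTTLS")
    return findings

# Constructed sample transcripts (mail.example.org is a placeholder host).
WEAK_PRE = ("250-mail.example.org\n250-PIPELINING\n250-SIZE 10240000\n"
            "250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME")
FIXED_PRE = ("250-mail.example.org\n250-PIPELINING\n250-SIZE 10240000\n"
             "250-STARTTLS\n250 8BITMIME")
POST_TLS = ("250-mail.example.org\n250-PIPELINING\n250-SIZE 10240000\n"
            "250-AUTH PLAIN LOGIN\n250 8BITMIME")

if __name__ == "__main__":
    for name, pre in (("before the change", WEAK_PRE), ("after the change", FIXED_PRE)):
        print(name, "->", audit(pre, POST_TLS) or "ok")
```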
