I wanted users to have the choice between connecting via TLS or not.
By default, users would require TLS unless they choose otherwise.
There is an existing userbase where some users use SSL/TLS, and others
do not.
We use Dovecot for authentication. The auth protocol, as described at
http://wiki2.dovecot.org/Design/AuthProtocol, can accept a flag "secured"
indicating whether the SASL user is connecting securely (TLS, or localhost).

    smtpd_sasl_type = dovecot
    smtpd_sasl_auth_enable = yes

In testing, we were seeing the following results:

smtpd_tls_security_level=may
    AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011resp=

smtpd_tls_security_level=encrypt
    AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011secured#011resp=

The secured flag is only set when the level is set to encrypt. I would
expect it to be set for any client that connects via TLS.
Software:
Postfix 2.6.6
Dovecot 2.2.5
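
Added example, not part of the original post: a small Python parser for logged AUTH requests like the two above, which reports any request that uses a plaintext mechanism without the "secured" flag. It assumes "#011" is the logger's octal escape for a tab (the auth protocol's field separator); the function names are hypothetical.

```python
import re

# Assumption: the logger writes control characters as '#' plus three octal
# digits, so the protocol's tab separator (octal 011) is logged as "#011".
_ESCAPED_CTRL = re.compile(r"#([0-3][0-7]{2})")

# Mechanisms that carry the password itself and so depend on channel security.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# The two AUTH lines quoted in the post above (security level may / encrypt).
MAY_LINE = ("AUTH#0111#011PLAIN#011service=smtp#011nologin"
            "#011lip=1.6.0.5#011rip=1.6.41.1#011resp=")
ENCRYPT_LINE = ("AUTH#0111#011PLAIN#011service=smtp#011nologin"
                "#011lip=1.6.0.5#011rip=1.6.41.1#011secured#011resp=")


def unescape(line):
    """Turn '#NNN' octal escapes back into the original control characters."""
    return _ESCAPED_CTRL.sub(lambda m: chr(int(m.group(1), 8)), line)


def parse_auth(line):
    """Split one AUTH request into id, mechanism, bare flags and key=value params."""
    fields = unescape(line.strip()).split("\t")
    if len(fields) < 3 or fields[0] != "AUTH":
        raise ValueError("not an AUTH request")
    req = {"id": fields[1], "mech": fields[2].upper(), "flags": set(), "params": {}}
    for field in fields[3:]:
        key, sep, value = field.partition("=")  # base64 '=' padding stays in value
        if sep:
            req["params"][key] = value
        elif key:
            req["flags"].add(key)
    return req


def plaintext_without_secured(line):
    """True when a plaintext mechanism is requested and 'secured' is absent."""
    req = parse_auth(line)
    return req["mech"] in PLAINTEXT_MECHS and "secured" not in req["flags"]


if __name__ == "__main__":
    for name, line in (("may", MAY_LINE), ("encrypt", ENCRYPT_LINE)):
        req = parse_auth(line)
        print(name, req["params"].get("rip"), sorted(req["flags"]),
              "UNSECURED" if plaintext_without_secured(line) else "ok")
```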