> On Jun 28, 2016, at 2:11 AM, Rob Maidment <[email protected]> wrote:
>
> Filtering out the STARTTLS option can be achieved using
> smtpd_discard_ehlo_keyword_address_maps as described above.
> The smtpd_tls_security_level parameter must be set to "may" rather
> than "encrypt" if there are any profiles where TLS is not mandatory.
> The smtpd_tls_ask_ccert parameter must be set to "yes" if there are any
> connection profiles that require certificate validation.
> The enforcement can be achieved using smtpd_helo_restrictions to call
> (after the EHLO command) a custom policy server that determines the
> matching connection profile as described above, and uses the
> encryption_protocol attribute to determine if TLS is in use and the
> ccert_subject attribute to see if a trusted client certificate was
> provided. (Note: smtpd will validate the certificate if provided even
> when smtpd_tls_security_level is "may".)
>
> Note: the smtpd_delay_reject option must be set to "no" to prevent the
> client sending authentication credentials on a plain text connection
> where TLS was defined as mandatory (otherwise the policy server is
> called after the RCPT command not after the EHLO command).
>
> Any reason why this won't work?

With STARTTLS, the client sends "EHLO" twice, once before STARTTLS and
again after. The first call will naturally never have negotiated TLS.
So your policy server can't enforce TLS before "MAIL". Enforcing TLS
at EHLO is not possible.
--
Viktor.
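To make the point concrete, here is an added policy-server decision routine (example code, written for this thread; it is not Postfix code and not something either poster supplied). It parses the Postfix policy-delegation request format and uses the real attribute names (protocol_state, client_address, encryption_protocol, ccert_subject); the profile table, the addresses and the simulated session are constructed. It shows why enforcing at EHLO fails: the pre-STARTTLS EHLO arrives with an empty encryption_protocol, so HELO-state enforcement rejects a fully compliant client, whereas the same check applied at MAIL (assumed to be hooked in via check_policy_service in smtpd_sender_restrictions, with smtpd_delay_reject=no so that it runs before RCPT) gives the intended result.

```python
"""Per-profile TLS enforcement for a Postfix policy server (constructed example)."""
import ipaddress

# Constructed profile table (assumption): most specific entry first.
PROFILES = [
    {"name": "partner",  "cidr": "192.0.2.0/24", "require_tls": True, "require_ccert": True},
    {"name": "internal", "cidr": "10.0.0.0/8",   "require_tls": True, "require_ccert": False},
]
# Catch-all for clients that match no profile: TLS is optional.
DEFAULT_PROFILE = {"name": "default", "cidr": None, "require_tls": False, "require_ccert": False}


def parse_policy_request(raw):
    """Parse one policy-delegation request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def match_profile(client_address):
    """Return the first profile whose CIDR contains the client, else the catch-all."""
    addr = ipaddress.ip_address(client_address)
    for profile in PROFILES:
        if addr in ipaddress.ip_network(profile["cidr"]):
            return profile
    return DEFAULT_PROFILE


def session_violation(profile, attrs):
    """Compare the session's TLS state with the profile; return a reject action or None."""
    tls_active = attrs.get("encryption_protocol", "") != ""
    # smtpd fills ccert_subject only for a client certificate it verified.
    ccert_ok = attrs.get("ccert_subject", "") != ""
    if profile["require_tls"] and not tls_active:
        return "530 5.7.0 Must issue a STARTTLS command first"
    if profile["require_ccert"] and not ccert_ok:
        return "REJECT A trusted client certificate is required"
    return None


def decide(attrs, enforce_at=("MAIL",)):
    """Policy decision; the profile check runs only in the protocol states listed in enforce_at.
    The default, MAIL, is the first state at which the post-STARTTLS session is guaranteed."""
    if attrs.get("protocol_state") not in enforce_at:
        return "DUNNO"
    profile = match_profile(attrs["client_address"])
    return session_violation(profile, attrs) or "DUNNO"


def format_response(action):
    """Wire format of the policy reply."""
    return "action=%s\n\n" % action


def policy_request(state, client, tls="", ccert=""):
    """Build a constructed request the way smtpd would send it for the given state."""
    lines = ["request=smtpd_access_policy", "protocol_state=" + state, "protocol_name=ESMTP",
             "client_address=" + client, "helo_name=mx.partner.example",
             "encryption_protocol=" + tls, "ccert_subject=" + ccert]
    return "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    # One constructed session from a "partner" host, in the order smtpd issues policy lookups.
    session = [
        policy_request("HELO", "192.0.2.10"),                                      # EHLO before STARTTLS
        policy_request("HELO", "192.0.2.10", "TLSv1.2", "CN=mx.partner.example"),  # EHLO after STARTTLS
        policy_request("MAIL", "192.0.2.10", "TLSv1.2", "CN=mx.partner.example"),
    ]
    for raw in session:
        attrs = parse_policy_request(raw)
        print("%-4s enforce-at-HELO: %-45s enforce-at-MAIL: %s"
              % (attrs["protocol_state"], decide(attrs, ("HELO",)), decide(attrs)))
```

Run as a script, the first line of output shows the HELO-state variant rejecting the pre-STARTTLS EHLO of a client that is about to negotiate TLS with a trusted certificate; the MAIL-state variant returns DUNNO for every step of that session and only rejects sessions that reach MAIL without the TLS state the profile demands.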