Viktor Dukhovni:
> On Wed, Apr 14, 2021 at 02:24:23PM -0400, Wietse Venema wrote:
> > TL;DR: the idea is to change the smtpd_forbidden_commands default
> > setting to something like:
> >
> >     CONNECT GET POST pcre:{/^\x16/ Possible TLS handshake}
> >
> > Which would match current TLS protocols.
>
> I guess subject to "#ifdef HAVE_PCRE".
Sure. Note that this is configurable, so that a signature can be added
without having to upgrade or recompile Postfix, and that this does not
care whether a problem is the server's fault or the client's.

(Aside from that, the ability to replace a lookup table pathname with
{the file content} has potential for other use cases.)

> Another option to reduce user surprise is to log warnings when
> listening on port 465, but TLS wrapper mode is not enabled. Or,
> more radically, implicitly enable wrapper mode when configured to
> run on port 465.

Heuristics for the expected state of ports and protocols are preferably
configurable. If they were hard-coded in C, Postfix would need to be
recompiled when there is a need to change a rule.

Wietse
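The rule discussed above, as an added example that is not part of the thread and not Postfix's own code: a small Python re-implementation of the proposed smtpd_forbidden_commands default, run over constructed first-bytes-from-a-client samples. It shows why `/^\x16/` catches a client that assumed TLS wrapper mode on port 465 (0x16 is the TLS record-layer "handshake" content type, shared by TLS 1.0 through 1.3 ClientHellos) and why it does not catch an SSLv2-style hello. How Postfix applies the keyword list versus the pcre table to the input is assumed here (keyword on the first token, case-insensitively; pattern on the raw bytes) and is labelled as such in the code.

```python
import re

# Constructed re-implementation of the proposed smtpd_forbidden_commands
# default, for illustration only; this is not Postfix code.
#   CONNECT GET POST pcre:{/^\x16/ Possible TLS handshake}
FORBIDDEN_KEYWORDS = {"CONNECT", "GET", "POST"}

# The inline pcre table: one (pattern, result) pair. 0x16 is the TLS
# record-layer content type for "handshake", so a ClientHello from a
# client that expected TLS wrapper mode starts with that byte.
PCRE_RULES = [(re.compile(rb"^\x16"), "Possible TLS handshake")]


def forbidden_reason(first_line: bytes):
    """Return why the first input from a client would be refused, or None.

    Assumptions (not from the thread): the keyword test is applied to the
    first whitespace-delimited token, case-insensitively, and the pcre
    patterns are applied to the raw line so that a non-ASCII leading byte
    can be matched.
    """
    verb = first_line.split(None, 1)[0] if first_line.strip() else b""
    verb_text = verb.decode("ascii", "replace")
    if verb_text.upper() in FORBIDDEN_KEYWORDS:
        return f"forbidden command {verb_text}"
    for pattern, result in PCRE_RULES:
        if pattern.search(first_line):
            return result
    return None


# Constructed sample inputs: what a server on port 465 without wrapper mode
# might see as the client's first bytes.
SAMPLES = {
    "smtp_ehlo": b"EHLO mail.example.com\r\n",
    "http_get": b"GET / HTTP/1.1\r\nHost: mail.example.com\r\n",
    "http_connect": b"CONNECT mail.example.com:443 HTTP/1.0\r\n",
    "http_post_lowercase": b"post /cgi HTTP/1.1\r\n",
    # TLS 1.2 ClientHello: record type 0x16, record version 3.1, length,
    # then handshake type 0x01 (ClientHello). Body truncated; only the
    # leading byte matters for the rule.
    "tls12_client_hello": b"\x16\x03\x01\x00\xc0\x01\x00\x00\xbc\x03\x03" + bytes(32),
    # TLS 1.3 ClientHello uses record version 3.3 but the same content type.
    "tls13_client_hello": b"\x16\x03\x03\x01\x10\x01\x00\x01\x0c\x03\x03" + bytes(32),
    # SSLv2-compatible ClientHello starts with a length byte that has the
    # high bit set (0x80), not 0x16, so /^\x16/ does not catch it.
    "sslv2_client_hello": b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10",
}


def classify_samples(samples=SAMPLES):
    """Run the rules over every sample and return {name: reason-or-None}."""
    return {name: forbidden_reason(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reason in classify_samples().items():
        print(f"{name:22s} -> {reason}")
```

The same `\xHH` escape works in PCRE and in Python's `re`, so the pattern can be copied between a main.cf inline table and a test script unchanged; the SSLv2 sample is there to make the "current TLS protocols" caveat from the quoted message concrete.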