Hello!

On Tue, Mar 05, 2019 at 01:48:06PM -0600, lists--- via nginx-devel wrote:

> On 3/5/19 12:23 PM, Maxim Dounin wrote:
> > Not sure it is a good change.
>
> Thank you for your detailed reply and explanation.  I agree with you on
> all facets with respect to RFC compliance.  I believe the core issue at
> hand is the antiquated language in the current RFC conflicting with
> common practice -- several final destination MTAs on the public
> Internet, depending on their role/use, do require and enforce TLS
> communication only either on a per-sender, per-recipient, or per-server
> basis.

AFAIK, no public MTAs as of now require TLS for all SMTP connections.
And if you want to enforce TLS selectively, you can do so via the
auth_http script as previously suggested.

> That said your rationale for rejecting the patch is accurate and
> mirrors similar expressed in Postfix at
> www.postfix.org/postconf.5.html#smtpd_tls_security_level regarding 'encypt'.
>
> If you find the proposed patch satisfactory from a technical aspect I
> will commit the patch locally for a specific use case which would fall
> under the category of 'dedicated servers'.

From technical point of view I would recommend moving the check
into ngx_mail_smtp_mail() function. Or, as already suggested, you
may want to avoid the patch altogether and use auth_http
restrictions instead.

> For your consideration, perhaps a configuration option of:
>
> starttls dedicated;
>
> With the proposed patch would meet both a use case and RFC requirement aspect.

This sounds confusing. If we really want all connections to
be restricted to TLS only, I would rather change "starttls only"
as in your initial suggestion.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel