We have the requirement to provide SSL on some IP addresses, but not others on 
our servers.

Providing SSL is the easy part and we're able to use multiple SSL certificates 
now.  (thanks Timo!)

All is working OK, but we have several IP hosts that do not require SSL and do not 
have valid certificates.

While we can limit access via a firewall ACL to TLS connect ports (993/995) we 
can't do so on port 110/143.  The problem is that some clients now are smart 
enough to look for an offered STARTTLS or STLS, and if it's offered, they try 
to use it.  While not normally a problem if you're set up for SSL with valid 
keys/certs, if you have a self-signed cert or no cert at all, it causes connection 
warnings and errors on the client side.

So is there any way possible to turn off advertising of TLS on a port, or turn it 
off/on per IP?


Something like:

ssl = yes
ssl_cert = </etc/ssl/cert/default.pem
ssl_key  = </etc/ssl/cert/default.pem

local 10.1.1.1 {
  protocol imap {
    ssl_cert = </etc/ssl/cert/site1.pem
    ssl_key  = </etc/ssl/cert/site1.pem
  }
  protocol pop3 {
    ssl_cert = </etc/ssl/cert/site1.pem
    ssl_key  = </etc/ssl/cert/site1.pem
  }
}

local 10.1.1.2 {
  ssl = no
}

*or*

ssl = no

local 10.1.1.1 {
  ssl = yes
  protocol imap {
    ssl_cert = </etc/ssl/cert/site1.pem
    ssl_key  = </etc/ssl/cert/site1.pem
  }
  protocol pop3 {
    ssl_cert = </etc/ssl/cert/site1.pem
    ssl_key  = </etc/ssl/cert/site1.pem
  }
}


-- 
Robert Blayzor
INOC, LLC
rblay...@inoc.net
http://www.inoc.net/~rblayzor/
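Whatever the server ends up configured with, the thing to verify afterwards is what each listener actually advertises to clients. The following is an added example, not part of the original post and not Dovecot code: it parses IMAP CAPABILITY and POP3 CAPA responses for STARTTLS/STLS and can probe a live host:port (hostnames, ports and the sample responses are constructed assumptions).

```python
import re
import socket

# Constructed sample responses, in the shape Dovecot sends them.
SAMPLE_IMAP_WITH_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Dovecot ready.\r\n"
SAMPLE_POP3_NO_TLS = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nRESP-CODES\r\n.\r\n"


def imap_capabilities(response):
    """Collect capability tokens from a greeting ([CAPABILITY ...]) or an untagged '* CAPABILITY' line."""
    caps = set()
    for line in response.splitlines():
        m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
        if m:
            caps.update(m.group(1).split())
        elif line.upper().startswith("* CAPABILITY "):
            caps.update(line.split()[2:])
    return {c.upper() for c in caps}


def pop3_capabilities(response):
    """Collect capability names from a CAPA reply; a '-ERR' reply means no CAPA support."""
    lines = response.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        return set()
    caps = set()
    for line in lines[1:]:
        if line.strip() == ".":
            break
        if line.strip():
            caps.add(line.split()[0].upper())
    return caps


def imap_advertises_starttls(response):
    return "STARTTLS" in imap_capabilities(response)


def pop3_advertises_stls(response):
    return "STLS" in pop3_capabilities(response)


def probe(host, port, protocol, timeout=5.0):
    """Connect in the clear, ask for capabilities, and report whether opportunistic TLS is offered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        cmd, end = (b"a1 CAPABILITY\r\n", "a1 ") if protocol == "imap" else (b"CAPA\r\n", ".")
        collected = f.readline().decode(errors="replace")  # greeting/banner
        f.write(cmd); f.flush()
        while True:
            line = f.readline().decode(errors="replace")
            collected += line
            if not line or line.startswith(end) or line.strip() == end:
                break
        f.write(b"a2 LOGOUT\r\n" if protocol == "imap" else b"QUIT\r\n"); f.flush()
    return imap_advertises_starttls(collected) if protocol == "imap" else pop3_advertises_stls(collected)
```

Run `probe("10.1.1.2", 143, "imap")` against each address after a config change; a listener that should not offer TLS must return `False`.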