I would like to only allow auth after TLS is started.  It doesn't look
like the current smtpd-auth patch does that.
According to RFC 2487,

   The client
   MUST discard any knowledge obtained from the server, such as the list
   of SMTP service extensions, which was not obtained from the TLS
   negotiation itself.

so that, theoretically, you could just not list AUTH until after a
successful STARTTLS.  It appears the easiest way to do this in qmail would
be to just duplicate the array of SMTP commands, with the initial one
lacking AUTH (this also appears the most foolproof way).

Does anyone know of widely used clients that don't conform to this part
of the RFC?

Lynn
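
The two-table idea from the message above, as an added C sketch that is not part of the original post and is not qmail or smtpd-auth patch code; every name, table entry and reply code in it is a hypothetical stand-in. Because AUTH is missing from the pre-TLS table, it is both unadvertised and refused there, so a client that sends AUTH without consulting the EHLO list is still turned away.

```c
/* Added illustration with hypothetical names; not qmail or smtpd-auth patch code. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
struct cmd { const char *verb; int reply; };  /* reply: code a stub handler sends */
/* Before STARTTLS: no AUTH entry, so AUTH is neither listed nor accepted. */
static const struct cmd cmds_plain[] = {
  {"EHLO", 250}, {"STARTTLS", 220}, {"MAIL", 250}, {"QUIT", 221}, {NULL, 0}
};
/* After a successful handshake: AUTH appears and STARTTLS is dropped. */
static const struct cmd cmds_tls[] = {
  {"EHLO", 250}, {"AUTH", 334}, {"MAIL", 250}, {"QUIT", 221}, {NULL, 0}
};

struct session { const struct cmd *table; };
void session_init(struct session *s) { s->table = cmds_plain; }

/* Case-insensitive match of the verb at the start of a command line. */
static const struct cmd *lookup(const struct session *s, const char *line)
{
  const struct cmd *c;
  for (c = s->table; c->verb; c++) {
    size_t n = strlen(c->verb);
    if (!strncasecmp(line, c->verb, n) &&
        (line[n] == '\0' || line[n] == ' ' || line[n] == '\r'))
      return c;
  }
  return NULL;
}

/* EHLO builds its extension list from the active table, so what is
   advertised and what is accepted cannot drift apart. */
int advertises(const struct session *s, const char *ext) { return lookup(s, ext) != NULL; }

/* Returns the SMTP reply code; 502 is this sketch's choice for unknown verbs. */
int dispatch(struct session *s, const char *line)
{
  const struct cmd *c = lookup(s, line);
  if (!c) return 502;
  if (!strcmp(c->verb, "STARTTLS")) s->table = cmds_tls; /* handshake assumed OK */
  return c->reply;
}

int main(void)
{
  struct session s; session_init(&s);
  int before = dispatch(&s, "AUTH PLAIN dGVzdA==");  /* constructed sample input */
  dispatch(&s, "STARTTLS");
  printf("AUTH before TLS: %d, after: %d\n", before, dispatch(&s, "AUTH PLAIN dGVzdA=="));
}
```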

