> No, the connect hook has already fired by the time that the TLS connection is
> established.
But if the switch to TLS has basically the same effect as opening a new
connection, we should probably run the connect-hook again at that time.
Or we could have an additional 'connect_tls' (or 'connect_restart'?)
hook (which could also be used on port 465 for the deprecated ssmtp).
> That happens later at STARTTLS (by hooking into unrecognized_command),
> which is typically immediately after EHLO has completed.
So maybe the unrecognized_command hook should have a possible return
value of 'RESTART' which signals the core to restart the connection.
I consider TLS being implemented by unrecognized_command unclean anyway. We
should probably have a special TLS hook, and TLS is only offered by the core
if a plugin is installed into the TLS hook (like AUTH is implemented). This
would also allow having more than one TLS plugin, for example a generic
plugin first, starting an encrypted connection, and a second plugin next,
checking e.g. a client certificate. Would be more flexible imho.
As a side note and preliminary information: I'm proud to tell you that there
will be a printed article about qpsmtpd in one of the next issues of the
German magazine 'iX' written by me :-)
Regards
Michael
--
It's an insane world, but I'm proud to be a part of it. -- Bill Hicks
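To make the two design points in the message above concrete (a dedicated TLS hook that the core only advertises when a plugin is registered, with plugins chained so a generic handshake plugin can be followed by a certificate-checking one, and a RESTART return value that makes the core re-run the connect hooks once the encrypted leg is up), here is a small, language-neutral model of such a dispatcher. It is an added example written for this page, not qpsmtpd code and not the qpsmtpd plugin API: the `Core`, `Session`, `Result` names, the plugin functions, the peer addresses and the client-certificate table are all constructed for illustration.

```python
from enum import Enum


class Result(Enum):
    """Values a plugin hands back to the core. DECLINED/OK/DENY follow the usual
    hook convention; RESTART is the extra value proposed in the thread."""
    DECLINED = "declined"  # not handled here, ask the next plugin in the chain
    OK = "ok"              # handled, stop the chain
    DENY = "deny"          # refuse, stop the chain
    RESTART = "restart"    # transport was reset, the core must re-run the connect hooks


class Session:
    """Per-connection state. Everything learned on the plaintext leg is thrown
    away when the connection is restarted after STARTTLS."""

    def __init__(self, peer_ip):
        self.peer_ip = peer_ip
        self.tls = False
        self.client_cert = None
        self.helo = None
        self.connect_runs = 0   # how often the connect hooks ran for this session
        self.notes = {}


class Core:
    def __init__(self):
        self.hooks = {"connect": [], "tls": [], "helo": []}

    def register(self, hook, plugin):
        self.hooks[hook].append(plugin)

    def run_hook(self, hook, session):
        """Call the plugins in registration order; DECLINED passes to the next one."""
        for plugin in self.hooks[hook]:
            result = plugin(session)
            if result is not Result.DECLINED:
                return result
        return Result.DECLINED

    def connect(self, session):
        session.connect_runs += 1
        return self.run_hook("connect", session)

    def ehlo(self, session, name):
        """STARTTLS is only advertised if a TLS plugin exists and TLS is not yet up."""
        session.helo = name
        caps = ["PIPELINING", "8BITMIME"]
        if self.hooks["tls"] and not session.tls:
            caps.append("STARTTLS")
        return caps

    def starttls(self, session):
        if not self.hooks["tls"] or session.tls:
            return "502 Command not implemented"      # never offered, so reject it
        if session.helo is None:
            return "503 Send EHLO first"
        result = self.run_hook("tls", session)
        if result is Result.RESTART:
            # New transport underneath: forget the plaintext EHLO and any notes,
            # then run the connect hooks again for the encrypted leg.
            session.helo = None
            session.notes.clear()
            self.connect(session)
            return "220 Ready to start TLS"
        session.tls = False   # DENY, or no plugin completed the handshake
        return "454 TLS not available due to temporary reason"


# Constructed sample data: which peers present which client certificate.
CONSTRUCTED_CLIENT_CERTS = {
    "192.0.2.10": {"subject": "CN=relay.example", "valid": True},
    "192.0.2.20": {"subject": "CN=expired.example", "valid": False},
}


def connect_log(session):
    """Hypothetical connect plugin: records which leg it saw."""
    session.notes["leg"] = "tls" if session.tls else "plaintext"
    return Result.DECLINED


def tls_handshake(session):
    """Hypothetical generic TLS plugin: brings the encrypted channel up, then
    declines so later plugins in the chain can inspect the result."""
    session.tls = True
    session.client_cert = CONSTRUCTED_CLIENT_CERTS.get(session.peer_ip)
    return Result.DECLINED


def tls_check_client_cert(session):
    """Hypothetical second TLS plugin: rejects an invalid presented certificate,
    otherwise asks the core to restart the connection on the new transport."""
    cert = session.client_cert
    if cert is not None and not cert["valid"]:
        return Result.DENY
    return Result.RESTART


def simulate(peer_ip, with_tls_plugins=True):
    """Drive one session through connect, EHLO and STARTTLS; return what happened."""
    core = Core()
    core.register("connect", connect_log)
    if with_tls_plugins:
        core.register("tls", tls_handshake)
        core.register("tls", tls_check_client_cert)
    session = Session(peer_ip)
    core.connect(session)
    caps = core.ehlo(session, "client.example")
    reply = core.starttls(session)
    return {"caps": caps, "starttls": reply, "connect_runs": session.connect_runs,
            "tls": session.tls, "leg": session.notes.get("leg")}


if __name__ == "__main__":
    for ip, plugins in (("192.0.2.10", True), ("192.0.2.20", True), ("192.0.2.10", False)):
        print(ip, "tls plugins" if plugins else "no tls plugins", simulate(ip, plugins))
```

The point to check in the simulation is `connect_runs`: with the chain in place and a valid certificate the connect hooks run twice (once per transport leg) and the note left by the plaintext leg is gone, whereas a DENY from the certificate check leaves the session on its first leg with TLS marked off, and with no TLS plugin registered STARTTLS is neither advertised nor accepted.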