> No, the connect hook has already fired by the time that the TLS connection is
> established.

But if the switch to TLS has basically the same effect as opening a new connection, we should probably run the connect-hook again at that time. Or we could have an additional 'connect_tls' (or 'connect_restart'?) hook (which could also be used on port 465 for the deprecated ssmtp).

> That happens later at STARTTLS (by hooking into unrecognized_command),
> which is typically immediately after EHLO has completed.

So maybe the unrecognized_command hook should have a possible return value of 'RESTART' which signals the core to restart the connection.

I consider TLS being implemented by unrecognized_command unclean anyway. We should probably have a special TLS-Hook and TLS is only offered by the core if a plugin is installed into the TLS-Hook (like AUTH is implemented). This would also allow us to have more than one TLS-Plugin, for example a generic plugin first, starting an encrypted connection, and a second plugin next, checking e.g. a client certificate. Would be more flexible imho.

As a side note and preliminary information: I'm proud to tell you that there will be a printed article about qpsmtpd in one of the next issues of the German magazine 'iX' written by me :-)

Regards
Michael

--
It's an insane world, but i'm proud to be a part of it. -- Bill Hicks