Are options secure, allowInsecureAuth, authMethods, disabledCommands ['STARTTLS'] complementary ?

[ceraz68]

I have two test clients connecting with [‘PLAIN’, ‘LOGIN’] authentication using basic passwords (testusr/testpassword) without using certificates. One client connects successfully when options.secure=true (the client cannot disable SSL/TLS authentication). The other client can connect when options.secure=false (the client can only enable/disable SSL nothing about TLS support).

Maybe you can help me if I've understood the smtp-server options correctly so that both can connect.

• The wiki states that the default is secure.options = false and it is assumed that the STARTTLS command is enabled (as it can be disabled).

Question 1: So by default the server accepts incoming connections over TLS only. Correct?

• For options.authMethods, the wiki states that "Authentication is only allowed in secure mode (either the server is started with secure:true option or STARTTLS command is used)"

Question 2: Setting options.secure= true and options.disabledCommands ['STARTTLS'] would appear to be contradictory. The wiki doesn't explain if there is any difference between options.secure and STARTTLS or whether one setting is priority of over the other. Can someone explain if there are any differences?

• For options.allowInsecureAuth, the wiki states "allows authentication even if connection is not secured first"

Question 3: Does allowinsecureAuth work in relation to options.secure, the STARTTLS command or both?

Thanks for your help

[ceraz68]

I post my conclusions in case someone needs some input. Thanks for this great product.

The client support wasn't documented which made be question the options. By trial and error I discovered that one client only supports secured connections and no STARTTLS while the other client only supports insecure connections or secured via STARTTLS. In the end I was forced to run two SMTP servers on different port numbers like 2525 etc

My conclusion is that if secure is true, the server will refuse clients that only support STARTTLS.

=== My tests ====

If secure is true:

• In the console, the server logs “Secure SMTP Server” at startup. All client connections requests must be secured with TLS.
• During the connection the server does not advise support for STARTTLS (as this implies an initial insecure connection).
• Client authentication proceeds over TLS but can be made optional by setting options.authOptional to true
• Client authentication can be disabled, ie disabledCommands: ['AUTH']

If secure is false

• In the console, the server logs “SMTP Server” at startup.
• Insecure client connections will be upgraded to TLS as by default the server advertises support for STARTTLS.
• Clients that support secure connections-only and not STARTTLS, cannot connect (they need secure to be true).
• The server can accept insecure connections (no upgrading to TLS) if authorised by options.allowInsecureAuth or disabled with disabledCommands: ['STARTTLS'].
• Client authentication proceeds but can be made optional by setting options.authOptional to true
• Client authentication can be disabled, ie disabledCommands: ['AUTH']