Closed rimas-kudelis closed 7 years ago
We could change the condition (with IP range):
server_advertise_condition = ${if or{\
{!eq{$tls_cipher}{}}\
{match_ip {$sender_host_address}{@[]}}\
{match_ip {$sender_host_address}{192.168.1.1/24}}\
}\
{*}{}}
or port (which needs to be opened):
server_advertise_condition = ${if or{\
{!eq{$tls_cipher}{}}\
{match_ip {$sender_host_address}{@[]}}\
{eq{$received_port}{8825}}\
}\
{*}{}}
Or we combine both? Only on a specific port from a specific IP range?
We can also remove this from the default configuration and move this feature to the documentation only.
Or we just remove it, we can put my examples in the wiki. If people really need it, they can put it there and we don't clutter our config files (hoping that it is not needed).
In #210 we had a conversation about whether or not to keep support for the AUTH_SERVER_ALLOW_NOTLS_PASSWORDS macro, which, if enabled, allows authentication over unsecured connections. The arguments in favor of this feature are that there might be scanners/copiers or other hardware which would need to send emails, but don't support modern TLS ciphers. This is a good point, but I'm still reluctant to leave this feature as it is. Perhaps we could use a hostlist instead of a boolean variable, to make this insecurity possible, but only for selected hosts?
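The combined variant asked about in the thread (advertise AUTH without TLS only to a given IP range and only on a given port), written out as an added example; it is not code from the project or from any participant. The range and port are the sample values from the snippets above, and the nested `and{...}` is the only new part.

```exim
# Added example: offer AUTH when the session is encrypted, when the client is
# one of this host's own interface addresses, or when BOTH the source range
# and the listening port match.
# 192.168.1.1/24 and 8825 are the sample values used in the thread.
server_advertise_condition = ${if or{\
    {!eq{$tls_cipher}{}}\
    {match_ip{$sender_host_address}{@[]}}\
    {and{\
        {match_ip{$sender_host_address}{192.168.1.1/24}}\
        {eq{$received_port}{8825}}\
    }}\
  }\
  {*}{}}
```

Hosts that match only the third branch still send their credentials unencrypted, so this narrows which clients are offered plaintext AUTH rather than protecting the password in transit.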