<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>You could use something like 'stunnel' to protect arbitrary connections between hosts. Lmtp is normally for connections between services on the same host, so I'm not surprised that Cyrus isn't using tls for it.</div><div id="AppleMailSignature"><br>Marty Lee<div>Maui Systems Ltd</div><div><br></div></div><div><br>On 14 Jun 2016, at 10:16, qyb via Cyrus-devel <<a href="mailto:cyrus-devel@lists.andrew.cmu.edu">cyrus-devel@lists.andrew.cmu.edu</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">I use "lmtpd -a" listen on a NIC interface and receive lmtp request from a remote postfix instance. Now preauth works, but mail data was transfered without encryption.<div><br></div><div>I guess the commit your mentioned disabled startssl because the author think we just need ssl to protect PLAIN Password auth request.. Personally, I think all mail data should be encrypted in internet transfer.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 14, 2016 at 9:25 AM, ellie timoney via Cyrus-devel <span dir="ltr"><<a href="mailto:cyrus-devel@lists.andrew.cmu.edu" target="_blank">cyrus-devel@lists.andrew.cmu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div><span class=""><div>On Wed, Jun 1, 2016, at 03:28 AM, qyb via Cyrus-devel wrote:<br></div>
<blockquote type="cite"><div dir="ltr"><div>I noticed that cyrus disable TLS on preauth'd connection.<br></div>
<div><div> </div>
<div>Authentication info(plain password...) need TLS protection. And I think that RFC822 text also need TLS.<br></div>
</div>
</div>
</blockquote><div> </div>
</span><div>Can you expand on this a bit?<br></div>
<div> </div>
<div>As far as I understand, connections are only ever preauth'd when they come in via UNIX-domain sockets, which are inherently local. What are you trying to protect, and from whom?<br></div>
<div> </div>
<div>For what it's worth, it looks like STARTTLS used to work (at least to some degree) for preauth'd LMTP, but was explicitly disabled in 2001 by this commit:<br></div>
<div><a href="https://cgit.cyrus.foundation/cyrus-imapd/commit/?id=b93e6be5b19362f9e295b40ceb81b702d73de6bb" target="_blank">https://cgit.cyrus.foundation/cyrus-imapd/commit/?id=b93e6be5b19362f9e295b40ceb81b702d73de6bb</a><br></div>
<div>So I guess you might be able to re-enable it by doing the inverse of that, though I'm not really seeing the point?<br></div>
</div>
</blockquote></div><br></div>
</div></blockquote></body></html>