Old clients: SSL issue and no_tls_hosts about haraka HOT 5 CLOSED

Authentication is not allowed unless the connection is secured. This is a design choice for security. Ways to handle this (from worse to better):

1. disable the secure connection check in the authentication plug-in. This is a very bad idea, but it would work.
2. upgrade your Java apps to use modern (and secure) TLS.
3. Enable relaying for just those Java 8 apps by their IP address with the relay plugin. Then they don't need to AUTH.

from haraka.

Authentication is not allowed unless the connection is secured. This is a design choice for security. Ways to handle this (from worse to better):

1. disable the secure connection check in the authentication plug-in. This is a very bad idea, but it would work.
2. upgrade your Java apps to use modern (and secure) TLS.
3. Enable relaying for just those Java 8 apps by their IP address with the relay plugin. Then they don't need to AUTH.

Hi,

I've done step 3 in the past and it's still active (but maybe something changed with v3?) and it doesn't work. Could it be that relay.ini has acl=true set? Otherwise I got the IP in relay_acl_allow set.

Thank you for the swift response :)

from haraka.

You definitely need acl=true to enable the ACL processing, and you need the relay plug-in enabled in config/plugins. You should be getting relay messages in your log entries that provide clues.

from haraka.

Yes, I've figured :)

It always fails at SSL with "...SSL routines:tls_early_post_process...".

I will install sendmail on those Java machines and relay them to Haraka. It's easier to do than to figure out what is going on and fiddle with those "damn" Java settings :)

from haraka.

Oh, you need to add the IPs of the clients to the no_tls_hosts (double check in tls docs) so Haraka doesn't offer them STARTTLS.

from haraka.