Re: [Exim] Forcing tls authentication

Author: Philip Hazel
Date:  
To: Christopher Curtis
CC: Exim Users Mailing List
Subject: Re: [Exim] Forcing tls authentication
On Thu, 1 Nov 2001, Christopher Curtis wrote:

> Perhaps my understanding here is deficient, but here is the thing: I want
> people running a MUA to be forced to do TLS. This works now because I
> refuse to relay unless they are authenticated, and they can only
> authenticate via TLS. This fails for local->local delivery (I can force
> neither), but is the best I can get at this point. Nobody will be sending
> mail directly from the machine or from its network, and will be sending
> from various random networks from around the world as they travel.


I'm afraid I'm still not entirely clear about your requirement. Let me
try to rephrase it:

You want people running an MUA from a random network to be able to
relay if they are authenticated, and they must authenticate over TLS.

So far, so good. You can do this by setting

  auth_over_tls_hosts = *           <= must use TLS before AUTH
  host_auth_accept_relay = *        <= may relay if authenticated


> The problem with forcing authentication is that this forces remote SMTP
> servers to authenticate,


The word "force" here is confusing. As I said in an earlier message, you
can't "force" the remote server to do anything. All you can do is to
reject mail if they don't do something. So this is where I'm confused.

If a remote SMTP server does not authenticate, presumably you do not
want to accept messages for relaying from it (otherwise you are an open
relay), so this is why I can't see the problem.

> which none do, so no local mail is ever
> delivered.


What exactly do you mean by "local mail"? Exim should always accept mail
for any domains in local_domains, whether or not the sending host is
authenticated.

> But what I can't do is make it force AUTH
> if in TLS, which would solve the local->local problem.


I'm not clear about what you mean by "local->local". Do you mean "host
on local LAN relaying to another host on local LAN"? Or something to do
with local mailboxes on the server in question? If the former, you can
set hosts_accept_relay to allow hosts on your LAN to relay without any
other conditions.


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
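The behaviour Philip describes (AUTH offered only after STARTTLS, relaying refused unless authenticated, local domains always accepted) is something an administrator should verify from the outside rather than trust from the configuration file. The following script is an added example, not part of the original message and not Exim's own code: it speaks plain SMTP to a server with Python's standard smtplib and records what the server actually does. The host name, mailbox addresses and sender address are placeholders to be replaced with your own; the two pure functions encode the expected policy and can be checked offline with constructed EHLO feature lists.

```python
"""Probe an SMTP server for the TLS-before-AUTH relay policy (added example).

Expected server behaviour, as described in the message for an Exim 3
server with  auth_over_tls_hosts = *  and  host_auth_accept_relay = *:

  * AUTH is not offered on the plaintext EHLO, only after STARTTLS;
  * an unauthenticated client is refused relaying to a foreign domain;
  * mail for a domain in local_domains is accepted without AUTH.

All host names and addresses used here are assumptions for illustration.
"""
import smtplib
import ssl


def auth_only_after_tls(features_before, features_after):
    """Return True if AUTH is advertised only after STARTTLS.

    Both arguments have the shape of smtplib.SMTP.esmtp_features: a dict
    mapping the lower-cased EHLO keyword to its parameter string.
    """
    return "auth" not in features_before and "auth" in features_after


def relay_policy_ok(relay_code, local_code):
    """Return True if the unauthenticated RCPT to a foreign domain was
    refused with a permanent 5xx reply while the RCPT to a local domain
    was accepted with a 2xx reply."""
    return 500 <= relay_code < 600 and 200 <= local_code < 300


def probe(host, local_rcpt, foreign_rcpt, sender="probe@example.org", port=25):
    """Connect to `host` and collect the observations for the checks above.

    Returns (features_before, features_after, relay_code, local_code).
    This needs network access and is not exercised by the offline checks.
    """
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        before = dict(s.esmtp_features)          # plaintext EHLO response
        s.starttls(context=ssl.create_default_context())
        s.ehlo()                                  # EHLO must be repeated after STARTTLS
        after = dict(s.esmtp_features)           # features offered under TLS
        # Deliberately skip AUTH: the server should now refuse to relay.
        s.mail(sender)
        relay_code, _ = s.rcpt(foreign_rcpt)     # expect 5xx (relay not permitted)
        local_code, _ = s.rcpt(local_rcpt)       # expect 250 (domain in local_domains)
        s.rset()                                  # abandon the transaction, nothing is sent
    return before, after, relay_code, local_code


if __name__ == "__main__":
    # Placeholder values; replace with a real server and addresses you control.
    b, a, relay, local = probe("mail.example.org",
                               local_rcpt="someone@example.org",
                               foreign_rcpt="someone@example.net")
    print("AUTH only after TLS:", auth_only_after_tls(b, a))
    print("Relay refused / local accepted:", relay_policy_ok(relay, local))
```

The probe never sends a message: it stops after the RCPT replies and issues RSET, so it is safe to run against a production server. A server that advertises AUTH in the plaintext EHLO, or that answers 250 to the foreign-domain RCPT without authentication, fails the policy the message describes.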