At 00:48 -0700 Mark Edwards wrote:
>1) Is it possible to require clients to make secure SMTP connections? I
>see that you can make Exim request a certificate with tls_verify_hosts and
>fail if the client doesn't provide one, but is it possible to simply make
>Exim only authenticate SMTP connections using SSL? My guess is no, because
>that would interfere with normal delivery of mail, but am I right?
Use the ACLs. Here are some tips (a.b.c.d is the IP address of the external
interface you want to listen on):
main config:
  local_interfaces = <; [a.b.c.d]:25; [a.b.c.d]:587; \
                        [127.0.0.1]:25; [127.0.0.1]:587
  auth_advertise_hosts = ${if eq{$tls_cipher}{}{localhost}{*}}
  tls_try_verify_hosts = ${if eq{$interface_port}{587}{}{*}}
(this last line is for MUAs like Netscape 4 which grumble at the user if a
client cert is asked for, but one isn't available. Just point them at
a.b.c.d:587.)
near the top of your RCPT ACL:
  accept authenticated = *
         encrypted = *
  accept encrypted = *
         verify = certificate
  accept condition = ${if eq{$interface_port}{587}{1}{0}}
         endpass
         message = AUTH required for port 587
         authenticated = *
your AUTH ACL:
  accept encrypted = *
  accept condition = ${if eq{${uc:$smtp_command_argument}}{CRAM-MD5}{yes}{no}}
  accept hosts = localhost
  deny   message = STARTTLS required before AUTH
>2) I have Exim set up to advertise TLS/SSL to all hosts, using a
>self-signed certificate. It works with most hosts, but Outlook Express Mac
>fails if I have "use SSL" checked. Is this just because of the
>self-signing, or is there some trick to making Outlook Express work with
>Exim using SSL?
There are two ways to do SSL. Lookout Express tends to use the "ssmtp"
variant on port 465 where the whole conversation is encrypted. Use
"stunnel -d 465 -r 587" to slot into the above config, but it'll look like
all your mail has come from localhost.
Alternatively use the -tls-on-connect option. Unfortunately this is only a
command-line option, and you can't do something snazzy like:
  tls_on_connect = ${if eq{$interface_port}{465}{1}{0}}
HTH,
Matt
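A check you can run against a server configured along the lines above, added here and not part of the thread or of Exim: it reads the EHLO extension list before and after STARTTLS and confirms that AUTH is offered only inside TLS, which is what the auth_advertise_hosts / $tls_cipher trick is meant to achieve. The host name and the two EHLO responses are constructed samples.

```python
"""Verify that an SMTP submission port advertises AUTH only after STARTTLS.
Constructed example, not Exim's own code."""
import smtplib
import ssl


def parse_ehlo(ehlo_text):
    """Return the set of extension keywords from an EHLO response body.

    Takes what smtplib stores in SMTP.ehlo_resp (bytes, lines joined by
    newline, first line being the server greeting)."""
    if isinstance(ehlo_text, bytes):
        ehlo_text = ehlo_text.decode("latin-1")
    lines = ehlo_text.splitlines()[1:]          # drop the greeting line
    # some servers send the old "AUTH=CRAM-MD5" form; treat it as AUTH
    return {line.replace("=", " ", 1).split()[0].upper()
            for line in lines if line.strip()}


def auth_policy_ok(plain_ext, tls_ext):
    """plain_ext: extensions seen before STARTTLS; tls_ext: seen after.
    Returns (ok, reason)."""
    if "AUTH" in plain_ext:
        return False, "AUTH advertised on an unencrypted session"
    if "STARTTLS" not in plain_ext:
        return False, "STARTTLS not advertised"
    if "AUTH" not in tls_ext:
        return False, "AUTH not advertised after STARTTLS"
    return True, "AUTH offered only inside TLS"


def check_server(host, port=587):
    """Live check against a real server (not run offline): EHLO, STARTTLS,
    EHLO again, then compare the two extension lists."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # self-signed cert, as in the thread
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        plain = parse_ehlo(s.ehlo_resp)
        s.starttls(context=ctx)
        s.ehlo()                    # extensions must be re-read after TLS
        return auth_policy_ok(plain, parse_ehlo(s.ehlo_resp))


# Constructed EHLO responses standing in for the two phases of one session
PLAIN_EHLO = b"mail.example.org Hello client\nSIZE 52428800\nSTARTTLS\nHELP"
TLS_EHLO = b"mail.example.org Hello client\nSIZE 52428800\nAUTH CRAM-MD5 PLAIN\nHELP"

if __name__ == "__main__":
    print(auth_policy_ok(parse_ehlo(PLAIN_EHLO), parse_ehlo(TLS_EHLO)))
```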