On Feb 15 Philip Hazel wrote:
>The only facility is -tls-on-connect, for legacy clients that use smtps.
>The recommendation is to use inetd to handle this "second version of
>Exim", which of course doesn't actually have to be a second version.
You only need one configuration file and two daemons. No inetd or friends.
Here is a recipe which listens on 25, 465 (ssmtp) and 587 on all local
IPv4 interfaces. It requires either ESMTP AUTH or a client TLS certificate
on port 587, but only advertises AUTH to an SSL/TLS session or localhost.
Maybe others will find this useful. (You need to create your server
certificate, and client certs must be signed by CA-file.pem.)
To start Exim (requires Exim >= 4.03):
exim -bd -q10m
exim -bd -oX '[0.0.0.0]::465' -tls-on-connect
...and in exim.conf (main section):
local_interfaces = <; [0.0.0.0]:25; [0.0.0.0]:587
auth_advertise_hosts = ${if eq{$tls_cipher}{}{localhost}{*}}
tls_advertise_hosts = *
tls_try_verify_hosts = ${if eq{$interface_port}{587}{*}{}}
tls_certificate = /etc/exim/server-cert.pem
tls_privatekey = /etc/exim/server-key.pem
tls_verify_certificates = /etc/exim/CA-file.pem
...and in your RCPT ACL (near the top):

  # authenticated sessions, provided they are also encrypted
  accept authenticated = *
         encrypted = *

  # encrypted sessions presenting a client certificate signed by CA-file.pem
  accept encrypted = *
         verify = certificate

  # on 587 nothing else gets through: after endpass a failing condition
  # turns this accept into a deny with the message below
  accept condition = ${if eq{$interface_port}{587}{1}{0}}
         endpass
         message = SMTP AUTH or client SSL certificate required for port 587
         authenticated = *
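A small probe to confirm that a running Exim really behaves as the recipe intends (AUTH only after TLS, STARTTLS on 25 and 587, implicit TLS on 465, unauthenticated RCPT refused on 587). This is an added example, not code from the post or from Exim; it assumes the server hostname is given as the first argument, that it is run from a host other than the server itself (localhost is deliberately allowed AUTH in the clear), and that the CA which signed server-cert.pem is passed as cafile or is already trusted.

```python
import smtplib
import ssl
import sys

def ehlo_keywords(ehlo_reply: bytes) -> set:
    """Keywords (upper-cased) from a raw EHLO reply; line 1 is the greeting,
    the rest look like "250-AUTH PLAIN LOGIN" or, last, "250 HELP"."""
    keywords = set()
    for line in ehlo_reply.decode("ascii", "replace").splitlines()[1:]:
        body = line[4:].strip()
        if body:
            keywords.add(body.split()[0].upper())
    return keywords

def policy_findings(port: int, clear_kw: set, tls_kw: set) -> list:
    """clear_kw: keywords seen before STARTTLS (empty for implicit TLS on 465);
    tls_kw: keywords seen once encrypted. Returns deviations from the recipe."""
    findings = []
    if "AUTH" in clear_kw:
        findings.append(f"port {port}: AUTH advertised in the clear")
    if port != 465 and "STARTTLS" not in clear_kw:
        findings.append(f"port {port}: STARTTLS not offered")
    if "AUTH" not in tls_kw:
        findings.append(f"port {port}: AUTH not advertised even over TLS")
    return findings

def probe(host: str, port: int, cafile: str = None) -> list:
    """Connect to one listener; return policy findings (empty list = as intended)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CA that signed server-cert.pem
    if port == 465:  # smtps: TLS from the first byte, nothing is ever in the clear
        with smtplib.SMTP_SSL(host, port, context=ctx) as s:
            s.ehlo()
            return policy_findings(port, set(), {k.upper() for k in s.esmtp_features})
    with smtplib.SMTP(host, port) as s:
        s.ehlo()
        clear = {k.upper() for k in s.esmtp_features}
        s.starttls(context=ctx)
        s.ehlo()  # extensions are announced afresh after STARTTLS
        findings = policy_findings(port, clear, {k.upper() for k in s.esmtp_features})
        if port == 587:  # no AUTH, no client cert: the RCPT ACL must refuse us
            s.docmd("MAIL FROM:<probe@example.test>")  # constructed addresses
            code, _ = s.docmd("RCPT TO:<postmaster@example.test>")
            if code == 250:
                findings.append("port 587: unauthenticated RCPT accepted over TLS")
        return findings

if __name__ == "__main__":  # run from a remote host: localhost is allowed AUTH in the clear
    for port in (25, 465, 587):
        print(port, probe(sys.argv[1], port) or "as intended")
```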