Re: [Exim] TLS versus SMTPS

Author: James P. Roberts
Date:  
To: Tony Finch
CC: exim-users
Subject: Re: [Exim] TLS versus SMTPS
----- Original Message -----
From: "Tony Finch" <dot@???>

> "James P. Roberts" <punster@???> wrote:
> >
> >(1) upgrade from Exim 4.02 so I can use --tls-on-connect on port 465, instead
> >of going through Stunnel. If I do this, will $tls_cipher be non-blank?
>
> Yes.


Good. That's my long-term solution, then.

>
> >I just realized that option (2) will not work, because the port number 465 is
> >probably "lost" by the Stunnel process, just like the remote host IP is
> >"lost." It looks like a connection to port 25, from localhost. (Can one test
> >the REMOTE port number? If so, would 465 be the actual remote port number for
> >this configuration? That's probably a Stunnel question...)
>
> The remote port number will be some effectively random number, and in any
> case Exim will see the stunnel's port number -- it cannot see anything about
> the client's connection.
>
> Note that the stunnel setup can turn your email server into an open relay,
> if you don't have the proper access controls set up by xinetd or stunnel.
> (Exim's controls are useless because it knows nothing about the client.)


Not exactly. Instead, I require authentication to relay, even from localhost.
This prevents the Stunnel path from creating an open relay. (Thanks again to
the list for pointing this out to me a couple years ago when I originally set
it up).

Jim
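An added example, not from this thread and not Exim's own shipped configuration, of the relay policy Jim describes: an Exim 4 RCPT ACL that grants relay only to authenticated sessions, so a connection handed over by a local stunnel (which Exim sees as 127.0.0.1 on port 25) cannot relay on its own. The list names (+local_domains, +relay_to_domains, +relay_from_hosts), the domain example.com and the ACL name are assumptions.

```exim
# Added example: relay policy that does not trust localhost.
# Names and domains below are assumed, not taken from the thread.

domainlist local_domains    = @ : example.com
domainlist relay_to_domains =
# Deliberately empty: 127.0.0.1 is NOT listed, so mail arriving via a
# local stunnel gets no relay rights from its source address alone.
hostlist   relay_from_hosts =

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Non-SMTP submissions from local processes have an empty host.
  accept  hosts = :

  # Mail addressed to our own domains is always accepted here.
  accept  domains = +local_domains

  # Relay only after a successful SMTP AUTH. This applies equally to a
  # native tls_on_connect session (where $tls_cipher is set) and to the
  # plaintext hop from stunnel; encryption alone grants nothing.
  accept  authenticated = *

  # Trusted networks, if any. The list is empty above, so the
  # stunnel path (localhost) does not match this rule.
  accept  hosts = +relay_from_hosts

  # Everything else is an attempted relay and is refused.
  deny    message = relay not permitted
```

Check the result with `exim -bh 127.0.0.1` (a simulated SMTP session from localhost): an unauthenticated RCPT TO for a foreign domain should be answered with "relay not permitted".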