Auteur: James P. Roberts Date: À: Tony Finch CC: exim-users Sujet: Re: [Exim] TLS versus SMTPS
----- Original Message -----
From: "Tony Finch" <dot@???>
> "James P. Roberts" <punster@???> wrote:
> >
> >(1) upgrade from Exim 4.02 so I can use --tls-on-connect on port 465, instead > >of going through Stunnel. If I do this, will $tls_cipher be non-blank?
>
> Yes.
Good. That's my long-term solution, then.
>
> >I just realized that option (2) will not work, because the port number 465 is > >probably "lost" by the Stunnel process, just like the remote host IP is
> >"lost." It looks like a connection to port 25, from localhost. (Can one test > >the REMOTE port number? If so, would 465 be the actual remote port number for > >this configuration? That's probably a Stunnel question...)
>
> The remote port number will be some effectively random number, and in any
> case Exim will see the stunnel's port number -- it cannot see anything about
> the client's connection.
>
> Note that the stunnel setup can turn your email server into an open relay,
> if you don't have the proper access controls set up by xinetd or stunnel.
> (Exim's controls are useless because it knows nothing about the client.)
Not exactly. Instead, I require authentication to relay, even from localhost.
This prevents the Stunnel path from creating an open relay. (Thanks again to
the list for pointing this out to me a couple years ago when I originally set
it up).