Author: James P. Roberts
Date:
To: Matt Bernstein
CC: exim-users
Subject: Re: [Exim] TLS versus SMTPS
----- Original Message -----
From: "Matt Bernstein" <mb@???>
> On Dec 8 James P. Roberts wrote:
>
> >(1) upgrade from Exim 4.02 so I can use --tls-on-connect on port 465, instead
> >of going through Stunnel. If I do this, will $tls_cipher be non-blank? Or is
> >there another way to validate that the connection is encrypted, when using
> >smtps?
>
> Yes, yes and NULL. Off the top of my head:
>
> auth_advertise_hosts = ${if eq{$tls_cipher}{}{localhost}{*}}
> tls_advertise_hosts = *
> <snip>
> AUTH ACL:
> <snip>
> accept hosts = localhost
Cool. GMTA ;)
In fact, last night, I implemented that (although I used "127.0.0.1" instead
of "localhost"). (I gather that "localhost" is preferred? I will try that.)
Anyway, it worked! A connection to port 465 is decrypted by Stunnel and
redirected to port 25. Exim sees it as unencrypted; thus, Exim sets
"auth_advertise_hosts = localhost". The Stunnel connection appears (to Exim)
to be from localhost, so Exim advertises AUTH. The Win XP/OE client sees
this, and attempts login, as it should. In the auth ACL, we again make an
exception for localhost sender, which is what Stunnel appears to be.
I think this will also work if I send messages manually from localhost.
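As an added illustration of the arrangement discussed in this thread (not configuration posted by either of the participants), here are the two variants of the AUTH gating side by side: first the Stunnel-on-465 setup, where Exim sees a plaintext session from 127.0.0.1, then a daemon that does TLS itself with -tls-on-connect, where the check reduces to "is the session encrypted". The ACL name acl_check_auth and the stunnel.conf fragment are assumptions, not taken from the thread.

```exim
# --- Variant A: Stunnel terminates TLS on 465 and forwards to port 25 ---
# Assumed stunnel.conf fragment (not from the thread):
#   [smtps]
#   accept  = 465
#   connect = 25
#
# Exim sees the forwarded session as unencrypted and coming from
# 127.0.0.1, so AUTH is advertised either when the session is
# encrypted or when the peer is the local forwarder.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{127.0.0.1}{*}}
tls_advertise_hosts  = *

# Run this ACL for every AUTH command (acl_check_auth is an assumed name).
acl_smtp_auth = acl_check_auth

begin acl

acl_check_auth:
  # Caveat for the defender: every local client on 127.0.0.1 gets this
  # exemption, not only Stunnel, so anything else on the box may AUTH
  # in the clear. Keep the host list as narrow as possible.
  accept hosts     = 127.0.0.1
  # Any cipher suite at all counts as encrypted.
  accept encrypted = *
  deny   message   = AUTH is only accepted over an encrypted session

# --- Variant B: Exim itself handles TLS on 465 (daemon run with
# -tls-on-connect, on a version that supports it) ---
# $tls_cipher is then set for the on-connect session, so the localhost
# exemption can be dropped; an empty host list means "never advertise
# AUTH on a plaintext session".
#
# auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
#
# acl_check_auth:
#   accept encrypted = *
#   deny   message   = AUTH is only accepted over an encrypted session
```

Variant B is the one to move to once the upgrade is done: with the forwarder gone, nothing on the host is trusted merely for being local.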