Thanks for this very useful, may contact you about how you did the
different acles for different ports.
Ron
On Thu, 2004-07-01 at 14:25, Dennis Davis wrote:
> >From: Ron McKeating <R.J.Mckeating@???>
> >To: "Exim-Users (E-mail)" <exim-users@???>
> >Subject: [Exim] SMTP
> >Date: Wed, 30 Jun 2004 12:40:32 +0100
> >
> >I am trying very hard to make the case to our management that
> >we should do authenticated smtp through our servers from off
> >campus. The response I am getting is "What do others do?".
>
> We offer this on our outward facing mail servers. Brief details are
> at:
>
> http://www.bath.ac.uk/bucs/email/offcampus.shtml
>
> but these details do need expanding. For example, there's no
> details of client configuration. We do need to document this better
> as I would like to push this service a bit harder than we do now.
>
> >In general is that the accepted way of doing things. Is that the
> >'only' proper way to allow your users to route through your servers
> >from off site.
>
> Alternatives include webmail and offering a VPN service. We offer
> both. Our webmail service is on:
>
> https://webmail.bath.ac.uk/
>
> and details of VPN are at:
>
> http://www.bath.ac.uk/bucs/ad/vpn/
>
> Users can also ssh into one of our unix servers and then use pine.
>
> >We obviously do not wish to be an open relay, and I have already
> >issued dire warnings of blacklisting if we do it any other way.
>
> Quite. It's bad enough when the useless oiks at SpamCop can't
> analyse trace information and falsely accuse you of being the source
> of spam. I've seen outside mail servers blacklisted withing a few
> short hours of being brought into service. Just because they're an
> open relay.
>
> >We have bought wildcard (multiple domains on one certificate) ssl
> >certificates from geotrust so it will all be encrypted.
>
> We got ours (Common Name: smtphost.bath.ac.uk) from Thawte. The
> exim daemon on smtphost.bath.ac.uk listens on both port 25 (SMTP)
> and 587 (MSA). I use a different acl_smtp_rcpt for each port. The
> acl_smtp_rcpt for port 587 is somewhat simpler (eg no RBLs). I
> insist on high or medium grade TLS ciphers. Authentication is
> against our kerberos server using the Cyrus saslauthd.
>
> Judging from comments in this thread it looks like I might have to
> set up an exim daemon listening on port 465 (SMTPS). I'd hoped to
> avoid this.
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
--
Ron McKeating
Senior IT Services Specialist
Internet Services and Software Solutions
Loughborough University
01509 222329
