Author: Jakob Hirsch
Date:
To: user therion
CC: Exim Users
Subject: Re: [exim] Re: help on TLS for ext. connection
user therion wrote:
> in advance another question. Do I need to allow a
> specific SMTP-header in my firewall to use TLS on
> exim??
You need to allow STARTTLS for TLS to work (obviously), but further
traffic cannot be inspected (as long as your firewall has no MITM
ability), so you can also disable it. Firewalls are a constant source of
grief (not only) for SMTP, like the infamous Cisco "f*ckup protocol smtp",
which prevented ESMTP and therefore AUTH, STARTTLS etc. (I heard they
changed this a while ago, though).
> ESMTP keyword "AUTH", "STARTTLS", and so on.....or are
> these keywords just "infos" and are unimportant for
> the TLS-authentication?
It's not clear to me what you mean.
"AUTH" is seen twice on the wire:
1. The SMTP client sends "EHLO $whatever" and Exim replies with its
capabilities: AUTH, STARTTLS etc.
2. The client now knows what he can use, so he does his AUTH.
If the client uses STARTTLS, he has to send his EHLO again after the SSL
handshake and gets a new list of capabilities (discarding the first one).
> - TLS with AND without user/pass !?
> --> thought the server_condition (see below) will only
> allow auth WHEN a user/pass is delivered!!??
I don't understand this either. How could a client do authentication
without any username/password? (Without a broken server config, that is)
Do you mean your local clients can relay without authentication? That's
because they are in relay_from_hosts.
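The EHLO / STARTTLS / EHLO-again sequence described in the reply above, worked through in code. This is an added illustration, not code from Exim or from either poster: a scripted server replays two constructed capability lists (no AUTH before STARTTLS, AUTH PLAIN LOGIN after it), and the client parses each reply, discards the pre-TLS list once the handshake is done, and only picks an AUTH mechanism from the second list. A third constructed reply models the firewall case from the mail, where EHLO itself is rejected, so the client sees neither STARTTLS nor AUTH and must not send credentials at all. Host names, addresses and the SIZE value are made-up sample data.

```python
"""Model of ESMTP capability negotiation around STARTTLS.

Added example; not Exim code. All server replies below are constructed
sample data, not captured from a real host.
"""

from typing import Dict, List, Optional, Tuple

# Constructed sample replies. Before STARTTLS the server advertises no AUTH
# (a common setup, e.g. Exim's auth_advertise_hosts limited to TLS sessions);
# after STARTTLS the client EHLOs again and sees AUTH.
PRE_TLS_EHLO = [
    "250-mail.example.test Hello client.example.test [192.0.2.10]",
    "250-SIZE 52428800",
    "250-8BITMIME",
    "250-PIPELINING",
    "250-STARTTLS",
    "250 HELP",
]
POST_TLS_EHLO = [
    "250-mail.example.test Hello client.example.test [192.0.2.10]",
    "250-SIZE 52428800",
    "250-8BITMIME",
    "250-PIPELINING",
    "250-AUTH PLAIN LOGIN",
    "250 HELP",
]
# A firewall doing old-style "SMTP fixup" may reject EHLO outright, so the
# client never sees any extensions (and hence no STARTTLS or AUTH).
FIXUP_EHLO = ["500 Command unrecognized"]


def parse_ehlo(lines: List[str]) -> Dict[str, List[str]]:
    """Turn a multi-line 250 reply into {KEYWORD: [params]}.
    The first line is the greeting and carries no keyword."""
    if not lines or not lines[0].startswith("250"):
        return {}
    caps: Dict[str, List[str]] = {}
    for line in lines[1:]:
        # "250-" continues the reply, "250 " ends it; strip either prefix
        body = line[4:].strip()
        if not body:
            continue
        keyword, *params = body.split()
        caps[keyword.upper()] = [p.upper() for p in params]
    return caps


class ScriptedServer:
    """Replays canned EHLO replies and switches its capability list once
    STARTTLS has been issued, as a real server does after the handshake."""

    def __init__(self, pre: List[str], post: List[str]):
        self.pre, self.post = pre, post
        self.tls = False

    def ehlo(self) -> List[str]:
        return self.post if self.tls else self.pre

    def starttls(self) -> str:
        if "STARTTLS" not in parse_ehlo(self.pre):
            return "454 TLS not available"
        self.tls = True  # stands in for the actual TLS handshake
        return "220 TLS go ahead"


def negotiate(server: ScriptedServer) -> Tuple[Dict[str, List[str]], Optional[str]]:
    """Run EHLO -> STARTTLS -> EHLO. Returns the capabilities the client may
    rely on and the AUTH mechanism it would use (None means: do not send
    credentials). The pre-TLS list is deliberately thrown away."""
    pre = parse_ehlo(server.ehlo())
    if "STARTTLS" not in pre:
        # EHLO rejected or STARTTLS missing: never authenticate in the clear
        return pre, None
    if not server.starttls().startswith("220"):
        return pre, None
    post = parse_ehlo(server.ehlo())  # fresh list; the first one is discarded
    mechs = post.get("AUTH", [])
    # prefer PLAIN over LOGIN; both are acceptable only inside TLS
    chosen = next((m for m in ("PLAIN", "LOGIN") if m in mechs), None)
    return post, chosen


if __name__ == "__main__":
    caps, mech = negotiate(ScriptedServer(PRE_TLS_EHLO, POST_TLS_EHLO))
    print("after STARTTLS:", sorted(caps), "-> AUTH", mech)
    caps, mech = negotiate(ScriptedServer(FIXUP_EHLO, FIXUP_EHLO))
    print("behind fixup firewall:", sorted(caps), "-> AUTH", mech)
```

Running the module prints the two outcomes: in the normal case the post-TLS list contains AUTH but no longer STARTTLS, and PLAIN is chosen; behind the EHLO-rejecting firewall the capability set is empty and no mechanism is selected, which is the safe failure mode when the path to the server has been downgraded.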