Nigel Wade wrote:
> I'm in the process of deciding how to configure our mail server to
> provide client submission (port 587, and possibly 465). I'm looking for
> general tips, and do's and dont's for its configuration. The purpose is
> to allow authenticated client submission over SSL from the Internet. We
> are not able to allow port 25 submission, hence the requirement to setup
> port 587/465.
>
> I'm currently leaning towards the idea of a separate Exim process handle
> mail submission, and for this to relay the mail to the main Exim process
> for delivery. I'm hoping that will be easier to setup and maintain than
> a single configuration. Are there any gotchas to this approach that I
> should be aware of before venturing down this route? What's the
> perceived wisdom - is it better to do it this way, or to have a single
> instance of Exim which handles both normal SMTP traffic and client
> submission?
>
> The current version of Exim I use is 4.54, running on RHEL AS4.
>
There is no problem that I am aware of to doing it with one instance.
Aside from generating and storing and pointing to the appropriate certs,
what we use is:
===================
local_interfaces = <the IP you wish to restrict exim to, if not all present>
daemon_smtp_ports = 25 : 465 : 587 <optionally others>
tls_on_connect_ports = 465 : 587 <IF and ONLY IF using old-style SSL instead of STARTTLS. MUA-dependent>
tls_certificate = /usr/local/etc/exim/certs/<your cert ID> <path may differ for you>
tls_advertise_hosts = *
tls_remember_esmtp = yes <optional. See pros and cons in the Exim spec.>
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
==================
Note that this does not *prevent* an MUA from connecting on port 25, nor
force it to use SSL/TLS if it does so. That is still up to MUA
configuration. But most residential/SOHO ISPs nowadays will have shut
that door already, so we don't see a need to prevent it. Checking for
'verify domain/recipient' and 'authenticated' and such in ACLs prevents
open relaying, and is needed anyway.
======
If you want to absolutely block MUAs from use of port 25, then you
would need a second IP, and some DNS work, else MUAs have to specify
the server by IP, not <domain>.<tld>. That works, but limits
failover/fallback/load-sharing methods.
Even so, ISTR (Tony? Philip?) that you can still work in a single Exim
instance by including the IP as well as the port numbers above, as in:
daemon_smtp_ports = <first IP>.25 : <second IP>.465 : <second IP>.587
and (if using SSL instead of STARTTLS):
tls_on_connect_ports = <second IP>.465 : <second IP>.587
- where Exim expects IP.port, not IP:port, i.e. 203.194.153.81.25, not
203.194.153.81:25
Hope that second part, IP.port, is correct...
The first part certainly works - it is in production...
Best,
Bill
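An added example (not Bill's or the Exim project's configuration) of the single-instance layout described above, assuming placeholder addresses, certificate paths and the domain example.org; it adds an ACL that refuses unauthenticated recipients on the submission ports so they can never act as an open relay. It also puts the IP.port binding in local_interfaces, which is where Exim accepts that notation (daemon_smtp_ports takes bare port numbers).

```exim
# --- main section -----------------------------------------------------
# Placeholder addresses: MX traffic on 192.0.2.10, submission on 192.0.2.11.
# The IP.port form is valid in local_interfaces; daemon_smtp_ports lists
# only port numbers.
local_interfaces  = 192.0.2.10.25 : 192.0.2.11.465 : 192.0.2.11.587
daemon_smtp_ports = 25 : 465 : 587

# Implicit SSL on 465 for MUAs that need it; STARTTLS on 25 and 587.
tls_on_connect_ports = 465
# Placeholder certificate and key paths.
tls_certificate     = /etc/exim/certs/submission.pem
tls_privatekey      = /etc/exim/certs/submission.key
tls_advertise_hosts = *

# Advertise AUTH only once the session is encrypted, so client
# credentials are never offered over a cleartext connection.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

# Placeholder domain list for the relay check below.
domainlist local_domains = example.org

acl_smtp_rcpt = acl_check_rcpt

# --- ACL section ------------------------------------------------------
begin acl

acl_check_rcpt:
  # Authenticated sessions are client submissions: accept them and apply
  # the submission fix-ups (missing Date:/Message-ID: headers and so on).
  accept  authenticated = *
          control       = submission

  # Unauthenticated RCPT on 465/587 is refused outright, before any relay
  # logic runs. $received_port is the local port the client connected to.
  deny    condition = ${if or{{eq{$received_port}{465}}{eq{$received_port}{587}}}{yes}{no}}
          message   = authentication required on the submission port

  # Port 25: accept inbound mail for our own domains only, after the
  # recipient verifies against the routers.
  accept  domains = +local_domains
          verify  = recipient

  # Everything else is a relay attempt.
  deny    message = relay not permitted
```

Placing the authentication check ahead of the relay check keeps the two ports' policies separate: port 25 stays an MX that relays for nobody, and the submission ports relay only for clients that have authenticated over TLS.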