Re: [exim] SSL questions

Author: Mike Cardwell
Date:  
To: exim-users
Subject: Re: [exim] SSL questions
keith wrote:

> I'm trying to get exim setup so that if someone connects on port 25 it is a
> standard connection (and does not offer TLS) but if they connect on a
> different port it does offer TLS to everyone - and in fact mandates that TLS
> is used on this port (so if the client does not STARTTLS the connection is
> refused)
>
> Further from that, I want to get different authentication methods depending
> on if the connection is encrypted or not. The SPA auth can be used over
> either connection, but plain can only be used if the session is encrypted
> with TLS
>
> Can someone point me in the right direction on this?


First of all, only advertise tls support on ports other than 25:

tls_advertise_hosts = ${if eq{$interface_port}{25}{}{*}}

For forcing encryption on ports other than 25, you can only really check
at the "MAIL FROM" stage. In your acl_smtp_mail acl:

deny condition = ${if eq{$interface_port}{25}{false}{true}}
      condition = ${if eq{$tls_cipher}{}{true}{false}}
      message   = You must be using encryption to submit mail over this port


I think you can do something like "encrypted = *" rather than checking
tls_cipher there if you want.

For the different auth methods depending on encryption, you need to use
the server_advertise_condition option in your authenticators. E.g. if you
only want to offer PLAIN auth on encrypted connections:

server_advertise_condition = ${if def:tls_cipher}

Mike
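The three pieces above assembled into one configuration, as an added example that is not part of Mike's message: the port list, certificate paths, password-file paths and authenticator names are assumptions, and the SPA authenticator only exists if Exim was built with AUTH_SPA.

```exim
# Assumed: the daemon listens on 25 (plain relay) and 587 (submission).
daemon_smtp_ports = 25 : 587
tls_certificate   = /etc/exim/certs/mail.example.com.crt   # placeholder path
tls_privatekey    = /etc/exim/certs/mail.example.com.key   # placeholder path

# Advertise STARTTLS on every port except 25.
tls_advertise_hosts = ${if eq{$interface_port}{25}{}{*}}

acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # On any port other than 25, refuse MAIL FROM unless the session is
  # already encrypted. "!encrypted = *" is the shortcut for testing
  # whether $tls_cipher is empty.
  deny  condition  = ${if eq{$interface_port}{25}{false}{true}}
        !encrypted = *
        message    = You must be using encryption to submit mail over this port

  accept

begin authenticators

# PLAIN is only advertised once $tls_cipher is defined, i.e. after STARTTLS.
# The lsearch file (assumed) maps username to a crypt()-hashed password.
plain_tls_only:
  driver                     = plaintext
  public_name                = PLAIN
  server_prompts             = :
  server_advertise_condition = ${if def:tls_cipher}
  server_condition           = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim/passwd}{$value}fail}}}
  server_set_id              = $auth2

# SPA (NTLM) is offered on both encrypted and unencrypted sessions.
# The spa driver needs the cleartext password, so this file (assumed) must
# be readable only by the Exim user.
spa_any_port:
  driver          = spa
  public_name     = NTLM
  server_password = ${lookup{$auth1}lsearch{/etc/exim/spa_passwd}{$value}fail}
  server_set_id   = $auth1
```

After loading this, `exim -bh` against a client address lets you walk the SMTP dialogue on each port and confirm that EHLO on 25 shows no STARTTLS, and that on 587 AUTH PLAIN appears only after STARTTLS and MAIL FROM is refused before it.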