keith wrote:
> I'm trying to get exim set up so that if someone connects on port 25 it is a
> standard connection (and does not offer TLS), but if they connect on a
> different port it does offer TLS to everyone - and in fact mandates that TLS
> is used on this port (so if the client does not STARTTLS the connection is
> refused).
>
> Further from that, I want to get different authentication methods depending
> on if the connection is encrypted or not. The SPA auth can be used over
> either connection, but plain can only be used if the session is encrypted
> with TLS
>
> Can someone point me in the right direction on this?
First of all, only advertise tls support on ports other than 25:
  tls_advertise_hosts = ${if eq{$interface_port}{25}{}{*}}
For forcing encryption on ports other than 25, you can only really check
at the "MAIL FROM" stage. In your acl_smtp_mail acl:
  deny    condition = ${if eq{$interface_port}{25}{false}{true}}
          condition = ${if eq{$tls_cipher}{}{true}{false}}
          message   = You must be using encryption to submit mail over this port
I think you can do something like "encrypted = *" rather than checking
tls_cipher there if you want.
For the different auth methods depending on encryption, you need to use
the server_advertise_condition option in your authenticators. Eg if you
only want to offer PLAIN auth on encrypted connections:
  server_advertise_condition = ${if def:tls_cipher}
Mike
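The three pieces above pulled together into one configuration fragment, as an added example that is not part of Mike's reply or of the Exim documentation. It assumes port 587 as the "other" submission port, the certificate and key paths shown, and a hypothetical lsearch password file at /etc/exim/spa_passwords; the PLAIN credentials are constructed placeholders. The ACL uses the "!encrypted = *" form Mike mentions instead of testing $tls_cipher directly; both reject a MAIL FROM on port 587 that arrives before STARTTLS.

```exim
# ---- main section (assumed values; adjust ports and paths) ----
daemon_smtp_ports   = 25 : 587
tls_certificate     = /etc/exim/cert.pem
tls_privatekey      = /etc/exim/key.pem

# Offer STARTTLS to everyone except on port 25.
tls_advertise_hosts = ${if eq{$interface_port}{25}{}{*}}

# Run the ACL below at the MAIL FROM stage.
acl_smtp_mail       = acl_check_mail

begin acl

acl_check_mail:
  # On any port other than 25, refuse MAIL FROM unless the session
  # is already encrypted (i.e. the client issued STARTTLS).
  deny    condition = ${if eq{$interface_port}{25}{false}{true}}
          !encrypted = *
          message   = You must be using encryption to submit mail over this port

  accept

begin authenticators

# PLAIN is only advertised once TLS is up, so the password never
# crosses the wire in the clear.
plain_tls:
  driver                     = plaintext
  public_name                = PLAIN
  server_prompts             = :
  # Constructed placeholder credentials; use a lookup in practice.
  server_condition           = ${if and {{eq{$auth2}{user}}{eq{$auth3}{secret}}}{yes}{no}}
  server_set_id              = $auth2
  server_advertise_condition = ${if def:tls_cipher}

# SPA/NTLM is advertised on both encrypted and unencrypted sessions,
# since it does not send the password itself.
spa_any:
  driver          = spa
  public_name     = NTLM
  # Hypothetical lsearch file: one "username: password" line per user.
  server_password = ${lookup{$auth1}lsearch{/etc/exim/spa_passwords}{$value}fail}
  server_set_id   = $auth1
```

Because the port check only runs at MAIL FROM, a client on port 587 can still send EHLO and AUTH before STARTTLS; the server_advertise_condition on plain_tls is what keeps PLAIN out of that unencrypted EHLO response, so the two settings work together rather than either being sufficient alone.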