Re: [exim] Force a TLS connection.

Author: Mike Cardwell
Date:  
To: Exim Mailing List
Subject: Re: [exim] Force a TLS connection.
JogeeDaKlown wrote:
> Hello,
> I'm trying to get my exim server to only accept tls connections. Here's my
> tls config.
>
> tls_advertise_hosts = *
> tls_certificate = /etc/ssl/exim/exim-server.crt
> tls_privatekey = /etc/ssl/exim/exim-server.key
> tls_verify_certificates = /etc/ssl/CA/cacert.pem
> tls_verify_hosts = *
>
> I understand that even if I set up tls_verify_hosts, it will still allow
> non-TLS connections, which my server is doing. Is there something to do with
> creating an ACL to force TLS? Is it possible? Thanks!!!!!!


In your "acl_smtp_mail" acl, as the first item, put:

deny !encrypted = *
      message    = TLS required


Note, the content of the EHLO and the "MAIL FROM" values would be sent
clear text over the wire before this error kicked in, but you can't do
it any earlier because of the way SMTP works.

You can't force TLS as it's not a requirement of SMTP, but you can
prevent messages from being sent in plain text. Most mail servers on the
Internet don't use TLS when sending, so this wouldn't be an appropriate
configuration for a general mail server if you want to receive email.

Mike
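The two-line ACL from the reply above, wired into a minimal Exim configuration so it actually runs at MAIL FROM time. This is an added example, not part of Mike's post; the ACL name acl_check_mail is an assumption, and the certificate paths are copied from the question.

```exim
# Main configuration section (assumed minimal; paths copied from the question)
tls_advertise_hosts = *
tls_certificate = /etc/ssl/exim/exim-server.crt
tls_privatekey = /etc/ssl/exim/exim-server.key

# Run the named ACL (name assumed) for every MAIL FROM command
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Refuse MAIL FROM on any connection that did not negotiate TLS.
  # The "encrypted" condition matches the cipher suite in use;
  # "*" matches any suite, so "!encrypted = *" is true only without TLS.
  deny    !encrypted = *
          message    = TLS required

  # Reaching the end of an ACL without an accept is an implicit deny,
  # so accept explicitly once the TLS check has passed.
  accept
```

EHLO and the MAIL FROM address still cross the wire in clear text before this deny fires, as the reply notes; the ACL only stops message content from being sent unencrypted.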