On 2009-10-13 at 09:12 -0700, John Doe wrote:
> From: Phil Pennock <exim-users@???>
> > Since you're on 4.63, you can also use $auth2 instead of $2, for clarity
> > (just double-checked, the clearer names were introduced in 4.61).
>
> done, thx.
>
> >> I have another question: how can I allow only encrypted/authenticated
> >> connections?
> >
> > In the ACL logic for the MAIL or RCPT commands, you write rules which
> > state that if not on port 25, then you "require" an encrypted connection
> > and you require that $authenticated_id be set; that's part of what your
> > using server_set_id buys you.
> >
> > RCPT probably better, some clients allegedly get confused if the MAIL
> > command fails.
> >
> > The cleanest way of doing it is likely to be to have a sub-ACL for doing
> > the check, which returns accept for port 25, or for both authenticated
> > and encrypted, else returns reject, and then use "require acl = ..." in
> > the RCPT logic.
>
> Hum... I must say that I have very poor knowledge of exim syntax...
> Been using copy/paste so far. Something like the following?
>
> PORT25 = ${if ={25}{$interface_port}}
> PORT587 = ${if ={587}{$interface_port}}
>
> acl_check_rcpt:
> deny message = TLS required
> condition = PORT25 : PORT587
>
> Or would that block too much?
That would block all mail.
> I understand that the following will prevent other servers to connect...?
>
> acl_smtp_mail:
> deny !encrypted = *
> message = TLS required
> accept
Yes.
You want something like this (untested):
acl_signedin_or25_check:
accept condition = ${if ={25}{$interface_port}}
require authenticated = *
condition = ${if def:tls_cipher}
message = Must be authenticated over TLS
accept
and then inside acl_check_rcpt you would have:
require acl = acl_signedin_or25_check
Make sense?
-Phil