From: Alexey V. Degtyarev <alexey@???>
> > From: Phil Pennock
> > You want something like this (untested):
> >
> > acl_signedin_or25_check:
> >   accept  condition = ${if ={25}{$interface_port}}
> >   require authenticated = *
> >           condition = ${if def:tls_cipher}
> >           message = Must be authenticated over TLS
> >   accept
> >
> > and then inside acl_check_rcpt you would have:
> > require acl = acl_signedin_or25_check
>
> I think it would be even simpler to use the server_advertise_condition option for
> the desired authenticator. This example should work as requested: the LOGIN
> authentication mech won't be advertised (and won't be allowed even if
> requested) without TLS established:
>
> LOGIN:
>   driver = plaintext
>   server_set_id = $auth1
>   server_prompts = <| Username: | Password:
>   server_condition = ${if saslauthd{{$auth1}{$auth2}}}
>   server_advertise_condition = ${if def:tls_cipher}
I already have the server_advertise_condition (from the default configuration).
And it seems to work, as when I try to authenticate on port 25, Exim ignores the login/pass I provided.
But I am still allowed to send emails (unauthenticated).
What I am trying to do (which should be the same as most email servers):
- I want the server to receive emails normally.
- I want the server to only allow sending emails from authenticated users (with encryption).
So, for sending emails, I want to 'block' port 25 (I already removed 587 from daemon_smtp_ports) and only 'allow' port 465.
Or maybe the following would be enough?
acl_check_rcpt:
  deny    !authenticated = *
          message = Must be authenticated over TLS
  accept
I just want "if trying to send an email and not authenticated, deny".
Thx,
JD
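As an added example (not from this thread, and not Exim's default configuration), here is the usual way to express that policy in an Exim ACL: mail for the server's own domains is accepted from anyone, and every other recipient is treated as a relay request that is allowed only from a session that is both authenticated and encrypted. The port numbers, the domainlist name `local_domains` and its contents, the saslauthd back end, and the Exim 4.80+ variable name `$tls_in_cipher` (older releases call it `$tls_cipher`, as the thread does) are assumptions.

```exim
# Added example, not the thread's or Exim's own configuration. Assumes
# Exim 4.80+ (for $tls_in_cipher), a saslauthd back end, and the domainlist
# below; adjust the domains and ports to the real deployment.

domainlist local_domains = @ : example.com       # assumed local domains
acl_smtp_rcpt = acl_check_rcpt

# Port 25 takes inbound mail from other servers; 465 is submission over
# implicit TLS. 587 is deliberately not listed.
daemon_smtp_ports    = 25 : 465
tls_on_connect_ports = 465

begin authenticators

# The authenticator is offered (and accepted) only on a TLS session that
# arrived on the submission port, so clients on port 25 cannot even try.
LOGIN:
  driver                     = plaintext
  public_name                = LOGIN
  server_set_id              = $auth1
  server_prompts             = <| Username: | Password:
  server_condition           = ${if saslauthd{{$auth1}{$auth2}}}
  server_advertise_condition = ${if and{{def:tls_in_cipher}{={465}{$interface_port}}}}

begin acl

acl_check_rcpt:
  # Inbound: refuse unknown local recipients with a precise message rather
  # than letting them fall through to the relay denial below.
  deny    message = Unknown user
          domains = +local_domains
          !verify = recipient

  # Inbound: mail for our own domains is accepted from anyone, authenticated
  # or not. Other MTAs never authenticate, so this must come first.
  accept  domains = +local_domains

  # Outbound: any other recipient is a relay request. It is allowed only when
  # the session is both authenticated and encrypted; control = submission
  # makes Exim fix up headers the way a submission server should.
  accept  authenticated = *
          encrypted     = *
          control       = submission

  # Everything else (unauthenticated relay attempts on any port) is refused.
  deny    message = Relaying requires authentication over TLS
```

The order matters: a `deny !authenticated = *` placed at the top of `acl_check_rcpt` would also refuse mail arriving from other mail servers for the local domains, because they never authenticate. Checking `encrypted = *` alongside `authenticated = *` keeps the relay rule correct even if the authenticator's advertise condition is later relaxed. A session can be simulated without a network with `exim -bh 192.0.2.10` (192.0.2.10 is a documentation address) to walk through the ACL by hand.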