Re: [exim] Authentication on port 587 and 25

Startseite
Nachricht löschen
Nachricht beantworten
Autor: W B Hacker
Datum:  
To: exim users
Betreff: Re: [exim] Authentication on port 587 and 25
Rick Boucher wrote:
> I have authentication working on port 465.
>
> How can I get it working on port 587 and 25?
>
> Thanks
> -------------------------------------------------
>
>
> Rick Boucher
> Webmaster / Systems Admin
> Orcas Online / San Juan Web
> (360) 376-6411
> http://www.orcasonline.com
> http://www.sanjuanweb.com
> The information source for the San Juan Islands
>
>
>
> Plans for the next day - "Work, work from early to late. In fact
> I have so much to do that I shall spend the first three hours in prayer."
> - Martin Luther
>
>
>

Short answer: simply add 587 to 'daemon_smtp_ports ='

25 should already be there.

Exim will offer SSL on 465 based on 'tls_on_connect = 465'
- also already there as you are runnng it.

Exim will offer TLS automagically on 587 unless otherwise directed.

Longer answer: Port 25. It should be able to handle SSL/TLS, yes. But neither
require it nor be overly picky as to certs and CA's of sbmitters.

Butt does little good, and perhaps some harm, to suport auth on port 25.

- submitting peer MTA do not need it, save perhaps for your own relays, which
can either connect via 587 or be set to use port 24.

- More and more wise ISP every year are intercepting traffic from their back-end
pools TO port 25, and either diverting it to (only) their own MTA ELSE blcoking
it outright if NOT aimed at their own MTA. Very helpful of them w/r stopping
zombified Winboxen eating resources and blackening their reputation.

But even if you ARE such a connectiivty provider, port 587 is the better choice
for user-community submission.

FWIW, a tcpdump can reveal that there exist critters that will park on a
TLS-enabled port 587 and try to brute-force their way in. Waste of bandwidth,
logging, and other resources even as they fail.

SSL enabled smtp ports seem to see fewer such attempts, so certain curmudgeons
(or at least one of us) run their 587 SSL instead of TLS and adjust Luser MUA
settings accordingly.

Do your own due diligence.

;-)

Bill