Re: [exim] EXIM4 - Secure SMTP - Ubuntu 12.04 and CentOS 6.x…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Jasen Betts
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] EXIM4 - Secure SMTP - Ubuntu 12.04 and CentOS 6.x AMD64
On 2013-08-08, DLSauers <dlsauers-KCdx8pmSnIVBDgjK7y7TUQ@???> wrote:
> Looking to secure things up... and I want to ensure that all inbound
> email is secured.
>
> So is it possible to setup EXIM4 on Ubuntu 12.04 and CentOS 6.x to use
> SECURE SMTP *ONLY*!
>
> Thus all connections to the SMTP server would be encrypted... YES this
> probably means a 90%+ ELIMINATION in servers that can email the domains
> setup on such a server, oh well, so sad. You don't need to email me then!
>
> I want security, SECURITY ! SECURITY! Encrypted "meta data" connection
> thus snooping is slowed down unless certain alphabets want to brute force
> it and put those Crays in UT to work! POP3 ad IMAP with SSL/TLS is
> already implemented... Secure drives is being implemented, and physical
> control changes are being made too. Yes the servers are moving off US
> soil, and weak jurisdictions.
>
> If there is a way that a non secure connection can be told to "Sorry
> stupid server, you need to try it securely!" and/or send back a
> message... Sorry! This server requires a SSL/TLS connection to send
> email! Please configure your server thusly, and try again! Or don't
> bother!"


acl_mail:

  require
    message=Sorry! This server requires a SSL/TLS connection to send \
      email! Please configure your server thusly, and try again! Or don't \
      bother! 
    encrypted = *


perhaps also these?

  require
    message=you need a real TLS cert
    verify = certificate
    message=you need a stronger TLS cert
    condition = ${if >= {$tls_bits}{2048}}

    
> Simply quit listening on Port 25? ? And only on 465 ????


465 is deprecated (if the RFCs are to be believed)

> Lots of HOWTO: on enabling SSL/TLS, but it appears from these that NON
> SSL/TLS is still possible and that the initial connection may be
> UNSECURE! ! ! BZZT!!!!


What's the problem with using plaintext before STARTTLS? nothing is
exposed that can't be found using a reverse lookup, probing, or whois
lookup.

--
⚂⚃ 100% natural