Re: [exim] deny non-encrypted client connections (smarthost)

Author: Mike Cardwell
Date:  
To: exim-users
Subject: Re: [exim] deny non-encrypted client connections (smarthost)
* on the Thu, Aug 22, 2013 at 11:01:34PM +0200, Neustadt wrote:

> I would like to know if there is a way to deny non encrypted connections
> when exim connects as a client to a smtp-relay/smarthost.
>
> When acting as a smtp server I managed to realize this through:
>
> acl_check_mail:
> deny !encrypted = *
> message = TLS required
>
> But, as I see it there are no access control lists (acl) for exim when
> running as a client. Correct, or is this the way to do it?


ACLs apply to incoming email.

What you want is to add "hosts_require_tls" to your SMTP transport as
detailed on this page:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html

E.g.:

remote_smtp:
    driver = smtp
    hosts_require_tls = smarthost1.example.com : smarthost2.example.com


This won't do certificate verification though, so it is still susceptible to
a MITM attack. For that you want to use the tls_verify_certificates
option which is detailed on the same page.

Further information about TLS can be found at:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
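Putting the two options from the reply side by side, as an added example that is not part of the original message: the weak transport forces TLS but accepts any certificate, while the hardened one also verifies the smarthost certificate before delivering. The host names and CA bundle path are placeholders, and the tls_verify_hosts and tls_verify_cert_hostnames options are assumptions not mentioned in the thread (they exist in recent Exim releases; check your version's spec for availability).

```exim
# Weak form: encryption is forced, but any certificate is accepted,
# so an active attacker can still impersonate the smarthost.
remote_smtp_weak:
    driver = smtp
    hosts_require_tls = smarthost1.example.com : smarthost2.example.com

# Hardened form: TLS is required AND the smarthost certificate must
# chain to a trusted CA, otherwise delivery is deferred instead of sent.
# Host names and the CA path are placeholders (assumption, not from the thread).
remote_smtp:
    driver = smtp
    # refuse to fall back to plaintext for these hosts
    hosts_require_tls = smarthost1.example.com : smarthost2.example.com
    # CA bundle used to verify the server certificate
    tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
    # make verification mandatory for these hosts (not merely attempted)
    tls_verify_hosts = smarthost1.example.com : smarthost2.example.com
    # also require the certificate name to match the host connected to
    tls_verify_cert_hostnames = smarthost1.example.com : smarthost2.example.com
```

Only one of the two transports would be referenced by the smarthost router; the weak one is shown purely for contrast.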