* on the Thu, Aug 22, 2013 at 11:01:34PM +0200, Neustadt wrote:
> I would like to know if there is a way to deny non encrypted connections
> when exim connects as a client to a smtp-relay/smarthost.
>
> When acting as a smtp server I mananged to realize this through:
>
> acl_check_mail:
> deny !encrypted = *
> message = TLS required
>
> But, as I see it there are no access control lists (acl) for exim when
> running as a client. Correct, or is this they way to do it?
ACLs apply to incoming email.
What you want is to add "hosts_require_tls" to your SMTP transport as
detailed on this page:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html
E.g:
remote_smtp:
driver = smtp
hosts_require_tls = smarthost1.example.com : smarthost2.example.com
This wont do certificate verification though so is still susceptible to
a MITM attack. For that you want to use the tls_verify_certificates
option which is detailed on the same page.
Further information about TLS can be found at:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
