Re: [exim] deny non-encrypted client connections (smarthost)

Top Page
Delete this message
Reply to this message
Author: Neustadt
Date:  
CC: exim-users
Subject: Re: [exim] deny non-encrypted client connections (smarthost)
Am 23.08.2013 13:31, schrieb Ian Eiloart:
>
> On 22 Aug 2013, at 22:01, Neustadt <neustadt@???>
> wrote:
>
>> I would like to know if there is a way to deny non encrypted connections when exim connects as a client to a smtp-relay/smarthost.
>
> As others have said, hosts_require_TLS = * will do this. However, that may leave you unable to connect to many hosts. Messages for any host that does not advertise STARTTLS will not be delivered.
>
> You may be OK with that, but it's also worth knowing that Exim will, by default, use TLS if it's advertised. However, if the TLS setup doesn't work, then Exim will fall back to unencrypted delivery. You can prevent that fallback by setting tls_tempfail_tryclear to true: if the recipient's MX servers *all* advertise STARTTLS, then you'll get an encrypted delivery (if the TLS is working on one of the hosts) or none at all.
>


Hi,

I didnt understand this part of yours:

> if the recipient's MX servers *all* advertise STARTTLS, then you'll
> get an encrypted delivery (if the TLS is working on one of the hosts)
> or none at all.


especially what you wrote in brackets. Are you saying I can ensure that
mails get encrypted through all passing relays until they can reach
their destination with tls_tempfail_tryclear?

Otherwise I don't see any difference to unsing hosts_require_TLS =
MY.SMTP.RELAY

By the way. Is there a way to create own variables that can be used
across different exim config files?
Would be neat to not have it my smtp relays specified twice, once in
exim4.conf.template and once in update-exim4.conf.conf

Regards
Adrian