> From: AC
>
> I'm trying to figure out how to set up exim to use authentication on
> outgoing messages for one port and use unauthenticated otherwise. The
> current configuration accepts connections on port 25 and allows relays
> from internal networks to the outside so that internal clients can send
> outbound. The internal machines that also happen to run exim use the
> server as a smarthost (a few other machines with only mail clients use
> the relay function). I want to leave that portion working as is but
> open up an additional port for SSL/TLS authenticated sending so that
> clients outside of the internal network can send email through this server.

  daemon_smtp_ports = 25 : 587 : 465
  tls_on_connect_ports = 465
  tls_advertise_hosts = *
  tls_certificate = /etc/ssl/exim.crt
  tls_privatekey = /etc/ssl/exim.pem

In the default config, acl_check_rcpt contains two "accept" paragraphs:
one with "hosts = +relay_from_hosts" and another with "authenticated = *".
That's enough.
If your port 25 were open from outside of the internal network then
you might forbid authentication for port 25 with another paragraph
like this:

  accept authenticated = *
         condition = ${if !={$received_port}{25}}
         control = submission/domain=

but that'd not stop outgoing spam because Windows trojans steal the
port number along with username, password and hostname.
In order to catch outgoing spam, use
https://github.com/Exim/exim/wiki/BlockCracking
You can forbid unencrypted authentication: in each of the two
authenticators PLAIN and LOGIN insert the line:

  server_advertise_condition = ${if def:tls_cipher}

But some of your users' mail clients may not support encryption.
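The pieces discussed in this reply, put together into one Exim configuration as an added example (this is not the configuration from the original message or from the Exim project). The relay_from_hosts and local_domains lists, the /etc/exim/passwd lookup file and the authenticator names are assumptions; the $tls_in_cipher variable used here is the newer name for $tls_cipher and does the same job in server_advertise_condition.

```exim
# Added example, not the original poster's configuration.
# Assumed values: host/domain lists, authenticator names, /etc/exim/passwd.

# ---- main section ----
daemon_smtp_ports = 25 : 587 : 465
# 465 is SMTPS: TLS starts on connect instead of via STARTTLS
tls_on_connect_ports = 465
tls_advertise_hosts = *
tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem

domainlist local_domains = @ : example.com          # assumed
hostlist   relay_from_hosts = 127.0.0.1 : ::1 : 192.168.0.0/16   # assumed

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Internal networks keep relaying on any port, as in the existing setup
  accept  hosts = +relay_from_hosts
          control = submission

  # Authenticated clients may relay, but only on the submission ports
  # (587 and 465); an AUTH on port 25 does not earn relay rights here
  accept  authenticated = *
          condition = ${if !={$received_port}{25}}
          control = submission/domain=

  # Everyone else only gets to deliver to local domains
  accept  domains = +local_domains
  deny    message = relay not permitted

begin authenticators

# Both authenticators are advertised only once a TLS cipher is in use,
# so a client cannot send a password in the clear on 25 or 587.
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_advertise_condition = ${if def:tls_in_cipher}
  # $auth2 = user, $auth3 = password; passwd file holds "user: crypted-hash"
  server_condition = ${if crypteq{$auth3}\
      {${lookup{$auth2}lsearch{/etc/exim/passwd}{$value}fail}}}
  server_set_id = $auth2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_advertise_condition = ${if def:tls_in_cipher}
  # $auth1 = user, $auth2 = password
  server_condition = ${if crypteq{$auth2}\
      {${lookup{$auth1}lsearch{/etc/exim/passwd}{$value}fail}}}
  server_set_id = $auth1
```

After editing, `exim -bV` reports syntax errors in the file, and `exim -bh 203.0.113.5` (a constructed outside address) lets you walk through an SMTP session by hand and watch which ACL paragraph accepts or rejects a RCPT on a given port without any mail being sent.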