Re: [exim] Exim4 + fixed_cram

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Exim4 + fixed_cram
Hi,

basti <mailinglist@???> (Do 23 Jan 2014 15:46:09 CET):
> I'm more confused than ever.
>
> On the IMAP side of my Mailsystem I use
>
> PORT 993
> SSL/TLS with Encrypted password
>
> user@machine:~$ openssl s_client -connect myserver.de:993 -showcerts
> CONNECTED(00000003)
>
> **** SSl stuff ****
>
> ---
> * OK [CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES SORT AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE ACL ACL2=UNION]
> Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See
> COPYING for distribution information.
> ^C
>
> I want to use the same on SMTP/Exim side of my Mailsystem.
> Which technique do you prefer for:
>
> port 25/465 or 587
> SSL/TLS with Encrypted password


     25/smtp  is for MTA -> MTA communication
              TLS depends on the options offered by the receiving
              and the options chosen by the sending side, thus
              is part of the SMTP protocol (command STARTTLS)

    465/smtps is used by some exotic (?) MUAs for message submission
              TLS is negotiated prior to the start of the
              SMTP protocol

    587/submission
              is for MUA -> MTA communication
              TLS depends on the options offered by the receiving
              and the options chosen by the sending side, thus
              is part of the SMTP protocol (command STARTTLS)


For SMTP, TLS is a nice-to-have, I'd say.
For message submission I'd say you've no option; I'd always enforce the
use of STARTTLS before authentication.

What you see on port 993 is "tls-on-connect", that is: TCP | TLS | IMAP

For SMTP you want to use port 465 for that. (Better: you do not want
this tls-on-connect at all! It's not standard.)

For SMTP it's up to you to drop the connection if you see 'rcpt to'
without having TLS established first. The same holds for submission,
where I would not offer AUTH without having TLS set up.

The '${if def:tls_cipher}' is a useful expansion:

    begin acl

        acl_check_rcpt:

        accept domains = +local_domains : +relay_to_domains
               local_parts = postmaster : abuse

        require message = we accept tls connections only
                condition = ${if def:tls_cipher}

    begin auth
        …
        server_advertise_condition = ${if def:tls_cipher}


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-
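An added example (not from Heiko's post, nor part of Exim) that verifies the policy described in this reply from the client side: on a submission port, AUTH must not be advertised on the cleartext EHLO, STARTTLS must be offered, and AUTH should appear only on the EHLO sent after TLS is up. The sample EHLO replies are constructed, and the host and client names in probe() are placeholders.

```python
import smtplib
import ssl
from typing import Optional

# Constructed sample EHLO replies (not captured from a real server).
CLEARTEXT_EHLO = (b"250-mail.example.test Hello probe.example [192.0.2.10]\r\n"
                  b"250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
                  b"250-STARTTLS\r\n250 HELP\r\n")
AFTER_TLS_EHLO = (b"250-mail.example.test Hello probe.example [192.0.2.10]\r\n"
                  b"250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
                  b"250-AUTH CRAM-MD5 PLAIN LOGIN\r\n250 HELP\r\n")
WEAK_EHLO = (b"250-mail.example.test Hello probe.example [192.0.2.10]\r\n"
             b"250-AUTH PLAIN LOGIN\r\n250-STARTTLS\r\n250 HELP\r\n")

def parse_ehlo(reply: bytes) -> set:
    """Capability keywords from a raw EHLO reply. Lines look like
    '250-KEYWORD args', the last one '250 KEYWORD'; line one is the greeting."""
    caps = set()
    lines = [l for l in reply.decode("ascii", "replace").splitlines()
             if l.startswith("250")]
    for line in lines[1:]:                  # skip the greeting line
        body = line[4:].strip()             # drop '250-' / '250 '
        if body:
            caps.add(body.split()[0].upper())
    return caps

def check_policy(before_tls: set, after_tls: Optional[set]) -> list:
    """Findings for the policy in the thread: no AUTH in the clear, STARTTLS
    offered, AUTH available on the encrypted session. [] means compliant."""
    findings = []
    if "AUTH" in before_tls:
        findings.append("AUTH advertised on a cleartext session")
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not advertised")
    elif after_tls is not None and "AUTH" not in after_tls:
        findings.append("AUTH not advertised after STARTTLS")
    return findings

def probe(host: str, port: int = 587) -> list:
    """Live check (needs network): EHLO in the clear, STARTTLS, EHLO again,
    then apply check_policy to both capability sets."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo("probe.example")             # placeholder client name
        before = {k.upper() for k in s.esmtp_features}
        after = None
        if "STARTTLS" in before:
            s.starttls(context=ssl.create_default_context())
            s.ehlo("probe.example")         # RFC 3207: re-EHLO after TLS
            after = {k.upper() for k in s.esmtp_features}
    return check_policy(before, after)
```

Run probe("mail.example.test", 587) against your own submission service to see whether the server_advertise_condition from the config above is having the intended effect.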