Re: [exim] Exim4 + fixed_cram

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Heiko Schlittermann
Datum:  
To: exim-users
Betreff: Re: [exim] Exim4 + fixed_cram
basti <mailinglist@???> (Fr 24 Jan 2014 11:24:27 CET):
> Hello,
> when I enable
>
> On 23.01.2014 16:16, Heiko Schlittermann wrote:
> >  require message = we accept tls connections only
> >                 condition = ${if def:tls_cipher}

>
> other mail server (arcor, greatnet, ...) can't connect to the server.


Of cause. I didn't advise it :) It was just there as an example, how you
can force the sending MTA to use TLS. Not all MTAs can be forced… For
that to work we've to wait until some of the BIG mail hosters requires
incoming MTA communication to use TLS.

> And when I use PLAIN in my Thunderbird settings I get a
> "RELAY NOT PERMITTED", I think it is caused by
>
> begin auth
>      server_advertise_condition = ${if def:tls_cipher}


You need to enable encrypted connections in your MUA.
Normally I select 'always use TLS' and direct the connections to port
587 (Submission).

>
> Is there a way to say:
>
> MTA -> MTA communication is PLAIN
> MUA -> MTA musst be SSL


The relevant portions of the config are (not cross checked with the spec
file, this I may be wrong with the naming of some options.)
(Our real world configs look a bit more complicated, but this should be
a good starting point for you own configuration.)

    # global
    daemon_smtp_ports = 25 : 465 : 587
    tls_on_connect_ports = 465
    acl_smtp_mail = acl_check_mail
    acl_smtp_rcpt = acl_check_rcpt


    # acl
    begin acl


        acl_check_mail:


            # on port 25 mostly MTA will talk to us, they can't
            # authenticate, we have to accept the MAIL FROM
            accept  condition = ${if eq{$interface_port}{25}}


            # The other ports 465 and 587 are for MUAs, the are expected
            # to authenticate
            accept  authenticated = *
            deny    message = please authenticate first


        acl_check_rcpt:


            # you will have lots of othere checks (dnsrbl,
            # recipient/sender verification, …
            accept  authenticated = *
            accept  domains = +local_domains : +relay_to_domains
            deny    message = relaying denied, please authenticate first


    begin authenticators


        plain:
            …
            # authentication is only advertised if the session
            # is secure
            server_advertise_condition = ${if def:tls_cipher}


            # if I do not want authentication on port 25:
            #                            ${if and{{def:tls_cipher}{ !eq{$interface_port}{25} }}}



    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-