Re: [exim] Restrict email relay to TLS

Author: Ian Eiloart
Date:  
To: 3YSTech Services
CC: Exim-users@exim.org
Subject: Re: [exim] Restrict email relay to TLS

> On 15 Jul 2015, at 19:54, 3YSTech Services <3ystechservices@???> wrote:
>
> Hi,
>
> I am trying to secure my EXIM servers , was wondering how I can accomplish
> the following:
>
> - Restrict email relay to TLS and reject non-TLS connections.


It’s got to be authenticated, not just encrypted.

We use:
acl_smtp_auth = check_auth
...
check_auth:
  accept encrypted = *
  accept condition = ${if eq{${uc:$smtp_command_argument}}\
              {CRAM-MD5}{yes}{no}}
  deny   message   = TLS encryption or CRAM-MD5 required

To make sure plain authentication isn’t attempted in the clear.

In the check recipient ACL, you can say:

 accept
        authenticated = *
        encrypted = *
 deny

> - Use port 587 for client TLS connections back to VIP then to servers.


We use separate processes for MX and MSA, with separate configurations. You can use .includes for common parts, but we don’t actually do that.

> - Restrict mail inflow to port 25 and 465 if possible.


Port 25 is sufficient. Port 465 should be treated like port 587: for message submission by authenticated clients. However, it might not be necessary to offer port 465 these days. All modern clients will default to port 587. 465 was never a standard, but it was used by some MS clients. Having said that, I have a lot of authenticated connections on 465, so I may be being optimistic here.

> *Current Setup :*
> 
> - I do relay by IP and have VIP SSL installed locally on each EXIM server.
> 
> - I connect from Linux clients using mailx -S smtp-use-starttls.
> 
> - I have tried all settings below and still EXIM relays email without TLS
> 
> daemon_smtp_ports    = 25 : 465 : 587
> tls_advertise_hosts  = *
> tls_on_connect_ports = 465 : 587


This should be 465 only. The difference is that, on port 587, the connection is in the clear, then TLS is negotiated during the SMTP session. This gives you more control over how the TLS is negotiated. Port 587 should always use SSL/TLS, but 587 will only use it when negotiated. Therefore, for port 587, you need to enforce negotiation in your config, as I’ve described above.

>
> auth_advertise_hosts = localhost : ${if eq{$tls_cipher}{}{no}{*}}
> server_advertise_condition = ${if eq{$tls_in_cipher}{}{no}{yes}}
> hosts_require_tls = *


Don’t use this. You’ll lose inbound email from servers that don’t encrypt.

> acl_check_rcpt:
> 
> deny ! hosts         =  : +relay_from_hosts
>     ! authenticated = *
> 
> 
> Your response is appreciated
> 
> Thanks
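The submission-side pieces Ian describes (TLS-on-connect only on 465, AUTH advertised only once encrypted, the check_auth ACL, and a recipient ACL that relays only for authenticated encrypted sessions), assembled into one MSA configuration as an added example; this is not the post's or the Exim project's own code, the ACL and hostlist names follow the thread, and everything else is assumed for illustration.

```exim
# Added example: an MSA-only Exim configuration (run as a separate daemon
# from the MX, as suggested in the thread). Assumed values throughout.

daemon_smtp_ports    = 25 : 465 : 587
tls_advertise_hosts  = *
# Only 465 is TLS-on-connect; 587 starts in the clear and upgrades via STARTTLS.
tls_on_connect_ports = 465

# Do not advertise AUTH until the session is encrypted (local clients excepted),
# so PLAIN/LOGIN cannot even be attempted in the clear. An empty list means
# "no hosts", which is why the unencrypted branch expands to nothing.
auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_auth = check_auth
acl_smtp_rcpt = acl_check_rcpt

begin acl

check_auth:
  # Any mechanism is acceptable once TLS is up.
  accept encrypted = *
  # Without TLS, only a challenge-response mechanism is acceptable. The AUTH
  # argument may carry an initial response after the mechanism name, so only
  # the first word is compared.
  accept condition = ${if eq{${uc:${extract{1}{ }{$smtp_command_argument}}}}\
                          {CRAM-MD5}{yes}{no}}
  deny   message   = TLS encryption or CRAM-MD5 required

acl_check_rcpt:
  # Locally generated mail (no remote host) needs neither TLS nor AUTH.
  accept hosts = :
  # Relay only for clients that authenticated over an encrypted session.
  accept authenticated = *
         encrypted     = *
  # Everything else on a submission port is refused.
  deny   message = relay requires an authenticated TLS session
```

The corresponding MX daemon keeps its own configuration without hosts_require_tls, so inbound mail from servers that do not encrypt is still accepted.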