Re: [exim] Restrict email relay to TLS

Author: 3YSTech Services
Date:  
To: Ian Eiloart
CC: Exim-users@exim.org
Subject: Re: [exim] Restrict email relay to TLS
Added exactly that to the conf file and it still passes unencrypted SMTP
connections.

acl_smtp_auth = check_auth



check_auth:
  accept encrypted = *
  accept condition = ${if eq{${uc:$smtp_command_argument}}\
              {CRAM-MD5}{yes}{no}}
  deny   message   = TLS encryption or CRAM-MD5 required




When I added the ACL below, I got the error "administratively prohibited":

 accept
        authenticated = *
        encrypted = *
 deny




On Thu, Jul 16, 2015 at 7:23 AM, Ian Eiloart <iane@???> wrote:

>
> > On 15 Jul 2015, at 19:54, 3YSTech Services <3ystechservices@???>
> wrote:
> >
> > Hi ,
> >
> > I am trying to secure my EXIM servers , was wondering how I can
> accomplish
> > the following:
> >
> > - Restrict email relay to TLS and reject none TLS connections.
>
> It’s got to be authenticated, not just encrypted.
>
> We use:
> acl_smtp_auth = check_auth
> ...
> check_auth:
>   accept encrypted = *
>   accept condition = ${if eq{${uc:$smtp_command_argument}}\
>               {CRAM-MD5}{yes}{no}}
>   deny   message   = TLS encryption or CRAM-MD5 required

>
> To make sure plain authentication isn’t attempted in the clear.
>
> In the check recipient ACL, you can say:
>
>  accept
>         authenticated = *
>         encrypted = *
>  deny

>
> > - Use port 587 for client TLS connections back to VIP then to servers.
>
> We use separate processes for MX and MSA, with separate configurations.
> You can use .includes for common parts, but we don’t actually do that.
>
> > - Restrict mail inflow to port 25 and 465 if possible.
>
> Port 25 is sufficient. Port 465 should be treated like port 587: for
> message submission by authenticated clients. However, it might not be
> necessary to offer port 465 these days. All modern clients will default to
> port 587. 465 was never a standard, but it was used by some MS clients.
> Having said that, I have a lot of authenticated connections on 465, so I
> may be being optimistic here.
>
> > *Current Setup :*
> >
> > - I do relay by IP and have VIP SSL installed locally on each EXIM
> server.
> >
> > - I connect from Linux clients using mailx -S smtp-use-starttls.
> >
> > - I have tried all settings below and still EXIM relay email without TLS
> >
> > daemon_smtp_ports          = 25 : 465 : 587
> > tls_advertise_hosts            = *
> > tls_on_connect_ports         =      465 : 587

>
> This should be 465 only. The difference is that, on port 587, the
> connection is in the clear, then TLS is negotiated during the SMTP session.
> This gives you more control over how the TLS is negotiated. Port 587 should
> always use SSL/TLS, but 587 will only use it when negotiated. Therefore,
> for port 587, you need to enforce negotiation in your config, as I’ve
> described above.
>
> >
> > auth_advertise_hosts = localhost : ${if eq{$tls_cipher}{}{no}{*}}
> > server_advertise_condition = ${if eq{$tls_in_cipher}{}{no}{yes}}
> > hosts_require_tls = *
>
> Don’t use this. You’ll lose inbound email from servers that don’t encrypt.
>
> > acl_check_rcpt:
> >
> > deny ! hosts         =  : +relay_from_hosts
> >     ! authenticated = *

> >
> >
> > Your response is appreciated
> >
> > Thanks
> > --
> > ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://wiki.exim.org/
>
>
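As an added example (not written by either participant of this thread): a minimal Exim 4 configuration fragment that puts the two ACLs quoted above together with the main-section settings they depend on, so that relaying is only granted to clients that authenticated on an encrypted session while ordinary inbound mail for the local domains is still accepted. The domain name, the relay_from_hosts list and the certificate paths are placeholders, and the authenticators section (with the server_advertise_condition from the original post) is assumed to be defined elsewhere in the file.

```exim
# --- main section (placeholders: example.org, certificate paths) ---
domainlist local_domains    = @ : example.org
hostlist   relay_from_hosts = localhost

daemon_smtp_ports    = 25 : 465 : 587
tls_advertise_hosts  = *
tls_certificate      = /etc/exim/tls/server.crt
tls_privatekey       = /etc/exim/tls/server.key

# Only 465 is TLS-on-connect. 587 starts in the clear and upgrades via
# STARTTLS, so the "encrypted = *" conditions below are what enforce
# TLS there.
tls_on_connect_ports = 465

# Do not advertise AUTH on an unencrypted session (localhost excepted),
# so clients never attempt PLAIN/LOGIN in the clear.
auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{no}{*}}

acl_smtp_auth = check_auth
acl_smtp_rcpt = check_rcpt

begin acl

check_auth:
  # AUTH is allowed once the session is encrypted, or for CRAM-MD5,
  # which does not send the password itself.
  accept encrypted = *
  accept condition = ${if eq{${uc:$smtp_command_argument}}\
                       {CRAM-MD5}{yes}{no}}
  deny   message   = TLS encryption or CRAM-MD5 required

check_rcpt:
  # Mail for our own domains is accepted from anyone, TLS or not;
  # rejecting it would lose inbound mail from servers that do not
  # encrypt. "endpass" turns a failed recipient verification into
  # a reject instead of falling through to the relay rules.
  accept domains = +local_domains
         endpass
         verify  = recipient

  # Relay by IP for the trusted hosts listed above.
  accept hosts = +relay_from_hosts

  # Relay for everyone else only when the client has authenticated
  # on an encrypted session (both conditions must hold).
  accept authenticated = *
         encrypted     = *

  # Everything else is not relayed.
  deny   message = relay not permitted: TLS and authentication required
```

The ordering inside check_rcpt matters: the local-domain accept and the relay_from_hosts accept come before the authenticated-and-encrypted accept, so a bare `accept authenticated = * / encrypted = *` followed by `deny` does not also reject inbound mail for your own domains or mail from the hosts you relay for by IP. A quick defender's check after reloading is to connect to port 587 without STARTTLS and confirm that EHLO does not list AUTH and that a RCPT TO for a foreign domain is refused.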