I added exactly that to the conf file and it still passes unencrypted SMTP
connections.
acl_smtp_auth = check_auth

check_auth:
  accept encrypted = *
  accept condition = ${if eq{${uc:$smtp_command_argument}}\
                       {CRAM-MD5}{yes}{no}}
  deny   message = TLS encryption or CRAM-MD5 required
When I added the ACL below, I got the error "administratively prohibited":
accept
  authenticated = *
  encrypted = *
deny
On Thu, Jul 16, 2015 at 7:23 AM, Ian Eiloart <iane@???> wrote:
>
> > On 15 Jul 2015, at 19:54, 3YSTech Services <3ystechservices@???>
> wrote:
> >
> > Hi ,
> >
> > I am trying to secure my EXIM servers , was wondering how I can
> accomplish
> > the following:
> >
> > - Restrict email relay to TLS and reject none TLS connections.
>
> It’s got to be authenticated, not just encrypted.
>
> We use:
> acl_smtp_auth = check_auth
> ...
> check_auth:
>   accept encrypted = *
>   accept condition = ${if eq{${uc:$smtp_command_argument}}\
>                        {CRAM-MD5}{yes}{no}}
>   deny   message = TLS encryption or CRAM-MD5 required
>
> To make sure plain authentication isn’t attempted in the clear.
>
> In the check recipient ACL, you can say:
>
> accept
>   authenticated = *
>   encrypted = *
> deny
>
> > - Use port 587 for client TLS connections back to VIP then to servers.
>
> We use separate processes for MX and MSA, with separate configurations.
> You can use .includes for common parts, but we don’t actually do that.
>
> > - Restrict mail inflow to port 25 and 465 if possible.
>
> Port 25 is sufficient. Port 465 should be treated like port 587: for
> message submission by authenticated clients. However, it might not be
> necessary to offer port 465 these days. All modern clients will default to
> port 587. 465 was never a standard, but it was used by some MS clients.
> Having said that, I have a lot of authenticated connections on 465, so I
> may be being optimistic here.
>
> > *Current Setup :*
> >
> > - I do relay by IP and have VIP SSL installed locally on each EXIM
> server.
> >
> > - I connect from Linux clients using mailx -S smtp-use-starttls.
> >
> > - I have tried all settings below and still EXIM relay email without TLS
> >
> > daemon_smtp_ports = 25 : 465 : 587
> > tls_advertise_hosts = *
> > tls_on_connect_ports = 465 : 587
>
> This should be 465 only. The difference is that, on port 587, the
> connection is in the clear, then TLS is negotiated during the SMTP session.
> This gives you more control over how the TLS is negotiated. Port 587 should
> always use SSL/TLS, but 587 will only use it when negotiated. Therefore,
> for port 587, you need to enforce negotiation in your config, as I’ve
> described above.
>
> >
> > auth_advertise_hosts = localhost : ${if eq{$tls_cipher}{}{no}{*}}
> > server_advertise_condition = ${if eq{$tls_in_cipher}{}{no}{yes}}
> > hosts_require_tls = *
>
> Don’t use this. You’ll lose inbound email from servers that don’t encrypt.
>
> > acl_check_rcpt:
> >
> >   deny ! hosts = : +relay_from_hosts
> >        ! authenticated = *
> >
> >
> > Your response is appreciated
> >
> > Thanks
> > --
> > ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://wiki.exim.org/
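To make the difference between the two ACLs in this thread concrete, here is a small Python model of the decisions they make. It is an added illustration, not Exim's own code and not anything from the thread's participants: `Session`, `check_auth`, `check_rcpt_strict` and `check_rcpt_original` are hypothetical names that mirror the quoted ACL text, and the session values are constructed. The model simplifies Exim's real semantics in one place: the empty first item in `hosts = : +relay_from_hosts` (which matches non-network submissions) is ignored, and the list is reduced to a single "peer is a relay host" flag.

```python
"""Model of the AUTH ACL and the two recipient ACLs discussed in the thread.

Added example, not Exim source: each function re-states one of the quoted
ACLs as plain Python so the outcome for a given session can be tabulated.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Session:
    """Constructed SMTP session state as Exim would see it at ACL time."""
    encrypted: bool            # TLS in place (STARTTLS on 587, or on-connect on 465)
    authenticated: bool        # an earlier AUTH command succeeded
    relay_host: bool = False   # peer IP is listed in +relay_from_hosts (simplified)


def check_auth(session: Session, mechanism: str) -> tuple[str, str]:
    """Mirror of the quoted acl_smtp_auth = check_auth ACL.

    accept encrypted = *
    accept condition = ${if eq{${uc:$smtp_command_argument}}{CRAM-MD5}{yes}{no}}
    deny   message   = TLS encryption or CRAM-MD5 required

    This ACL only gates the AUTH command itself; it says nothing about
    whether the session may relay.  Returns (verdict, message).
    """
    if session.encrypted:
        return ("accept", "")
    # $smtp_command_argument is the mechanism name; ${uc:...} upper-cases it.
    if mechanism.upper() == "CRAM-MD5":
        return ("accept", "")
    return ("deny", "TLS encryption or CRAM-MD5 required")


def check_rcpt_strict(session: Session) -> str:
    """Mirror of the recipient ACL Ian suggests: accept only when BOTH
    'authenticated = *' and 'encrypted = *' hold, otherwise a bare deny."""
    if session.authenticated and session.encrypted:
        return "accept"
    return "deny"


def check_rcpt_original(session: Session) -> str:
    """Mirror of the original poster's ACL:

    deny ! hosts = : +relay_from_hosts
         ! authenticated = *

    Conditions on one verb AND together, so the deny fires only when the
    peer is NOT a relay host AND the session is NOT authenticated.  A relay
    host therefore passes regardless of TLS, which matches the reported
    symptom of relaying without encryption.
    """
    if not session.relay_host and not session.authenticated:
        return "deny"
    return "accept"


def compare_rcpt_acls() -> list[tuple[str, str, str]]:
    """Tabulate both recipient ACLs over a few constructed sessions."""
    scenarios = {
        "relay host, plaintext, no auth": Session(False, False, relay_host=True),
        "TLS + authenticated":             Session(True, True),
        "plaintext + authenticated":       Session(False, True),
        "unknown host, plaintext, no auth": Session(False, False),
    }
    return [(name, check_rcpt_original(s), check_rcpt_strict(s))
            for name, s in scenarios.items()]


if __name__ == "__main__":
    print(f"{'session':36} {'original ACL':14} {'strict ACL':10}")
    for name, orig, strict in compare_rcpt_acls():
        print(f"{name:36} {orig:14} {strict:10}")
    print(check_auth(Session(False, False), "PLAIN"))
```

Run as a script, the table shows why the two symptoms in the thread are consistent: the original ACL accepts a relay host in the clear, while the strict ACL denies it (a bare `deny` is what produces the "administratively prohibited" style rejection), and denies an authenticated but unencrypted session as well. The AUTH ACL on its own never prevents relaying, which is why the recipient ACL has to carry the `encrypted = *` requirement.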