Re: [exim] Restrict email relay to TLS

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Restrict email relay to TLS
On Thu, Jul 16, 2015 at 11:17:54AM -0400, 3YSTech Services wrote:

> added exactly that to conf file and still passes unencrypted smtp
> connections.
The logical thing to do is to restrict SASL authentication to TLS,
and also require SASL authentication.

I assume it is possible in Exim to only offer "AUTH" after STARTTLS,
in which case do that first. Then only allow relaying for SASL
authenticated clients (without accidentally enforcing SASL auth
for inbound mail addressed to your own domains).

Basically mimic the equivalent of the Postfix:

    # Allow SASL auth only for TLS encrypted channels
    #
    smtpd_tls_auth_only = yes
    # Allow relaying only for SASL authenticated clients
    #
    smtpd_relay_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination
[ The above just illustrates the problem decomposition in a form
most familiar to me. I am not here to advocate for Postfix. ]

-- 
    Viktor.
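The Exim counterpart of the two Postfix settings in the message above, as an added configuration example that is not part of the original thread or of Exim's shipped default configuration. It assumes Exim 4.80 or later (for the `$tls_in_cipher` variable), a placeholder domain `example.com`, placeholder certificate paths, and that authenticators are defined separately in a `begin authenticators` section.

```exim
# Constructed example, not the poster's or Exim's own configuration.
#
# Weak shape this replaces: AUTH advertised on every connection and a
# broad relay_from_hosts list that relays for its members without AUTH.
#   auth_advertise_hosts = *
#   hostlist relay_from_hosts = 192.168.0.0/16

# Domains we accept inbound mail for (example.com is a placeholder).
domainlist local_domains = @ : example.com

# Offer STARTTLS to all clients (certificate paths are placeholders).
tls_advertise_hosts = *
tls_certificate = /etc/exim/PLACEHOLDER-cert.pem
tls_privatekey  = /etc/exim/PLACEHOLDER-key.pem

# 1. Equivalent of Postfix "smtpd_tls_auth_only = yes":
#    advertise AUTH only once STARTTLS has completed, i.e. only when
#    $tls_in_cipher is non-empty. Applies to every configured authenticator.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Locally submitted mail (no remote host) needs no relay checks.
  accept  hosts = :

  # Inbound mail for our own domains is accepted without requiring AUTH,
  # so the relay rule below never blocks legitimate incoming mail.
  # endpass turns a failed recipient verification into a rejection here.
  accept  domains = +local_domains
          endpass
          verify = recipient

  # 2. Equivalent of "permit_sasl_authenticated": relay to other domains
  #    only for a client that authenticated, which, given
  #    auth_advertise_hosts above, means it did so over TLS.
  accept  authenticated = *

  # 3. Equivalent of "reject_unauth_destination": everything else is refused.
  deny    message = relay not permitted
```

Test the result from an untrusted host with a plain `EHLO`: the banner must not list `AUTH` before `STARTTLS`, and a `RCPT TO` for a foreign domain must be refused with "relay not permitted".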