Re: [exim] Restrict email relay to TLS

Author: Viktor Dukhovni
Date:
To: exim-users
Subject: Re: [exim] Restrict email relay to TLS
On Thu, Jul 16, 2015 at 11:17:54AM -0400, 3YSTech Services wrote:

> added exactly that to conf file and still passes unencrypted smtp
> connections.
The logical thing to do is to restrict SASL authentication to TLS,
and also require SASL authentication.

I assume it is possible in Exim to only offer "AUTH" after STARTTLS,
in which case do that first. Then only allow relaying for SASL
authenticated clients (without accidentally enforcing SASL auth
for inbound mail addressed to your own domains).

Basically mimic the equivalent of the Postfix:

    # Allow SASL auth only for TLS encrypted channels
    #
    smtpd_tls_auth_only = yes
    # Allow relaying only for SASL authenticated clients
    #
    smtpd_relay_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination
[ The above just illustrates the problem decomposition in a form
most familiar to me. I am not here to advocate for Postfix. ]

-- 
    Viktor.
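The Exim counterpart of the two Postfix settings in the message above, added here as an example; it is not part of Viktor's post, of the original poster's configuration, or of Exim's shipped default file. The domain list, relay host list, certificate paths and password-file path are assumptions, and `$tls_in_cipher` needs Exim 4.80 or later (earlier releases spell it `$tls_cipher`). The ACL keeps the same order as the Postfix `smtpd_relay_restrictions`: trusted hosts, then authenticated clients, then refuse relaying while still accepting inbound mail for the local domains.

```exim
# ---- main section (names and paths below are assumptions) ----
domainlist local_domains    = example.com
hostlist   relay_from_hosts = 127.0.0.1 : ::1

# Offer STARTTLS to everyone. Certificate paths are assumed.
tls_advertise_hosts = *
tls_certificate     = /etc/exim4/exim.crt
tls_privatekey      = /etc/exim4/exim.key

# Equivalent of Postfix "smtpd_tls_auth_only = yes": advertise AUTH
# only after STARTTLS has completed. $tls_in_cipher is empty on a
# cleartext connection, so the expansion yields an empty host list.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

# Equivalent of Postfix "permit_sasl_authenticated,
# reject_unauth_destination", in the same order.
acl_check_rcpt:
  # Trusted local hosts may relay without authenticating.
  accept  hosts         = +relay_from_hosts
          control       = submission

  # permit_sasl_authenticated: an authenticated session may relay
  # anywhere. Because AUTH is never advertised in cleartext, this
  # condition can only be true on a TLS-protected connection.
  accept  authenticated = *
          control       = submission

  # reject_unauth_destination: everyone else may only address our own
  # domains, so inbound mail is never forced to authenticate.
  require message       = relay not permitted
          domains       = +local_domains

  require verify        = recipient

  accept

begin authenticators

# Belt and braces: the authenticator itself also refuses to be
# advertised unless TLS is active on the inbound connection.
# Password file (assumed path) holds "user:crypt(3)-hash" lines.
PLAIN:
  driver                     = plaintext
  server_set_id              = $auth2
  server_prompts             = :
  server_advertise_condition = ${if def:tls_in_cipher}
  server_condition           = ${if crypteq{$auth3}\
    {${extract{1}{:}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}{*:*}}}}}}
```

Check the result rather than trusting it: `exim -bV` reports syntax errors in the file, a cleartext `EHLO` on port 25 should list `STARTTLS` but no `AUTH` line (and a bare `AUTH PLAIN` attempt gets a 503), while `openssl s_client -starttls smtp -connect mail.example.com:25` followed by `EHLO` should show `250-AUTH PLAIN`. Note that Exim treats `#` as a comment only at the start of a line, which is why the comments above are never placed after an option value.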