Re: [exim] Restrict email relay to TLS

Author: 3YSTech Services
Date:  
To: exim-users
Subject: Re: [exim] Restrict email relay to TLS
All clients are Linux clients and the EXIM server is a relay with several
source IPs. No username/password exchanges at AUTH time.

On Thu, Jul 16, 2015 at 11:31 AM, Viktor Dukhovni <exim-users@???>
wrote:

> On Thu, Jul 16, 2015 at 11:17:54AM -0400, 3YSTech Services wrote:
>
> > added exactly that to conf file and still passes unencrypted smtp
> > connections.
>
> The logical thing to do is to restrict SASL authentication to TLS,
> and also require SASL authentication.
>
> I assume it is possible in Exim to only offer "AUTH" after STARTTLS,
> in which case do that first. Then only allow relaying for SASL
> authenticated clients (without accidentally enforcing SASL auth
> for inbound mail addressed to your own domains).
>
> Basically mimic the equivalent of the Postfix:
>
>     # Allow SASL auth only for TLS encrypted channels
>     #
>     smtpd_tls_auth_only = yes
>
>     # Allow relaying only for SASL authenticated clients
>     #
>     smtpd_relay_restrictions =
>         permit_sasl_authenticated,
>         reject_unauth_destination
>
> [ The above just illustrates the problem decomposition in a form
> most familiar to me. I am not here to advocate for Postfix. ]
>
> --
>         Viktor.
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
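An Exim rendering of the decomposition quoted above, as an added example that is not from the thread or from Exim's own documentation: AUTH is advertised only after STARTTLS, relaying is granted only over an encrypted session (both for the original poster's IP-based relay hosts and for SASL-authenticated clients), and mail for local domains is accepted first so inbound delivery is unaffected. It assumes the `local_domains` and `relay_from_hosts` lists and the `acl_check_rcpt` name from Exim's default configuration, a certificate already set via `tls_certificate`/`tls_privatekey`, and Exim 4.80 or later (where the cipher variable is `$tls_in_cipher`).

```exim
# Added example, not code from the thread. Assumes the default-config names:
#   domainlist local_domains    = domains this host accepts mail for
#   hostlist   relay_from_hosts = source IPs allowed to relay
# and that tls_certificate / tls_privatekey are already configured.

tls_advertise_hosts = *

# Offer AUTH only once STARTTLS is up: $tls_in_cipher is empty while the
# session is still in the clear. Equivalent of Postfix smtpd_tls_auth_only.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Inbound mail for our own domains needs neither TLS nor AUTH, so the
  # encryption rules below cannot block normal delivery to us.
  accept  domains = +local_domains
          endpass
          verify  = recipient

  # Relay from the listed source IPs only over an encrypted session.
  # If the host matches but the session is plaintext, this accept fails
  # and evaluation falls through to the deny statements.
  accept  hosts     = +relay_from_hosts
          encrypted = *
          control   = submission

  # Relay for SASL-authenticated clients. AUTH is only advertised over TLS
  # above; the encrypted condition also covers a client that sends AUTH
  # without waiting for the advertisement.
  accept  authenticated = *
          encrypted     = *
          control       = submission

  # Give listed relay hosts that arrive in the clear an explicit reason
  # instead of a generic relay refusal (easier to spot in their logs).
  deny    hosts   = +relay_from_hosts
          message = relaying from $sender_host_address requires STARTTLS

  deny    message = relay not permitted
```

Check the result with `exim -bh <relay-host-ip>` and walk through `MAIL FROM`/`RCPT TO` without `STARTTLS`: the RCPT to a non-local domain should be refused with the STARTTLS message, while a RCPT to a local domain is still accepted.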