All clients are Linux clients and EXIM server is a relay with serveral
source IPs . No usernames/password exchanges in AUTH time.
On Thu, Jul 16, 2015 at 11:31 AM, Viktor Dukhovni <exim-users@???>
wrote:
> On Thu, Jul 16, 2015 at 11:17:54AM -0400, 3YSTech Services wrote:
>
> > added exactly that to conf file and still passes unencrypted smtp
> > connections.
>
> The logical thing to do is to restrict SASL authentication to TLS,
> and also require SASL authentication.
>
> I assume it is possible in Exim to only offer "AUTH" after STARTTLS,
> in which case do that first. Then only allow relaying for SASL
> authenticated clients (without accidentally enforcing SASL auth
> for inbound mail addressed to your own domains).
>
> Basically mimic the equivalent of the Postfix:
>
> # Allow SASL auth only for TLS encrypted channels
> #
> smtpd_tls_auth_only = yes
>
> # Allow relaying only for SASL authenticated clients
> #
> smtpd_relay_restrictions =
> permit_sasl_authenticated,
> reject_unauth_destination
>
> [ The above just illustrates the problem decomposion in a form
> most familiar to me. I am not here to advocate for Postfix. ]
>
> --
> Viktor.
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
