Re: [exim] Restrict email relay to TLS

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Restrict email relay to TLS
On Thu, Jul 16, 2015 at 11:35:18AM -0400, 3YSTech Services wrote:

> All clients are Linux clients and EXIM server is a relay with several
> source IPs. No usernames/password exchanges in AUTH time.


So your clients are granted relay access via an IP address based
ACL? And you want to make sure that such clients MUST use TLS?

A Postfix prototype would be:

    smtpd_relay_restrictions =
        # Allow inbound mail to our own domains.
        #
        permit_auth_destination,
        # Require TLS
        #
        reject_plaintext_session,
        # Allow clients from trusted networks.
        #
        permit_mynetworks,
        # If desired also allow SASL authenticated clients,
        # by uncommenting the next line:
        #
        # permit_sasl_authenticated
        #
        # Close the relay for all other clients
        #
        reject


Exim is considerably more flexible, so perhaps you can do
something along similar lines. That is, once you've determined
that the mail is not inbound, reject if not TLS, permit if
client network (and perhaps SASL) is authorized, finally reject
otherwise.

-- 
    Viktor.
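
The ordering described in the message above, sketched as an Exim RCPT ACL. This is an added example, not part of the original message or of Exim's shipped configuration; the list names follow Exim's default configuration, and the network range and certificate paths are placeholders.

```exim
# Main configuration section.
# Placeholder values (assumptions): adjust domains, networks and paths.
domainlist local_domains    = @
hostlist   relay_from_hosts = 192.0.2.0/24

# STARTTLS must be offered, or the TLS check below rejects every relay client.
tls_advertise_hosts = *
tls_certificate     = /etc/exim/tls/server.crt
tls_privatekey      = /etc/exim/tls/server.key

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # 1. Inbound mail to our own domains: no TLS requirement, so ordinary
  #    MX traffic is unaffected. Keep any existing recipient
  #    verification for these domains on this statement.
  accept  domains       = +local_domains

  # 2. Everything past this point is a relay attempt: refuse it
  #    unless the session is encrypted.
  deny    message       = TLS is required for relaying
         !encrypted     = *

  # 3. Encrypted session from a trusted network: relay.
  accept  hosts         = +relay_from_hosts

  # 4. Optionally also relay for SMTP AUTH clients by uncommenting:
  # accept  authenticated = *

  # 5. Close the relay for all other clients.
  deny    message       = relay not permitted
```

Statement order carries the policy: placing the `hosts` accept above the `!encrypted` deny would let trusted networks relay in plaintext.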