Re: [exim] Restrict email relay to TLS

Author: Ian Eiloart
Date:  
To: Exim Users
Subject: Re: [exim] Restrict email relay to TLS

> On 16 Jul 2015, at 16:35, 3YSTech Services <3ystechservices@???> wrote:
>
> All clients are Linux clients and EXIM server is a relay with several
> source IPs. No usernames/password exchanges in AUTH time.


Oh, OK. Try looking under T:TLS:require… at

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html



> On Thu, Jul 16, 2015 at 11:31 AM, Viktor Dukhovni <exim-users@???>
> wrote:
> 
>> On Thu, Jul 16, 2015 at 11:17:54AM -0400, 3YSTech Services wrote:
>> 
>>> added exactly that to conf file and still passes unencrypted smtp
>>> connections.
>> 
>> The logical thing to do is to restrict SASL authentication to TLS,
>> and also require SASL authentication.
>> 
>> I assume it is possible in Exim to only offer "AUTH" after STARTTLS,
>> in which case do that first.  Then only allow relaying for SASL
>> authenticated clients (without accidentally enforcing SASL auth
>> for inbound mail addressed to your own domains).
>> 
>> Basically mimic the equivalent of the Postfix:
>> 
>>    # Allow SASL auth only for TLS encrypted channels
>>    #
>>    smtpd_tls_auth_only = yes
>> 
>>    # Allow relaying only for SASL authenticated clients
>>    #
>>    smtpd_relay_restrictions =
>>        permit_sasl_authenticated,
>>        reject_unauth_destination
>> 
>> [ The above just illustrates the problem decomposition in a form
>>  most familiar to me.  I am not here to advocate for Postfix. ]
>> 
>> --
>>        Viktor.
>> 
>> --
>> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>> 
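For readers who want Viktor's two Postfix settings expressed in Exim terms, the fragment below is an added illustration, not configuration from the thread or from the Exim documentation; the domain names, certificate paths and password file are constructed placeholders, and `$tls_in_cipher` assumes Exim 4.80 or later.

```exim
# --- main section ---
# Offer STARTTLS to everyone (paths are placeholders).
tls_advertise_hosts = *
tls_certificate = /etc/exim4/tls/server.crt
tls_privatekey  = /etc/exim4/tls/server.key

# Advertise AUTH only once the session is TLS-protected
# (the Exim counterpart of smtpd_tls_auth_only = yes).
auth_advertise_hosts = ${if def:tls_in_cipher {*}{}}

# Constructed list of the domains this host accepts mail for.
domainlist local_domains = example.org : example.net

acl_smtp_rcpt = acl_check_rcpt

# --- ACL section: the counterpart of smtpd_relay_restrictions ---
begin acl

acl_check_rcpt:
  # Inbound mail for our own domains needs no AUTH, so requiring
  # authentication for relay never blocks delivery addressed to us.
  accept  domains = +local_domains

  # Relay only for clients that completed AUTH; given
  # auth_advertise_hosts above, that can only have happened over TLS.
  accept  authenticated = *

  # Anything else is an open-relay attempt.
  deny    message = relay not permitted

# --- authenticators section ---
begin authenticators

# PLAIN over a plaintext driver; the lsearch password file is a placeholder.
# server_advertise_condition is a per-mechanism guard that keeps AUTH off
# cleartext sessions even if the main-section setting is later removed.
plain_login:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}fail}}}
  server_set_id = $auth2
  server_advertise_condition = ${if def:tls_in_cipher}
```

A simulated cleartext session (`exim -bh 192.0.2.10`, with a constructed client address) should list no AUTH keyword in the EHLO response and answer a non-local RCPT with the `relay not permitted` rejection.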