> On 16 Jul 2015, at 16:35, 3YSTech Services <3ystechservices@???> wrote:
>
> All clients are Linux clients and EXIM server is a relay with several
> source IPs. No usernames/password exchanges in AUTH time.
Oh, OK. Try looking under T:TLS:require… at
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html
> On Thu, Jul 16, 2015 at 11:31 AM, Viktor Dukhovni <exim-users@???>
> wrote:
>
>> On Thu, Jul 16, 2015 at 11:17:54AM -0400, 3YSTech Services wrote:
>>
>>> added exactly that to conf file and still passes unencrypted smtp
>>> connections.
>>
>> The logical thing to do is to restrict SASL authentication to TLS,
>> and also require SASL authentication.
>>
>> I assume it is possible in Exim to only offer "AUTH" after STARTTLS,
>> in which case do that first. Then only allow relaying for SASL
>> authenticated clients (without accidentally enforcing SASL auth
>> for inbound mail addressed to your own domains).
>>
>> Basically mimic the equivalent of the Postfix:
>>
>> # Allow SASL auth only for TLS encrypted channels
>> #
>> smtpd_tls_auth_only = yes
>>
>> # Allow relaying only for SASL authenticated clients
>> #
>> smtpd_relay_restrictions =
>> permit_sasl_authenticated,
>> reject_unauth_destination
>>
>> [ The above just illustrates the problem decomposition in a form
>> most familiar to me. I am not here to advocate for Postfix. ]
>>
>> --
>> Viktor.
>>
>> --
>> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>>
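As an added illustration of the two-step decomposition Viktor describes (this is not configuration from the thread or from the Exim project, and the domain, host list and certificate paths are placeholders), here is what the equivalent looks like in Exim's own configuration language. The `auth_advertise_hosts` expansion is the idiom documented in the Exim specification: `$tls_in_cipher` (called `$tls_cipher` in releases before 4.80) is empty until STARTTLS has completed, so AUTH is advertised to no host on a cleartext session and to every host once the session is encrypted. The ACL ordering answers the caveat about inbound mail: recipients in `+local_domains` are accepted before the authentication check, so delivery to your own domains never requires SASL, while relaying to anywhere else is allowed only for authenticated sessions or explicitly trusted hosts.

```exim
# Added example, not configuration from the thread. Placeholders: example.com,
# the relay_from_hosts list, and the certificate/key paths.

domainlist local_domains    = @ : example.com
hostlist   relay_from_hosts = localhost

# Offer STARTTLS to everyone; certificate paths are placeholders.
tls_advertise_hosts = *
tls_certificate     = /etc/exim/PLACEHOLDER-server.crt
tls_privatekey      = /etc/exim/PLACEHOLDER-server.key

# Step 1: advertise AUTH only on TLS-protected sessions.
# $tls_in_cipher is empty before STARTTLS, so the host list expands to
# "" (nobody) on cleartext and to "*" (everybody) once encrypted.
# A client that sends AUTH without it having been advertised is refused.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

# Step 2: relay only for authenticated clients, without enforcing
# authentication for inbound mail to our own domains.
acl_check_rcpt:
  # Mail for our own domains is accepted from anyone (after the
  # recipient is verified), so no SASL is demanded for inbound mail.
  accept  domains       = +local_domains
          endpass
          verify        = recipient

  # Any other destination: only for a session that authenticated.
  # Because of step 1, such a session is necessarily TLS-protected.
  accept  authenticated = *

  # Optional: hosts trusted to relay without authentication.
  accept  hosts         = +relay_from_hosts

  # Everything else is an open-relay attempt and is refused.
  deny    message       = relay not permitted
```

To confirm the change took effect, `exim -bh <client-ip>` runs a simulated SMTP session and shows which extensions the EHLO response advertises: AUTH should be absent from the first EHLO and present only in the EHLO sent after STARTTLS, and a RCPT TO for a foreign domain on an unauthenticated session should hit the final `deny`.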