Re: [exim] Encrypted for Some, Plain for the Rest

Author: Heiko Schlittermann
To: exim-users
Subject: Re: [exim] Encrypted for Some, Plain for the Rest
Terrance Devor <ter.devor@???> (So 30 Aug 2015 23:31:02 CEST):
> > done
> > > over SSL/TLS port 465. Attempts to pass username and password over port
> > > 25 will result in deny, error message returned to the MTA, and log
> >
> > 465 is deprecated, use 587 and STARTTLS. Read about
> > 'server_advertise_condition' to avoid advertising AUTH on unencrypted
> > connections.
> >
>
> Understood. Will start moving everything over to port 587. Will I need to
> rebuild my SSL certificates and reconfigure for that as well?


You can use the same SSL certificates. Moving to port 587 isn't a big
deal. And you may offer services on 465 for legacy clients, if you need.

    daemon_smtp_ports = 25 : 465 : 587
    tls_on_connect_ports = 465


> > > 2) When relaying
> > >
> > > Assume our local domain is example.com
> > >
> > > (i)   user1@???     ----> (465)  Exim  (465) ------> user2@???
> > > (ii)  user1@???     ----> (465)  Exim  (25)  ------> ter.devor@??? etc...
> > > (iii) ter.devor@??? ----> (25)   Exim  (465) ------> user1@???

> >
> > You do not want to relay from anywhere to anywhere, do you?
>
> Exactly, we do not. And if an individual from outside tries to relay to
> another outside email address, then obviously this is denied. A kind of black
> list by means of process separation.
>
> > Accepting messages from outside should be done for your very own domain
> > only, here for example.com. Exceptions are possible, in case you know
> > what you're doing :)
>
> There will be no relaying of outside domain emails to other outside emails.
> Only valid internal.


It seems you can just use the ACL from the default configuration file as
shipped with Exim (named example.conf). It contains default settings and
works out of the box. The default ACLs are safe, as long as you follow
the intentions for the lists local_domains, relay_to_domains,
relay_from_hosts, set near the beginning of the example configuration.

In your case, you'll need to modify the
'authenticators' section, though.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
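The setup sketched in this reply (all three ports, AUTH advertised only once the session is encrypted, relaying limited by the default ACL lists) as one added Exim configuration fragment; it is not from the thread or from Exim's shipped example.conf. The certificate paths, the password file /etc/exim4/passwd and the example.com domain are assumptions.

```exim
# Added illustration, not part of the original thread.
# Assumes Exim >= 4.80 (for $tls_in_cipher) and a password file
# /etc/exim4/passwd with lines of the form "user: crypt-hash" (assumed).

# The lists the default ACLs in example.conf key on:
# accept mail for example.com, relay to no outside domain, and let
# only the host itself relay without authenticating.
domainlist local_domains    = example.com
domainlist relay_to_domains =
hostlist   relay_from_hosts = localhost

# 25 for MTA-to-MTA, 587 for submission with STARTTLS, 465 for legacy
# clients that expect TLS from the first byte. Only 465 starts encrypted;
# the same certificate serves all three ports.
daemon_smtp_ports    = 25 : 465 : 587
tls_on_connect_ports = 465
tls_advertise_hosts  = *
tls_certificate      = /etc/exim4/exim.crt
tls_privatekey       = /etc/exim4/exim.key

begin authenticators

# PLAIN is offered only when $tls_in_cipher is set, i.e. after STARTTLS
# on 587 or on the TLS-on-connect port 465. On a cleartext session the
# EHLO reply carries no "250-AUTH PLAIN" line, and Exim refuses an AUTH
# command that was not advertised with "503 AUTH command used when not
# advertised", so credentials are never accepted in the clear on port 25.
PLAIN:
  driver                     = plaintext
  server_set_id              = $auth2
  server_prompts             = :
  server_advertise_condition = ${if def:tls_in_cipher }
  server_condition           = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}fail}}}
```

`exim -bV` parses the resulting file and reports syntax errors; an EHLO on port 25 with `openssl s_client -starttls smtp` omitted should then show no AUTH capability, while the same EHLO after STARTTLS on 587 shows it.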