Re: [exim] using port 587 for submission?

Author: hw
Date:  
To: exim-users
Subject: Re: [exim] using port 587 for submission?


On 03.09.2015 at 15:37, Jeremy Harris wrote:
> On 03/09/15 14:17, hw wrote:
>> server_advertise_condition = ${if def:tls_cipher }
>
> Ah, not quite. This option explicitly needs a string result
> to activate:
>
> server_advertise_condition = ${if def:tls_cipher {yes}{no}}


Thanks, I changed that. The LOGIN authenticator is now configured, too.

>> After making /etc/shadow readable by the mail group, it kinda works. Is
>> it really necessary to change permission on /etc/shadow?
>
> Where in the processing flow does it fail without that change?


It fails when I set the MUA to use STARTTLS and "normal password"
authentication.

>> "Kinda works" means that I can now send messages via port 587 without
>> any authentication at all, with unencrypted authentication and when
>> using STARTTLS. Authentication and encryption must be required, though.
>
> So now you need to block 587 to non-auth'd use. Do that in your
> mail-from ACL.


Not acl_smtp_mailauth? I tried in acl_check_helo and only was rejected
all the time.

Why is this so awfully difficult and painful? I've been dreading it for
years ...
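
The mail-from ACL approach suggested in the quoted reply, sketched as an added example that is not part of the original message or of either poster's configuration. The ACL name `acl_check_mail` is an assumption, and it presumes TLS and the authenticators are already set up as discussed above.

```exim
# Added example; acl_check_mail is an assumed ACL name.

# --- main section ---
# Listen on the MTA port and the submission port, and offer STARTTLS.
daemon_smtp_ports = 25 : 587
tls_advertise_hosts = *

# ACL run for every MAIL FROM command.
# (acl_smtp_mailauth only vets the AUTH= parameter of the MAIL command;
# it is not the place where authentication is made mandatory.)
acl_smtp_mail = acl_check_mail

# --- ACL section ---
begin acl

acl_check_mail:
  # Port 587 without TLS: refuse before any envelope data is accepted.
  deny    message    = STARTTLS is required on port 587
          condition  = ${if eq{$received_port}{587}{yes}{no}}
          !encrypted = *

  # Port 587 with TLS but without a successful AUTH: refuse.
  deny    message    = Authentication is required on port 587
          condition  = ${if eq{$received_port}{587}{yes}{no}}
          !authenticated = *

  # Port 25 traffic and authenticated 587 traffic continue to the RCPT ACL.
  accept
```

Together with the `server_advertise_condition` line quoted above, AUTH is only offered after STARTTLS, and a client on port 587 that skips either step is rejected at MAIL FROM.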