Re: [exim] using port 587 for submission?

Am 03.09.2015 um 15:37 schrieb Jeremy Harris:
> On 03/09/15 14:17, hw wrote:
>> server_advertise_condition = ${if def:tls_cipher }
>
> Ah, not quite. This option explicitly needs a string result
> to activate:
>
> server_advertise_condition = ${if def:tls_cipher {yes}{no}}

Thanks, I changed that. The LOGIN authenticator is now configured, too.

>> After making /etc/shadow readable by the mail group, it kinda works. Is
>> it really necessary to change permission on /etc/shadow?
>
> Where in the processing flow does it fail without that change?

It fails when I set the MUA to use STARTTLS and "normal password"
authentication.

>> "Kinda works" means that I can now send messages via port 587 without
>> any authentication at all, with unencrypted authentication and when
>> using STARTTLS. Authentication and encryption must be required, though.
>
> So now you need to block 587 to non-auth'd use. Do that in your
> mail-from ACL.

Not acl_smtp_mailauth? I tried in acl_check_helo and only was rejected
all the time.

Why is this so awfully difficult and painful? I've been dreading it for
years ...