Re: [exim] using port 587 for submission?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: hw
Date:  
À: Jasper Wallace
CC: exim-users
Sujet: Re: [exim] using port 587 for submission?
Jasper Wallace wrote:
> On Thu, 3 Sep 2015, hw wrote:
>
>>
>>
>> Am 03.09.2015 um 15:37 schrieb Jeremy Harris:
>>> On 03/09/15 14:17, hw wrote:
>>>> server_advertise_condition = ${if def:tls_cipher }
>>>
>>> Ah, not quite. This option explicitly needs a string result
>>> to activate:
>>>
>>> server_advertise_condition = ${if def:tls_cipher {yes}{no}}
>>
>> Thanks, I changed that. The LOGIN authenticator is now configured, too.
>>
>>>> After making /etc/shadow readable by the mail group, it kinda works. Is
>>>> it really necessary to change permission on /etc/shadow?
>>>
>>> Where in the processing flow does it fail without that change?
>>
>> It fails when I set the MUA to use STARTTLS and "normal password"
>> authentication.
>>
>>>> "Kinda works" means that I can now send messages via port 587 without
>>>> any authentication at all, with unencrypted authentication and when
>>>> using STARTTLS. Authentication and encryption must be required, though.
>>>
>>> So now you need to block 587 to non-auth'd use. Do that in your
>>> mail-from ACL.
>>
>> Not acl_smtp_mailauth? I tried in acl_check_helo and only was rejected all
>> the time.
>
> Near the top of my acl_check_rcpt I have:
>
>    accept  authenticated = *
>       control       = submission


Thanks! I figured it out:


* in acl_check_rcpt:
+ accept mail from authenticated for relaying
+ reject all hosts using connections on 587 without TLS
+ as before, accept mail from all the hosts the server is relaying for

* in acl_check_mail:
+ deny everything on 587 unless TLS is used


The latter goes like this:


acl_check_mail:

   deny condition      = ${if and{{eq{$received_port}{587}} {! 
def:tls_cipher} } }
        message        = TLS is required


accept


At least I think this is sane and safe enough. Is it?

Hmmm ... It's a quite weird logic when you think about it, and anything
but straightforward. The requirement for authentication is merely
implicit. Shouldn't there be a better way to do this? Is there? I'm
not exactly fond of convoluted stuff like this.