Autor: Jeremy Harris Datum: To: exim-users Betreff: Re: [exim] using port 587 for submission?
On 04/09/15 17:22, hw wrote: > * in acl_check_rcpt:
> + accept mail from authenticated for relaying
> + reject all hosts using connections on 587 without TLS
> + as before, accept mail from all the hosts the server is relaying for
>
> * in acl_check_mail:
> + deny everything on 587 unless TLS is used > Hmmm ... It's a quite weird logic when you think about it, and anything
> but straightforward. The requirement for authentication is merely
> implicit. Shouldn't there be a better way to do this? Is there? I'm
> not exactly fond of convoluted stuff like this.
I would:
- support 25, 587, 465/ssl-on-connect
- in authenticators, only offer auth when encrypted
- in mail acl, deny 587 unless encrypted (could go in rcpt but earlier
is better)
- in rcpt acl, require auth for any nonlocal destination (relaying)
... and not support any by-IP implicit authentication at all.
If forced, bundle with the "real" auth check.
Note that I don't support cram_md5 auth, where there's a better
argument for permitting non-TLS'd auth. Also, the above doesn't
enforce that road-warriors encrypt (they might have to use 25 to
get through...). I've not mentioned auth-by-user-certificate,
which is another possibility from 4.86 on.
--
Cheers,
Jeremy