Re: [exim] using port 587 for submission?

Author: Jeremy Harris
To: exim-users
Subject: Re: [exim] using port 587 for submission?
On 04/09/15 17:22, hw wrote:
> * in acl_check_rcpt:
> + accept mail from authenticated for relaying
> + reject all hosts using connections on 587 without TLS
> + as before, accept mail from all the hosts the server is relaying for
>
> * in acl_check_mail:
> + deny everything on 587 unless TLS is used


> Hmmm ... It's a quite weird logic when you think about it, and anything
> but straightforward. The requirement for authentication is merely
> implicit. Shouldn't there be a better way to do this? Is there? I'm
> not exactly fond of convoluted stuff like this.


I would:

- support 25, 587, 465/ssl-on-connect
- in authenticators, only offer auth when encrypted
- in mail acl, deny 587 unless encrypted (could go in rcpt but earlier
is better)
- in rcpt acl, require auth for any nonlocal destination (relaying)

... and not support any by-IP implicit authentication at all.
If forced, bundle with the "real" auth check.


Note that I don't support cram_md5 auth, where there's a better
argument for permitting non-TLS'd auth. Also, the above doesn't
enforce that road-warriors encrypt (they might have to use 25 to
get through...). I've not mentioned auth-by-user-certificate,
which is another possibility from 4.86 on.
--
Cheers,
Jeremy
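The four points above, written out as an Exim configuration fragment. This is an added example for illustration, not Jeremy's configuration and not something shipped with Exim; the domain, certificate paths, the lsearch password file and the ACL names are assumptions. It listens on 25, 587 and 465 (TLS on connect), advertises AUTH only once the session is encrypted, refuses unencrypted MAIL FROM on 587, and accepts a non-local recipient only from an authenticated session, with no relay_from_hosts list at all.

```exim
# ---- main section (assumed names/paths) ----
domainlist local_domains    = @ : example.org
domainlist relay_to_domains =          # secondary-MX domains, if any

daemon_smtp_ports    = 25 : 587 : 465
tls_on_connect_ports = 465             # ssl-on-connect; 25 and 587 use STARTTLS

tls_certificate     = /etc/exim/mail.example.org.crt   # assumed path
tls_privatekey      = /etc/exim/mail.example.org.key   # assumed path
tls_advertise_hosts = *

# Point 2: never advertise AUTH on a cleartext session (any port).
auth_advertise_hosts = ${if def:tls_in_cipher {*}{}}

acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_mail:
  # Point 3: on the submission port, refuse anything that is not encrypted.
  # Done at MAIL rather than RCPT so the session is rejected as early as possible.
  deny    condition  = ${if eq{$received_port}{587}}
          !encrypted = *
          message    = submission on port 587 requires TLS

  accept

acl_check_rcpt:
  # Local and secondary-MX destinations are accepted from anyone
  # (other checks such as verify = recipient would go here).
  accept  domains = +local_domains
  accept  domains = +relay_to_domains

  # Point 4: anything else is relaying, so SASL authentication is required.
  # Deliberately no "hosts = +relay_from_hosts" accept: no by-IP implicit auth.
  accept  authenticated = *

  deny    message = relaying denied: authentication required

begin authenticators

# PLAIN over an already-encrypted session; the advertise condition is belt-and-braces
# alongside auth_advertise_hosts. The lsearch file is an assumed "user: crypted-hash" list.
plain_tls:
  driver                     = plaintext
  public_name                = PLAIN
  server_prompts             = :
  server_advertise_condition = ${if def:tls_in_cipher }
  server_condition           = ${if crypteq{$auth3}\
                                 {${lookup{$auth2}lsearch{/etc/exim/passwd}{$value}fail}}\
                                 {yes}{no}}
  server_set_id              = $auth2
```

Check the syntax with `exim -bV` (or `exim -C /path/to/test.conf -bV` against a copy), then confirm the behaviour from outside: `openssl s_client -connect mail.example.org:587 -starttls smtp` should show `250-AUTH PLAIN` in the post-STARTTLS EHLO response only, and a plain `telnet mail.example.org 587` followed by EHLO and MAIL FROM should be refused with the message from acl_check_mail.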