Re: [exim] using port 587 for submission?

On 07/09/15 12:10, hw wrote:

>> - support 25, 587, 465/ssl-on-connect
> Port 25 is for the "normal" traffic, i. e. incoming messages from hosts
> on the LAN
> and from MTAs in the outside world. Optionally, TLS can be used on 25.
> Should I relay imcoming messages from authenticated sources on port 25,
> too?

It's up to you. Consider also if you need to auth any internal
relay hosts, and how you define a user in those cases...


>> - in rcpt acl, require auth for any nonlocal destination (relaying)
>>
>> ... and not support any by-IP implicit authentication at all.
>> If forced, bundle with the "real" auth check.
>
> Hm. Require authentication (on port 25) after it has been determined
> that the message
> would not be delivered locally?

Yup, but just authentication (port irrelevant)

>
> That could be useful. Currently, there is a check in place that denies
> delivery to non-local
> domains for all sender addresses which are not listed in a file. Of
> course, someone could
> cheat their way around that by specifying a sender address for which
> relaying is allowed.

That's ugly


> If I could make it so that the sender address must match the email
> address of the user who
> has authenticated, nobody could cheat unless they somehow get username
> and password
> of a user for which relaying is allowed.

You could, but what when person authenticating is legitimately
sending mail for someone else (eg. a secretary)? What when a
sender is using an alternate persona (eg. their Gmail account name
as a sender-address)?

>
> How would I do this?

Depends what strings you use as the auth "name". I use the entire
account name, so it's a straight compare of the appropriate variables.



> The LOGIN authenticator doesn't seem to be needed. All I'm seeing in
> the log file
> is that PLAIN is used. Perhaps I should disable the LOGIN one?

Different MUAs use different plaintext variants. It costs little to
leave it supported.
--
Cheers,
Jeremy