Sebastian Arcus via Exim-users <exim-users@???> (Di 26 Dez 2017 22:28:03 CET):
> What is the simplest and best way to disable any AUTH on port 25? Up until
> now I have the following working:
>
> 1. Only advertise TLS on port 587:
>
> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
I'm confused. This line doesn't do anything with TLS advertisement.
You can modify it into
auth_advertise_hosts = ${if and{ \
=={$received_port}{587} \
def:tls_in_cipher \
} \
{*}}
(untested)
> 2. Disable authenticated connections without TLS:
>
> acl_check_auth
>
> deny message = TLS required on authenticated connections
> ! encrypted = *
>
> However, I just realised that this disables opportunistic TLS in the SMTP
> transport (server to server).
Currently I do not see, why this should disable TLS connections.
> Could I use something like server_advertise_condition instead to only
> advertise AUTH on port 587 (and if yes, will that disallow AUTH on 25
> completely, not just not advertise it?
I use in the authenticator block(s)
server_advertise_condition = ${if and{ \
=={$received_port}{587}} \
def:tls_in_cipher \
}}
(untested, can't access the the reference system just now)
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
