Re: [exim] Best/correct way to disable AUTH on port 25?

Góra strony
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
Dla: exim-users
Temat: Re: [exim] Best/correct way to disable AUTH on port 25?
Sebastian Arcus via Exim-users <exim-users@???> (Di 26 Dez 2017 22:28:03 CET):
> What is the simplest and best way to disable any AUTH on port 25? Up until
> now I have the following working:
>
> 1. Only advertise TLS on port 587:
>
>     auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}


I'm confused. This line doesn't do anything with TLS advertisement.
You can modify it into

    auth_advertise_hosts = ${if and{ \
                                    =={$received_port}{587} \
                                    def:tls_in_cipher \
                                } \
                            {*}}


(untested)

> 2. Disable authenticated connections without TLS:
>
> acl_check_auth
>
>   deny message      = TLS required on authenticated connections
>        ! encrypted   = *

>
> However, I just realised that this disables opportunistic TLS in the SMTP
> transport (server to server).


Currently I do not see, why this should disable TLS connections.

> Could I use something like server_advertise_condition instead to only
> advertise AUTH on port 587 (and if yes, will that disallow AUTH on 25
> completely, not just not advertise it?



I use in the authenticator block(s)

    server_advertise_condition = ${if and{ \
                                    =={$received_port}{587}} \
                                    def:tls_in_cipher \
                                  }}


(untested, can't access the the reference system just now)


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -