Re: [exim] Best/correct way to disable AUTH on port 25?

Top Page
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Best/correct way to disable AUTH on port 25?
On 26/12/17 21:28, Sebastian Arcus via Exim-users wrote:
> What is the simplest and best way to disable any AUTH on port 25? Up
> until now I have the following working:
>
> 1. Only advertise TLS on port 587:
>
>     auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}


I don't see a port number there. It does not do what you want.

>
> 2. Disable authenticated connections without TLS:
>
> acl_check_auth
>
>   deny message      = TLS required on authenticated connections
>        ! encrypted   = *


OK in its own right, but pointless given the above

>
>
> However, I just realised that this disables opportunistic TLS in the
> SMTP transport (server to server).


No, it does not.

> Could I use something like server_advertise_condition instead to only
> advertise AUTH on port 587 (and if yes, will that disallow AUTH on 25
> completely, not just not advertise it?


You could, and yes (because by default unadvertised-AUTH is not
permitted). It remains wise to advertise plaintext AUTH methods
only on encrypted connections.
--
Cheers,
Jeremy