Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] Best/correct way to disable AUTH on port 25?

On 26/12/17 21:28, Sebastian Arcus via Exim-users wrote:
> What is the simplest and best way to disable any AUTH on port 25? Up
> until now I have the following working:
>
> 1. Only advertise TLS on port 587:
>
> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
I don't see a port number there. It does not do what you want.
>
> 2. Disable authenticated connections without TLS:
>
> acl_check_auth
>
> deny message = TLS required on authenticated connections
> ! encrypted = *
OK in its own right, but pointless given the above.
>
>
> However, I just realised that this disables opportunistic TLS in the
> SMTP transport (server to server).
No, it does not.
> Could I use something like server_advertise_condition instead to only
> advertise AUTH on port 587 (and if yes, will that disallow AUTH on 25
> completely, not just not advertise it)?
You could, and yes (because by default unadvertised-AUTH is not
permitted). It remains wise to advertise plaintext AUTH methods
only on encrypted connections.
--
Cheers,
Jeremy
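
An added example, not part of the original message: an Exim configuration fragment showing the setting from the question beside a port-aware version that advertises AUTH only on port 587 and only once TLS is active. It assumes submission runs on port 587; the authenticator name `plain_submission` and its `server_condition` placeholder are hypothetical.

```exim
# Main configuration section.

# Before (from the question): tests TLS only, so AUTH is advertised
# on any port, including 25, once the session is encrypted.
# auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

# After: advertise AUTH only on port 587 and only over TLS.
# $received_port is the local port the client connected to;
# $tls_in_cipher is the inbound-connection form of $tls_cipher.
auth_advertise_hosts = ${if and{{eq{$received_port}{587}}{!eq{$tls_in_cipher}{}}}{*}{}}

begin authenticators

# Alternative: the same test applied to a single authenticator.
# An empty expansion result means this mechanism is not advertised.
plain_submission:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_advertise_condition = ${if and{{eq{$received_port}{587}}{!eq{$tls_in_cipher}{}}}}
  # Placeholder that rejects every login; replace with your credential check.
  server_condition = false
```

After a reload, an EHLO on port 25 should list no AUTH line, and one on port 587 should list it only after STARTTLS.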