Re: [exim] Best/correct way to disable AUTH on port 25?

Top Page
This message is part of the following thread:
M-\the complete thread tree sorted by date
M\MHeiko Schlittermann at <-
MMSebastian Arcus at ->
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Best/correct way to disable AUTH on port 25?
On 26/12/17 21:28, Sebastian Arcus via Exim-users wrote:
> What is the simplest and best way to disable any AUTH on port 25? Up
> until now I have the following working:
>
> 1. Only advertise TLS on port 587:
>
>     auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

I don't see a port number there. It does not do what you want.

>
> 2. Disable authenticated connections without TLS:
>
> acl_check_auth
>
>   deny message      = TLS required on authenticated connections
>        ! encrypted   = *

OK in its own right, but pointless given the above

>
>
> However, I just realised that this disables opportunistic TLS in the
> SMTP transport (server to server).

No, it does not.

> Could I use something like server_advertise_condition instead to only
> advertise AUTH on port 587 (and if yes, will that disallow AUTH on 25
> completely, not just not advertise it?

You could, and yes (because by default unadvertised-AUTH is not
permitted). It remains wise to advertise plaintext AUTH methods
only on encrypted connections.
--
Cheers,
Jeremy


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Best/correct way to disable AUTH on port 25?Re: [exim] Best/correct way to disable AUTH on port 25?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)