On 26/12/17 22:01, Heiko Schlittermann via Exim-users wrote:
> Sebastian Arcus via Exim-users <exim-users@???> (Di 26 Dez 2017 22:28:03 CET):
>> What is the simplest and best way to disable any AUTH on port 25? Up until
>> now I have the following working:
>>
>> 1. Only advertise TLS on port 587:
>>
>> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
>
> I'm confused. This line doesn't do anything with TLS advertisement.
Sorry - you are right. That line is supposed to advertise AUTH only
if/after TLS has started - as far as I know.
> You can modify it into
>
> auth_advertise_hosts = ${if and{ \
> =={$received_port}{587} \
> def:tls_in_cipher \
> } \
> {*}}
>
> (untested)
>
>> 2. Disable authenticated connections without TLS:
>>
>> acl_check_auth
>>
>> deny message = TLS required on authenticated connections
>> ! encrypted = *
>>
>> However, I just realised that this disables opportunistic TLS in the SMTP
>> transport (server to server).
>
> Currently I do not see, why this should disable TLS connections.
Sorry again - it must have been a long day. What I should have mentioned
is that I have the following option set as well:
tls_advertise_hosts = ${if eq {$interface_port}{587} {*}{}}
