Re: [exim] Best/correct way to disable AUTH on port 25?

Author: Sebastian Arcus
Date:  
To: exim-users
Subject: Re: [exim] Best/correct way to disable AUTH on port 25?

On 26/12/17 22:01, Heiko Schlittermann via Exim-users wrote:
> Sebastian Arcus via Exim-users <exim-users@???> (Tue 26 Dec 2017 22:28:03 CET):
>> What is the simplest and best way to disable any AUTH on port 25? Up until
>> now I have the following working:
>>
>> 1. Only advertise TLS on port 587:
>>
>>      auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

>
> I'm confused. This line doesn't do anything with TLS advertisement.


Sorry - you are right. That line is supposed to advertise AUTH only
if/after TLS has started - as far as I know.

> You can modify it into
>
>      auth_advertise_hosts = ${if and{ \
>                                      {=={$received_port}{587}} \
>                                      {def:tls_in_cipher} \
>                                  } \
>                              {*}}

>
> (untested)
>
>> 2. Disable authenticated connections without TLS:
>>
>> acl_check_auth:
>>
>>    deny message      = TLS required on authenticated connections
>>         ! encrypted   = *

>>
>> However, I just realised that this disables opportunistic TLS in the SMTP
>> transport (server to server).
>
> Currently I do not see why this should disable TLS connections.


Sorry again - it must have been a long day. What I should have mentioned
is that I have the following option set as well:

tls_advertise_hosts = ${if eq {$interface_port}{587} {*}{}}
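
One way to combine the settings discussed in this message, as an added example that is not part of the original post and not the Exim project's own configuration: AUTH is advertised only on port 587 once TLS is active, while STARTTLS stays advertised on every port. It assumes the daemon listens on ports 25 and 587 and that `tls_certificate` and `tls_privatekey` are set elsewhere; the wording of the first denial message is made up for illustration.

```exim
# Added example, not from the thread. Main configuration section.

# Assumption: the daemon listens on both ports.
daemon_smtp_ports = 25 : 587

# Advertise STARTTLS on every port. Restricting this option to port 587
# (as in the tls_advertise_hosts line quoted above) means hosts that
# connect on port 25 are never offered STARTTLS.
tls_advertise_hosts = *

# Advertise AUTH only on the submission port, and only after TLS has
# been negotiated. Each sub-condition of and{} sits in its own braces.
auth_advertise_hosts = ${if and{ \
                                 {={$received_port}{587}} \
                                 {def:tls_in_cipher} \
                               } \
                           {*}{}}

# ACL run for every AUTH command.
acl_smtp_auth = acl_check_auth

begin acl

acl_check_auth:
  # Second line of defence in case the advertising rule above is later
  # relaxed: refuse AUTH on any port other than 587.
  deny    message     = AUTH is only accepted on port 587
          ! condition = ${if ={$received_port}{587}}

  # Refuse AUTH on a session that is not encrypted.
  deny    message     = TLS required on authenticated connections
          ! encrypted = *

  accept
```

After reloading, an EHLO on port 25 should list STARTTLS but no AUTH, and an EHLO on port 587 should list AUTH only after STARTTLS has completed.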