Phil Pennock <pdp@???> (Sa 07 Sep 2019 02:52:56 CEST):
> The connect ACL won't protect you against STARTTLS usage, which is far
> more common for email than TLS-on-connect.
>
> I myself use the HELO ACL.
This doesn't seem to be sufficient, you can start "submitting" a message to
a remote Exim with the following sequence
connect
<-- 250
EHLO …
<-- 250
STARTTLS
<-- 220
MAIL
<-- 250
The client is free to skip the 2nd EHLO/HELO. Tested with OpenSSL
s_client -servername 'foobar\' -starttls smtp -connect …
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
