On Sun, Feb 07, 2021 at 12:25:17PM +0100, Heiko Schlittermann via Exim-users wrote:
> Gedalya via Exim-users <exim-users@???> (So 07 Feb 2021 09:20:43 CET):
> >
> > acl_check_rcpt_submit:
>
> As you pointed out in your other message: yes, it should be in the
> acl_smtp_mail ACL section, if you want to check for successful
> authentication prior to the MAIL command.
>
> >
> > require
> > message = Secure authentication is required
> > condition = ${if eq{$tls_cipher}{}{no}{yes}}
> > authenticated = *
>
> The `condition = … tls_cipher` can be omitted, if your authenticator
> itself requires a secure connection, like in most examples.
>
> I'd do it that way:
>
> -------------------------
> # allow overriding the macro on the commandline like in
> # swaks … --pipe 'exim -DIS_TLS=true -bh …'
> .ifndef IS_TLS
> IS_TLS = ${if !eq{$tls_in_cipher}{}}
> .endif
>
> begin acl
>
> acl_check_mail:
>
> require message = please authenticate first
> authenticated = *
>
> require message = please use a secure transport
> condition = IS_TLS
>
> begin auth
>
> plain:
> driver = plain
> server_advertise_condition = IS_TLS
> -------------------------
>
Thank you all.
I think maybe it's a good idea for
the Exim source repository's configure.default template
file to configure this policy out of the box when ports 465, 587 are enabled.
--
kevin
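
An added example, not from the thread or from Exim's configure.default: the policy discussed above, applied only to connections arriving on ports 465 and 587 so that MX traffic on port 25 is unaffected. The macro name IS_SUBMISSION is illustrative, and the fragment assumes a TLS certificate and an authenticator are configured elsewhere.

```exim
# Added example; IS_SUBMISSION is an illustrative macro name and
# acl_check_mail is the ACL name used earlier in the thread.

# --- main section ---
daemon_smtp_ports    = 25 : 465 : 587
tls_on_connect_ports = 465
acl_smtp_mail        = acl_check_mail

# Only advertise AUTH once the session is encrypted.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# Expands to "true" on the submission ports, to an empty string otherwise.
IS_SUBMISSION = ${if or{{eq{$received_port}{465}}{eq{$received_port}{587}}}}

begin acl

acl_check_mail:

  # Submission ports: refuse MAIL on an unencrypted session.
  deny    message    = please use a secure transport
          condition  = IS_SUBMISSION
          !encrypted = *

  # Submission ports: refuse MAIL from an unauthenticated client.
  deny    message        = please authenticate first
          condition      = IS_SUBMISSION
          !authenticated = *

  # Port 25, or a submission client that passed both checks.
  accept
```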