Re: [exim] Closing off Port to non-SSL traffic

Author: Andrew C Aitchison
Date:  
To: exim-users
Subject: Re: [exim] Closing off Port to non-SSL traffic
On Sat, 25 Jun 2022, Mark Elkins via Exim-users wrote:

> Not sure if I'm missing the boat or what but - for one of my users to send
> email - they must use mail Submission port 587 - and nothing else. That's on
> a server that only listens on port 587. This works fine until a user "shares"
> their password. I also have a script that looks at how many emails are in the
> Send queue and gets excited if it grows too large. They use Port 587 with
> STARTTLS encryption.
>
> My users cannot send mail via port 25 (or 465) with User authentication by
> design - on the other mail server that they fetch (POP3@995/IMAP@993) mail
> from.


I am curious. Why do you not allow your users to use port 465?
RFC 8314 https://datatracker.ietf.org/doc/html/rfc8314#section-7.3
repurposed this as a mail *submission* port with Implicit TLS.

If your users could submit on 465 they would not be susceptible to
more than 40 vulnerabilities in STARTTLS implementations
https://nostarttls.secvuln.info/

[ I should document CVE-2021-38371:
before exim 4.95 exim probably was exposed to a man-in-the
middle attack on STARTTLS when *sending* email, though it
is not clear how it could have been exploited.
However a change which was included in 4.95 happened
to fix the problem.
]

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???
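As an added illustration of the class of STARTTLS bug the reply refers to (this is example code written for this thread, not Exim's code and not anything posted by either correspondent): the dangerous moment is the switch from plaintext to TLS on the same connection. On the server side, plaintext bytes the client pipelined after the STARTTLS command (or that an attacker appended on the wire) may still be sitting in the input buffer when the TLS layer starts, and a buggy server then executes them as if they had arrived encrypted. On the client side, the mirror image is a server reply in which extra plaintext follows the `220` line; a buggy client hands those bytes to the TLS layer as if they were protected. Both directions are simulated below in memory, with the `TLS_HANDSHAKE` marker, the `SmtpServer` class, the `vulnerable`/`strict` flags and the sample byte strings all constructed for this example; no network is used.

```python
"""Simulation of STARTTLS command/response injection across the plaintext-
to-TLS transition. Example code added to this thread, not Exim's code.
The class, flags and byte strings below are constructed for illustration."""

# Stand-in for the point at which a real implementation wraps the socket
# in TLS (constructed marker, not real protocol data).
TLS_HANDSHAKE = b"<tls-handshake>"


def split_starttls_reply(data: bytes):
    """Client side: split one plaintext read of the STARTTLS reply into the
    reply line and whatever followed it in the same read. A conforming server
    sends exactly one '220 ...' line and nothing else before the handshake;
    trailing bytes are plaintext an attacker could have injected."""
    end = data.find(b"\r\n")
    if end < 0:
        raise ValueError("incomplete STARTTLS reply")
    return data[:end], data[end + 2:]


def client_accepts_starttls(data: bytes, strict: bool = True) -> bool:
    """Return True if the client would go ahead with the TLS handshake.
    A strict client (the fixed behaviour) refuses when any plaintext trails
    the 220 reply, because a buggy client would otherwise feed those bytes
    into the TLS layer as if they had arrived encrypted."""
    line, leftover = split_starttls_reply(data)
    if not line.startswith(b"220"):
        return False          # e.g. 454 TLS not available: stay in plaintext
    if strict and leftover:
        return False          # response injection: refuse to upgrade
    return True


class SmtpServer:
    """Server side: a minimal command loop fed one plaintext read that
    contains STARTTLS pipelined with further commands."""

    def __init__(self, vulnerable: bool):
        self.vulnerable = vulnerable
        self.tls = False
        self.log = []         # (command, was_tls_active) for each executed command

    def handle_read(self, data: bytes):
        buf = data
        while buf:
            end = buf.find(b"\r\n")
            if end < 0:
                break
            cmd, buf = buf[:end], buf[end + 2:]
            if cmd.upper() == b"STARTTLS" and not self.tls:
                self.tls = True   # handshake happens here in a real server
                if not self.vulnerable:
                    # RFC 3207 section 4.2: discard anything received in
                    # plaintext before the handshake. The buggy server keeps
                    # it and executes it as if it arrived under TLS.
                    buf = b""
                continue
            self.log.append((cmd, self.tls))


def injected_commands(vulnerable: bool):
    """Run the server against a read in which an attacker appended a
    plaintext RSET after STARTTLS (constructed input). Returns the commands
    that were executed while the server believed TLS was active."""
    server = SmtpServer(vulnerable)
    server.handle_read(b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\n")
    return [cmd for cmd, under_tls in server.log if under_tls]


if __name__ == "__main__":
    print("vulnerable server executed under TLS:", injected_commands(True))
    print("fixed server executed under TLS:", injected_commands(False))
    good = b"220 Ready to start TLS\r\n"
    bad = b"220 Ready to start TLS\r\n250 injected plaintext\r\n"
    print("strict client accepts clean reply:", client_accepts_starttls(good))
    print("strict client accepts injected reply:", client_accepts_starttls(bad))
    print("lax client accepts injected reply:", client_accepts_starttls(bad, strict=False))
```

The point of the simulation is that with implicit TLS on port 465 there is no plaintext phase at all, so neither injection direction exists; that is why the reply suggests offering 465 for submission. In Exim that is a matter of listing 465 in `daemon_smtp_ports` and in `tls_on_connect_ports`, so that the daemon starts TLS immediately on that port rather than waiting for a STARTTLS command.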