All clients are Linux clients and the EXIM server is a relay with several source IPs. No username/password exchanges at AUTH time.
On Thu, Jul 16, 2015 at 11:31 AM, Viktor Dukhovni <[email protected]> wrote:
> On Thu, Jul 16, 2015 at 11:17:54AM -0400, 3YSTech Services wrote:
>
> > added exactly that to conf file and still passes unencrypted smtp
> > connections.
>
> The logical thing to do is to restrict SASL authentication to TLS,
> and also require SASL authentication.
>
> I assume it is possible in Exim to only offer "AUTH" after STARTTLS,
> in which case do that first. Then only allow relaying for SASL
> authenticated clients (without accidentally enforcing SASL auth
> for inbound mail addressed to your own domains).
>
> Basically mimic the equivalent of the Postfix:
>
> # Allow SASL auth only for TLS encrypted channels
> #
> smtpd_tls_auth_only = yes
>
> # Allow relaying only for SASL authenticated clients
> #
> smtpd_relay_restrictions =
>     permit_sasl_authenticated,
>     reject_unauth_destination
>
> [ The above just illustrates the problem decomposition in a form
> most familiar to me. I am not here to advocate for Postfix. ]
>
> --
> Viktor.
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
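The Exim counterpart of the Postfix decomposition quoted above, added here as an illustration and not taken from the thread or from either poster's configuration: AUTH is advertised only after STARTTLS has completed, mail for the server's own domains is accepted without authentication, and relaying elsewhere is granted to authenticated clients or, for the fixed-address clients the original poster describes, only over an encrypted session. The list names `local_domains` and `relay_from_hosts`, the ACL name `acl_check_rcpt`, the domain and the 192.0.2.0/24 range are placeholders.

```exim
# Added example, not from the thread. Names and addresses below are
# placeholders to be replaced with the real ones.

# Main section: domains we receive mail for, and fixed-address clients
# that may relay without authenticating (placeholder values).
domainlist local_domains = @ : example.com
hostlist   relay_from_hosts = 192.0.2.0/24

# Offer STARTTLS to every client.
tls_advertise_hosts = *

# Advertise AUTH only once the session is encrypted, i.e. the Exim
# equivalent of Postfix "smtpd_tls_auth_only = yes". $tls_in_cipher is
# empty until STARTTLS has completed, so the resulting host list is
# empty (advertise to nobody) on plaintext sessions and "*" afterwards.
# On Exim releases older than 4.80 the variable is named $tls_cipher.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# Relay policy lives in the RCPT ACL, the equivalent of
# "permit_sasl_authenticated, reject_unauth_destination".
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Inbound mail for our own domains is accepted without AUTH, so the
  # authentication requirement never blocks legitimate external senders.
  accept  domains       = +local_domains
          endpass
          verify        = recipient

  # Relay anywhere else only for clients that authenticated; because of
  # auth_advertise_hosts above, that implies the session is encrypted.
  accept  authenticated = *

  # Fixed-address clients that do not authenticate may still relay, but
  # only after STARTTLS ("encrypted" is true once the session is TLS).
  accept  hosts         = +relay_from_hosts
          encrypted     = *

  # Everything else is an unauthorised relay attempt.
  deny    message       = relay not permitted
```

To check the result without a real client, `exim -bh 192.0.2.10` simulates an SMTP session from that address and shows which EHLO keywords are offered before and after STARTTLS, and `exim -bP auth_advertise_hosts` prints the expanded option as Exim sees it. The `encrypted = *` clause is the part that addresses the original poster's situation (no AUTH in use, several known source IPs): without it, those hosts would either be refused or, with a plain `hosts = +relay_from_hosts`, be allowed to relay over an unencrypted session.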
