Jasper Wallace wrote:
On Thu, 3 Sep 2015, hw wrote:
On 03.09.2015 at 15:37, Jeremy Harris wrote:
On 03/09/15 14:17, hw wrote:
server_advertise_condition = ${if def:tls_cipher }
Ah, not quite. This option explicitly needs a string result
to activate:
server_advertise_condition = ${if def:tls_cipher {yes}{no}}
Thanks, I changed that. The LOGIN authenticator is now configured, too.
After making /etc/shadow readable by the mail group, it kinda works. Is
it really necessary to change permission on /etc/shadow?
Where in the processing flow does it fail without that change?
It fails when I set the MUA to use STARTTLS and "normal password"
authentication.
"Kinda works" means that I can now send messages via port 587 without
any authentication at all, with unencrypted authentication and when
using STARTTLS. Authentication and encryption must be required, though.
So now you need to block 587 to non-auth'd use. Do that in your
mail-from ACL.
Not acl_smtp_mailauth? I tried in acl_check_helo and was only rejected all
the time.
Near the top of my acl_check_rcpt I have:
  accept authenticated = *
         control = submission
Thanks! I figured it out:
* in acl_check_rcpt:
+ accept mail from authenticated for relaying
+ reject all hosts using connections on 587 without TLS
+ as before, accept mail from all the hosts the server is relaying for
* in acl_check_mail:
+ deny everything on 587 unless TLS is used
The latter goes like this:
acl_check_mail:
  deny    condition = ${if and{{eq{$received_port}{587}} {!def:tls_cipher}} }
          message   = TLS is required
  accept
At least I think this is sane and safe enough. Is it?
Hmmm ... It's quite weird logic when you think about it, and anything
but straightforward. The requirement for authentication is merely
implicit. Shouldn't there be a better way to do this? Is there? I'm
not exactly fond of convoluted stuff like this.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
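The following is an added example, not configuration posted in this thread and not Exim's shipped default, showing how the submission-port policy discussed above can be written so that both requirements (encryption and authentication) are stated explicitly instead of the authentication requirement being implied by the relay rules. It assumes the main section already maps the ACLs by these names (acl_smtp_mail = acl_check_mail, acl_smtp_rcpt = acl_check_rcpt), that Exim listens on 587 (daemon_smtp_ports = 25 : 587), and that the usual domainlist local_domains, domainlist relay_to_domains and hostlist relay_from_hosts are defined. $tls_in_cipher is the current name of $tls_cipher in recent Exim releases; on older releases use $tls_cipher.

```exim
# Added example (not from the thread or from Exim's distribution).
# Assumed main-section settings:
#   daemon_smtp_ports = 25 : 587
#   acl_smtp_mail     = acl_check_mail
#   acl_smtp_rcpt     = acl_check_rcpt

# Only advertise AUTH once the session is encrypted, so a client is never
# invited to send a password in the clear. This does for every authenticator
# what server_advertise_condition did per authenticator in the thread.
auth_advertise_hosts = ${if def:tls_in_cipher {*}{}}

begin acl

acl_check_mail:
  # Submission port: require TLS and authentication as two separate rules,
  # so the reject message tells the client exactly what is missing.
  deny    condition  = ${if eq{$received_port}{587}}
          !encrypted = *
          message    = STARTTLS is required on port 587

  deny    condition      = ${if eq{$received_port}{587}}
          !authenticated = *
          message        = Authentication is required on port 587

  accept

acl_check_rcpt:
  # Authenticated clients may relay anywhere; submission mode applies the
  # usual header fix-ups for mail originating from an MUA.
  accept  authenticated = *
          control       = submission

  # Trusted networks (assumed hostlist) may relay without authenticating.
  accept  hosts = +relay_from_hosts

  # Everyone else only gets mail for domains this server is responsible for.
  accept  domains = +local_domains : +relay_to_domains

  deny    message = relay not permitted
```

With this layout the two deny statements in acl_check_mail carry the whole submission policy: a client on 587 that has not issued STARTTLS is refused at MAIL FROM, and one that has encrypted but not authenticated is refused with a distinct message, so nothing has to be inferred from which accept rule in acl_check_rcpt happened to match. Test the three paths with an MUA or a manual session (plain 587, 587 with STARTTLS but no AUTH, 587 with STARTTLS and AUTH) and check the reject text and the log line for each.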