Phil Pennock <[email protected]> (Sa 07 Sep 2019 02:52:56 CEST): > The connect ACL won't protect you against STARTTLS usage, which is far > more common for email than TLS-on-connect. > > I myself use the HELO ACL.
This doesn't seem to be sufficient, you can start "submitting" a message to
a remote Exim with the following sequence
connect
<-- 250
EHLO …
<-- 250
STARTTLS
<-- 220
MAIL
<-- 250
The client is free to skip the 2nd EHLO/HELO. Tested with OpenSSL
s_client -servername 'foobar\' -starttls smtp -connect …
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
signature.asc
Description: PGP signature
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
