All,
Some government departments that we work with asked us to increase email
security via "forced TLS" for which I developed a solution for:
a) our public email relay servers (with upstream/downstream and
local/remote hosts - 4 legs) - this is moderately complex but all worked
first time
b) our private email server/endpoint (with Exim+Dovecot and just in
and out) - should have been simpler but was weird
and on this journey I observed some strange behaviour.
Running Exim 4.93.04 compiled on AMD64 (Dell R320) with Devuan 3.0 Beowulf.
On our internal server I added the following at the top of the
acl_check_mail:
acl_check_mail:
#
# refuse all connections that are not TLS
#
deny message = Connection not secure. You must use STARTTLS
to send to this server!
logwrite = MAIL: Denied host
$sender_host_address:$sender_host_port not using TLS secure connection!
! encrypted = *
and it produced the following result:
2020-02-13 09:36:51 CONNECT: New connection from 195.171.43.2 port:
63615 -> 195.171.43.20 port: 587
2020-02-13 09:36:51 CONNECT: Accept connection from host: 195.171.43.2
in whitelist +relay_from_hosts
2020-02-13 09:36:51 HELO: Could not verify HELO/EHLO: [192.168.1.107]
from remote host: 195.171.43.2 (gate.thorcom.com)
2020-02-13 09:36:51 HELO: Accepted HELO/EHLO [192.168.1.107] from remote
host: 195.171.43.2 (gate.thorcom.com)
2020-02-13 09:36:51 CRYPTO: Client 195.171.43.2 port: 63615 issued STARTTLS
2020-02-13 09:36:51 HELO: Client 195.171.43.2:63615 using SSL/TLS
cipher: TLS1.3:TLS_AES_256_GCM_SHA384:256
2020-02-13 09:36:51 HELO: Could not verify HELO/EHLO: [192.168.1.107]
from remote host: 195.171.43.2 (gate.thorcom.com)
2020-02-13 09:36:51 HELO: Accepted HELO/EHLO [192.168.1.107] from remote
host: 195.171.43.2 (gate.thorcom.com)
2020-02-13 09:36:51 MAIL: Denied host 195.171.43.2:63615 not using TLS
secure connection!
2020-02-13 09:36:51 MAIL: Accept from gate.thorcom.com ([192.168.1.107])
[195.171.43.2] as in +relay_from_hosts
2020-02-13 09:36:51 RCPT: Accept non-local domain for outbound delivery
Which confused me for two reasons:
1. It says 'deny' when the connection is, infact, secure - you can
see the TLS
2. It says 'deny' and then carries on to the next rule and accepts
the MAIL command
Changing the acl to read:
acl_check_mail:
#
# report/check/deny TLS as approriate
#
warn condition = ${if def:tls_in_cipher {1}{0}}
logwrite = MAIL: Client
$sender_host_address:$sender_host_port using SSL/TLS cipher: $tls_in_cipher
deny condition = ${if def:tls_in_cipher {0}{1}}
message = Connection not secure. You must use STARTTLS
to send mail to this server.
logwrite = MAIL: Client
$sender_host_address:$sender_host_port NOT using TLS connection
gives consistent results as expected and either logs the cipher in use
or denies the connection.
What did I miss?
Mike
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
