Odhiambo Washington via Exim-users wrote on 14.05.2025 0:40:
> I'd like to enforce encrypted communication between MUAs and my Exim
> server, but I am not succeeding.
> Basically, I need MUAs connecting via ports 465 and 587 to strictly use
> encryption.
>
> I have the SSL certs, so I have the following in my config file:
>
> tls_certificate = /etc/ssl/certs/exim.crt
> tls_privatekey = /etc/ssl/private/exim.key
>
> daemon_smtp_ports = 25 : 465 : 587
> tls_on_connect_ports = 465
>
> IS_MTA_PORT = or{ \
>     {eq{$interface_port}{25}} \
>     {eq{$interface_port}{-1}} \
>   }
> # Auth on ports not used for MTA (=> MUAs)
> auth_advertise_hosts = ${if IS_MTA_PORT {}{*}}
>
> Reading a little more, I see that I should use:
> auth_advertise_hosts = ${if eq{$tls_cipher}{}{*}{*}}

That doesn't make sense. Maybe you meant

    auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

> ..to only advertise authentication mechanisms (AUTH PLAIN, etc.) if a TLS
> cipher is in use — i.e., if the connection is encrypted.
>
> So my "auth_advertise_hosts = ${if IS_MTA_PORT {}{*}}" is advertising
> auth, but not checking if tls_cipher is being used, right?

Try this

    auth_advertise_hosts = ${if IS_MTA_PORT {}{\
        ${if eq{$tls_cipher}{}{}{*}}\
      }}

or this

    auth_advertise_hosts = ${if or{\
        {IS_MTA_PORT}\
        {eq{$tls_cipher}{}}\
      }{}{*}}

or this

    auth_advertise_hosts = ${if or{\
        {eq{$interface_port}{25}}\
        {eq{$interface_port}{-1}}\
        {eq{$tls_cipher}{}}\
      }{}{*}}

> My brain is a little clouded now.
> What is it that I am missing towards achieving this need?
>
> Thanks in advance.
> --

Best wishes
Viktor Ustiuhov
mailto:vic...@corvax.kiev.ua
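
Added example (not part of the original message, and not Exim code): a small Python model of the `auth_advertise_hosts` expansions quoted in the thread, evaluated over the port and TLS states the posted config allows, to show which variants would advertise AUTH on an unencrypted connection. The state list, the sample cipher string and the variant names are assumptions made for the illustration.

```python
# Added example: Python model of the Exim expansions from the thread (not Exim code).
CIPHER = "TLS1.3:TLS_AES_256_GCM_SHA384:256"  # constructed sample $tls_cipher value

# Assumed connection states for the posted config: (port, $tls_cipher).
# 465 is in tls_on_connect_ports, so it never has an empty cipher.
STATES = [(-1, ""), (25, ""), (25, CIPHER), (465, CIPHER), (587, ""), (587, CIPHER)]

def is_mta_port(port):
    # IS_MTA_PORT macro: or{{eq{$interface_port}{25}}{eq{$interface_port}{-1}}}
    return port in (25, -1)

# Each variant returns the expanded auth_advertise_hosts value: "*" or "".
VARIANTS = {
    # ${if IS_MTA_PORT {}{*}}
    "original": lambda p, c: "" if is_mta_port(p) else "*",
    # ${if eq{$tls_cipher}{}{*}{*}}
    "star_star": lambda p, c: "*" if c == "" else "*",
    # ${if eq{$tls_cipher}{}{}{*}}
    "tls_only": lambda p, c: "" if c == "" else "*",
    # ${if IS_MTA_PORT {}{${if eq{$tls_cipher}{}{}{*}}}}
    "nested": lambda p, c: "" if is_mta_port(p) else ("" if c == "" else "*"),
    # ${if or{{IS_MTA_PORT}{eq{$tls_cipher}{}}}{}{*}}
    "or_macro": lambda p, c: "" if (is_mta_port(p) or c == "") else "*",
    # ${if or{{eq{$interface_port}{25}}{eq{$interface_port}{-1}}{eq{$tls_cipher}{}}}{}{*}}
    "or_inline": lambda p, c: "" if (p == 25 or p == -1 or c == "") else "*",
}

def advertised(name):
    """States in which the named variant advertises AUTH."""
    fn = VARIANTS[name]
    return [(p, c) for p, c in STATES if fn(p, c) == "*"]

def cleartext_ports(name):
    """Ports on which AUTH is advertised with no TLS cipher negotiated."""
    return sorted({p for p, c in advertised(name) if c == ""})

if __name__ == "__main__":
    for name in VARIANTS:
        tls_ports = sorted({p for p, c in advertised(name) if c})
        print(f"{name:10} cleartext={cleartext_ports(name)} tls={tls_ports}")
```

In this model the three suggested variants give identical results, while the single-condition `tls_only` form would also advertise AUTH on port 25 once STARTTLS has been negotiated.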