5

I currently only allow connections on port 25 from a mail filtering service's IPs.

I have Exim running on an alternate port for SMTP submission. This port needs to allow non-encrypted connections for now so I can't rely on forcing TLS on the port.

I would like to configure Exim to drop non-authenticated SMTP connections on the alternate port to prevent spammers from connecting and sending spam directly to users.

How would I configure this ACL?

Dave Forgac
  • 3,486
  • 7
  • 36
  • 48

1 Answer

6

We use the following rules in acl_check_rcpt, but I suspect they would work better in acl_check_helo

# Rule 1: reject sessions on the submission port that have not negotiated TLS
# ($tls_cipher is empty until STARTTLS has completed).
deny
   condition      = ${if and{{eq{$interface_port}{587}} {eq{$tls_cipher}{}} } }
   message        = All port 587 connections must use TLS

# Rule 2: reject sessions on the submission port that have not authenticated.
deny condition    = ${if eq{$interface_port}{587}}
   !authenticated = *
   message        = All port 587 connections must be Authenticated

Obviously you only want the second of the two rules, but the first shows how to reject non-TLS connections. You may want to think about disallowing plaintext authentication methods if you aren't going to enforce TLS.

David Pashley
  • 23,151
  • 2
  • 41
  • 71
  • `acl_check_helo` wouldn't work since a client should send it before `AUTH`. `acl_check_mail` works fine though. If your acl has `server_advertise_condition = ${if def:tls_cipher}` set, you do not need the check in the ACL either. – Lekensteyn Feb 28 '14 at 21:07
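Putting the answer and the comment together, here is an added configuration fragment (not from the original answer or from the Exim project) showing the authentication check placed in `acl_check_mail`, the earliest ACL that runs after a client could have sent `AUTH`, alongside a PLAIN authenticator that is only advertised once TLS is up. It assumes port 587 as on the page, that your existing `acl_check_rcpt` stays as it is, and a hypothetical password file at `/etc/exim4/passwd` holding `user:{crypt-hash}` lines; `$tls_in_cipher` is the current name of the variable the answer calls `$tls_cipher`.

```exim
# Added example, not part of the original answer. Assumes port 587 and a
# hypothetical /etc/exim4/passwd lookup file with "user:{crypt-hash}" lines.

daemon_smtp_ports = 25 : 587
tls_advertise_hosts = *
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt    # your existing RCPT ACL, unchanged

begin acl

acl_check_mail:
  # MAIL FROM is the first command a client can send after AUTH, so this is
  # the earliest point at which "authenticated" can be meaningfully tested.
  deny
    condition      = ${if eq{$interface_port}{587}}
    !authenticated = *
    message        = Submission on port 587 requires authentication

  accept

begin authenticators

PLAIN:
  driver                     = plaintext
  public_name                = PLAIN
  # Only offer PLAIN once the session is encrypted, so credentials are never
  # sent in clear even though the port itself still accepts plaintext clients.
  server_advertise_condition = ${if def:tls_in_cipher}
  server_prompts             = :
  # $auth2 is the username, $auth3 the password; "*:*" makes the lookup miss fail crypteq.
  server_condition           = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}{*:*}}}}
  server_set_id              = $auth2
```

With this in place an unencrypted client on 587 is never offered AUTH, so it cannot authenticate and its first MAIL FROM is refused by `acl_check_mail`; an encrypted, authenticated client passes the deny and continues into your normal RCPT checks. Check the effect with `exim -bh` against a constructed session before reloading the daemon.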