
How to restrict access to EXIM to clients with STARTTLS? I want to be able to drop non-TLS connections.

Current setup:

tls_on_connect_ports = 465
tls_advertise_hosts = *
tls_certificate = /some/file/name
tls_privatekey = /some/file/name
MadHatter
Tru64Gurus
  • The standard port 465 doesn't use `STARTTLS`; it is defined as being SMTP-over-TLS, in which TLS negotiation is completed before any SMTP protocol data is sent or received. – womble Aug 08 '15 at 06:20

1 Answer

You have to add the following rule to the RCPT ACL:

acl_rcpt:
deny ! hosts         =  : +relay_from_hosts
     ! authenticated = *
. . . .

That rule denies submission from any non-trusted host without authentication.

Kondybas
  • This doesn't really address the situation where the client is doing AUTH without TLS, which is the question if I read it correctly. You need to only advertise auth if tls is active, then the above works. But perhaps auth is not relevant for the question. – wurtel Jul 14 '15 at 07:53
  • I tried the following with no luck.
    acl_check_rcpt:
      deny message        = This domain ($sender_address_domain) requires a TLS connection which is not present
           sender_domains = *
           ! encrypted    = *
    In routers:
    tls_router:
      driver    = dnslookup
      domains   = *
      transport = tls_smtp
    In transports:
    tls_smtp:
      driver            = smtp
      hosts_require_tls = *
    – Tru64Gurus Jul 14 '15 at 22:26
  • Because of the character limit, I will split this into two comments. I am trying to secure my EXIM servers and was wondering how I can accomplish the following:
    - Restrict email relay to TLS and reject non-TLS connections.
    - Use port 587 for client TLS connections back to the VIP, then to the servers.
    - Restrict mail inflow to port 25 and 465 if possible.
    Your response is appreciated. Thanks – Tru64Gurus Jul 15 '15 at 19:16
  • 1
    Current Setup : - I do relay by IP and have VIP SSL installed locally on each EXIM server. - I connect from Linux clients using mailx -S smtp-use-starttls. - I have tried all settings below and still EXIM relay email without TLS daemon_smtp_ports = 25 : 465 : 587 tls_advertise_hosts = * tls_on_connect_ports = 465 : 587 auth_advertise_hosts = localhost : ${if eq{$tls_cipher}{}{no}{*}} server_advertise_condition = ${if eq{$tls_in_cipher}{}{no}{yes}} hosts_require_tls = * acl_check_rcpt: deny ! hosts = : +relay_from_hosts ! authenticated = * – Tru64Gurus Jul 15 '15 at 19:16
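The accepted answer's rule only checks for a trusted IP or a completed AUTH; it never looks at whether the session is encrypted, which is the point raised in the comments. The fragment below is an added example, not the answer's configuration and not Exim's own default config. It assumes Exim 4.80 or later (for $tls_in_cipher and $received_port), and the host list addresses, the domain list and the choice of 587 as the submission port are assumptions for illustration. It refuses the RCPT command on any unencrypted session that would relay, keeps AUTH unadvertised until TLS is up, and leaves inbound mail on port 25 for local domains alone.

```exim
# Added example, not the original answer's configuration.
# Assumes Exim >= 4.80; host/domain lists below are assumed values.

daemon_smtp_ports    = 25 : 465 : 587
tls_on_connect_ports = 465          # implicit TLS; STARTTLS is never used on 465
tls_advertise_hosts  = *
tls_certificate      = /some/file/name
tls_privatekey       = /some/file/name

# Offer AUTH only after the session is encrypted. Exim rejects an AUTH
# command that was not advertised, so credentials cannot be sent in clear.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24   # assumed addresses
domainlist local_domains    = example.org                # assumed domain

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Locally submitted (non-SMTP) messages have no remote host; let them in.
  accept  hosts = :

  # Submission port: every session must have completed STARTTLS,
  # trusted source IP or not.
  deny    condition  = ${if eq{$received_port}{587}}
          !encrypted = *
          message    = STARTTLS is required on the submission port

  # Relay-by-IP clients on any port must also be encrypted before relaying.
  deny    hosts      = +relay_from_hosts
          !encrypted = *
          message    = TLS is required before relaying from $sender_host_address

  # Relay for trusted hosts (now known to be encrypted) and for
  # authenticated users (AUTH was only offered under TLS).
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # Everything else is inbound mail for our own domains only; never relay.
  require message = relay not permitted
          domains = +local_domains

  accept
```

Two caveats a practitioner will want. Port 465 needs no STARTTLS check because TLS is negotiated before any SMTP data, so `encrypted` is always set there. Port 25 is deliberately left open to unencrypted remote MTAs; mail for your own domains would otherwise be lost, and the ACL only refuses relaying, not inbound delivery. `hosts_require_tls` on the smtp transport, as tried in the comments, governs only Exim's outgoing connections and has no effect on what Exim accepts as a server, which is why it did not stop plaintext relaying. If you prefer to condition each authenticator rather than `auth_advertise_hosts`, the equivalent per-authenticator setting is `server_advertise_condition = ${if def:tls_in_cipher}`.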