On Sun 26 Mar 2023 at 12:47:45 (-0700), pe...@easthope.ca wrote:
>
> (4) "TLS on connect is not natively supported." OK but the test
> confirmed that it can work. Documentation could tell how to
> configure. Otherwise link to instructions at least.
>
> (5)
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
> states "There is also a -tls-on-connect command line option. This
> overrides tls_on_connect_ports; it forces the TLS-only behaviour for
> all ports." Connection from the local MUA to exim isn't encrypted.
> The command line option will block that?
>
> What ideas are there to configure TLS-on-connect for localhost to
> smarthost and leave MUA to localhost unencrypted on port 25?

Just above that paragraph is the example for tls_on_connect_ports, ie

  tls_on_connect_ports = 465

I assume this goes into the configuration rather than the command
line. I've never had to configure at this level without the benefit
of a MACRO_PARAMETER to set. For example, I turn off certificate
stuff on my LAN with:

$ cat /etc/exim4/exim4.conf.localmacros
# /etc/exim4/exim4.conf.localmacros
MAIN_TLS_ADVERTISE_HOSTS =
#
$

Lacking a macro, you could try editing either
/var/lib/exim4/config.autogenerated (rather like editing grub.cfg,
in that reconfiguring Grub will overwrite it), or
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
which is more permanent (keep a backup of original).

You might try adding the setting after the first active line in
30_exim4-config_remote_smtp_smarthost, or test it by adding it
after line 857 in config.autogenerated (the same text).

That assumes that the exim in bullseye supports what's documented
for the latest version.

Cheers,
David.