Daniel Tiefnig wrote:
> timebandit wrote:
>> [ SMTP protocol synchronization error ]
>>
>> I have tried to google and so on and find a lot of these errors but no
>> solution. Using no encryption or STARTTLS works but want to use SSL3
>> as I always have.
> 
> Hi,
> 
> is the port you are connecting to listed in "tls_on_connect_ports"? It
> should be set to something like
> tls_on_connect_ports = 465
> to support SSL encryption on the standard SSMTP port.
> 
> br,
> daniel
> 

Folks,

Like it or not,

- it is coming up several *years* now that IANA assigned port 465 to a 
Cisco-proprietary protocol that has naught to do with smtp.

- further, it never was 'officially' assigned as the smtp submission 
port. Though the RFC meandered through donkey's years during which it 
was the de-facto if not de-jure usage, the final outcome was to settle 
on port 587, and TLS (with a HELO) - not 'classical' SSL (where the 
'tunnel' is put in-place on arrival via a different sort of handshake).

- *eventually* MUA will cease (directly) supporting port 465.

- Port 587 *can* be set to tls_on_connect, thereafter also requiring 
non-standard MUA config. But configuring MUA to use SSL-only and 587 
instead of 465 is not likely to be universally supported forever.

Some MUA are already unable to do that.

Bottom line:

- require your user-base AUTH *only* on 587

- use port 24 for weird-and-wonderful relaying, inbound/outbound pools, 
etc. That's what it is for. 'any private mail service' IIRC.

- but *also* require encrypted protocol in your ACLs so a fall-back to 
unencrypted - which the protocol supports - is NOT acceptable to 
authenticate with Exim.

And, of course, exempt any arrival 'AUTH'ed in that proper manner from 
tests for rDNS fail, dynamic-IP or other RBL lookup, and strict HELO to 
FQDN matching, 'coz most residential OR biz broadband will fail all of 
the above.

Either:

condition   = ${if eq{$interface_port}{25}}

to apply strict tests to remote MTA (or zombot) arrivals.

or a !condition to exempt your own users.

Keep your user-base OFF port 25, AND ALSO insist on encryption of the link:

!condition         = ${if eq{$interface_port}{587}}
accept  encrypted  = *

later on, also:

  authenticated   = *

As one cannot 'AUTH' in acl_smtp_connect.  Too soon.

Not to forget, in the authenticator(s);

    server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

Or something more cleanly written to that effect...

I code in BFBI, but it JFW in Exim.

;-)

Bill


-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
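Bill's recommendations pulled together into one Exim configuration excerpt, as an added example that is not part of the original thread and not taken from Exim's own documentation. It follows Bill's side of the argument (no 465, no tls_on_connect_ports, STARTTLS plus AUTH on 587 only) rather than the first reply's suggestion. Assumptions: Exim 4.80 or later (for $tls_in_cipher; older releases call it $tls_cipher, as in Bill's fragment), a local domain example.org, certificate and key paths under /etc/exim/tls/, a hypothetical /etc/exim/passwd lookup file, and zen.spamhaus.org standing in for whatever DNSBL you actually use.

```exim
######################################################################
# Main configuration section (excerpt)
######################################################################
domainlist local_domains = example.org         # assumed local domain

# Listen on 25 (MTA-to-MTA) and 587 (submission) only.  465 is
# deliberately absent and tls_on_connect_ports is left unset, so the
# only TLS Exim offers is STARTTLS after EHLO, never TLS-on-connect.
daemon_smtp_ports   = 25 : 587
tls_advertise_hosts = *
tls_certificate     = /etc/exim/tls/mail.example.org.crt   # assumed path
tls_privatekey      = /etc/exim/tls/mail.example.org.key   # assumed path

acl_smtp_auth = acl_check_auth
acl_smtp_rcpt = acl_check_rcpt

######################################################################
# ACLs
######################################################################
begin acl

# Runs when a client sends AUTH.  The authenticator below is not even
# advertised without TLS, but refuse AUTH here as well so a fall-back to
# a plaintext session can never hand over a usable credential.
acl_check_auth:
  deny    !encrypted = *
          message    = AUTH is only accepted over TLS
  accept

acl_check_rcpt:
  # --- Submission port (587): insist on TLS, then on AUTH.
  deny    condition  = ${if eq{$interface_port}{587}}
          !encrypted = *
          message    = STARTTLS is required on port 587

  deny    condition      = ${if eq{$interface_port}{587}}
          !authenticated = *
          message        = Authentication is required on port 587

  # Properly AUTHed clients are exempt from the MTA-grade tests below
  # (residential and business broadband would fail them) and may relay.
  accept  authenticated = *

  # --- Port 25: remote MTAs (or zombots).  Strict tests apply.
  deny    condition = ${if eq{$interface_port}{25}}
          !verify   = reverse_host_lookup
          message   = no reverse DNS for $sender_host_address

  deny    condition = ${if eq{$interface_port}{25}}
          dnslists  = zen.spamhaus.org        # example list; choose your own
          message   = $sender_host_address is listed at $dnslist_domain

  # verify = helo checks that the HELO name resolves to the client;
  # it is Exim's nearest equivalent to "HELO must match your FQDN".
  deny    condition = ${if eq{$interface_port}{25}}
          !verify   = helo
          message   = HELO name $sender_helo_name does not verify

  # Inbound mail for our own domains only; anything else is relay abuse.
  accept  domains = +local_domains
          endpass
          verify  = recipient

  deny    message = relay not permitted

######################################################################
# Authenticators
######################################################################
begin authenticators

# PLAIN, advertised only on port 587 and only once TLS is up, so the
# EHLO response on port 25 or on a cleartext session never invites a
# password.  (Bill's ${if eq{$tls_cipher}{}{no}{yes}} is the same test
# for the TLS half, written for older Exim.)
plain_tls_587:
  driver                     = plaintext
  public_name                = PLAIN
  server_prompts             = :
  server_advertise_condition = ${if and{{eq{$interface_port}{587}}\
                                        {def:tls_in_cipher}}{yes}{no}}
  # /etc/exim/passwd (assumed): one "user: {crypt}hash" line per account
  server_condition = ${if crypteq{$auth3}\
                        {${lookup{$auth2}lsearch{/etc/exim/passwd}{$value}fail}}}
  server_set_id    = $auth2
```

Check it before deploying: `exim -C /path/to/configure -bV` catches syntax errors, and `exim -bh <client-ip>` walks the ACLs for a simulated session from that address (with `-oMi <interface-ip>.<port>` to make it look like a port 25 or port 587 arrival), so you can confirm that a cleartext AUTH attempt on 587 is refused and that an unauthenticated client on 25 still hits the rDNS and DNSBL tests.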
