> On 16 Jul 2015, at 16:35, 3YSTech Services <3ystechservi...@gmail.com> wrote:
>
> All clients are Linux clients and EXIM server is a relay with several
> source IPs. No usernames/password exchanges in AUTH time.

Oh, OK. Try looking under T:TLS:require… at http://www.exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html

> On Thu, Jul 16, 2015 at 11:31 AM, Viktor Dukhovni <exim-us...@dukhovni.org>
> wrote:
>
>> On Thu, Jul 16, 2015 at 11:17:54AM -0400, 3YSTech Services wrote:
>>
>>> added exactly that to conf file and still passes unencrypted smtp
>>> connections.
>>
>> The logical thing to do is to restrict SASL authentication to TLS,
>> and also require SASL authentication.
>>
>> I assume it is possible in Exim to only offer "AUTH" after STARTTLS,
>> in which case do that first. Then only allow relaying for SASL
>> authenticated clients (without accidentally enforcing SASL auth
>> for inbound mail addressed to your own domains).
>>
>> Basically mimic the equivalent of the Postfix:
>>
>>     # Allow SASL auth only for TLS encrypted channels
>>     #
>>     smtpd_tls_auth_only = yes
>>
>>     # Allow relaying only for SASL authenticated clients
>>     #
>>     smtpd_relay_restrictions =
>>         permit_sasl_authenticated,
>>         reject_unauth_destination
>>
>> [ The above just illustrates the problem decomposition in a form
>> most familiar to me. I am not here to advocate for Postfix. ]
>>
>> --
>> Viktor.
>>
>> --
>> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
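
One way to verify the first step suggested in the thread (AUTH offered only after STARTTLS) is to compare the server's EHLO reply before and after the TLS handshake. The following is an added example, not part of the original messages or of Exim; the function names `parse_ehlo` and `audit`, the host name and the sample replies are constructed for illustration.

```python
def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    extensions = {}
    for i, line in enumerate(reply.strip().splitlines()):
        # Every line is "250-..." (continuation) or "250 ..." (last line).
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"not a 250 reply line: {line!r}")
        if i == 0:
            continue  # first line is the greeting, not an extension
        # Tolerate the legacy "AUTH=PLAIN LOGIN" spelling some servers emit.
        parts = line[4:].replace("=", " ").split()
        if parts:
            params = [p.upper() for p in parts[1:]]
            extensions.setdefault(parts[0].upper(), []).extend(params)
    return extensions


def audit(pre_tls: str, post_tls: str) -> list:
    """Return findings for one server, given its EHLO reply on the
    cleartext session and its EHLO reply after STARTTLS completed."""
    before, after = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered on the cleartext session")
    if "AUTH" in before:
        findings.append("AUTH advertised before STARTTLS: "
                        + " ".join(before["AUTH"]))
    if "AUTH" not in after:
        findings.append("AUTH not advertised after STARTTLS")
    if "STARTTLS" in after:  # RFC 3207 forbids re-offering it inside TLS
        findings.append("STARTTLS still advertised inside the TLS session")
    return findings


# Constructed sample replies (not captured from a real server).
WEAK_PRE = ("250-mail.example.test Hello client\r\n250-SIZE 52428800\r\n"
            "250-AUTH PLAIN LOGIN\r\n250-STARTTLS\r\n250 HELP\r\n")
GOOD_PRE = ("250-mail.example.test Hello client\r\n250-SIZE 52428800\r\n"
            "250-STARTTLS\r\n250 HELP\r\n")
POST_TLS = ("250-mail.example.test Hello client\r\n250-SIZE 52428800\r\n"
            "250-AUTH PLAIN LOGIN\r\n250 HELP\r\n")

if __name__ == "__main__":
    for name, pre in (("weak", WEAK_PRE), ("good", GOOD_PRE)):
        print(name, audit(pre, POST_TLS) or "OK")
```

This checks only what the server advertises; whether unauthenticated clients can still relay, the second step in the thread, needs a separate test.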