On Sat, 25 Jun 2022, Mark Elkins via Exim-users wrote:

Not sure if I'm missing the boat or what, but for one of my users to send email they must use the mail submission port 587 and nothing else. That's on a server that only listens on port 587. This works fine until a user "shares" their password. I also have a script that looks at how many emails are in the send queue and gets excited if it grows too large. They use port 587 with STARTTLS encryption.

My users cannot send mail via port 25 (or 465) with user authentication by design - on the other mail server that they fetch (POP3@995/IMAP@993) mail from.

I am curious. Why do you not allow your users to use port 465?
RFC 8314 https://datatracker.ietf.org/doc/html/rfc8314#section-7.3
repurposed this as a mail *submission* port with Implicit TLS.

If your users could submit on 465 they would not be susceptible to
more than 40 vulnerabilities in STARTTLS implementations https://nostarttls.secvuln.info/

[ I should document CVE-2021-38371:
 before exim 4.95 exim probably was exposed to a man-in-the
 middle attack on STARTTLS when *sending* email, though it
 is not clear how it could have been exploited.
 However a change which was included in 4.95 happened
 to fix the problem.
]

--
Andrew C. Aitchison                      Kendal, UK
                   and...@aitchison.me.uk
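For readers who want to offer the RFC 8314 implicit-TLS submission port alongside STARTTLS on 587, here is an added Exim main-configuration fragment (not from either poster, and not the original poster's own setup). The certificate and key paths are placeholders; everything else uses standard Exim main options.

```exim
# Listen for submission on both ports. 587 keeps STARTTLS for existing
# clients; 465 is added so clients can use implicit TLS (RFC 8314 s.7.3).
daemon_smtp_ports = 587 : 465

# On 465 Exim starts the TLS handshake immediately after the TCP connect,
# so there is no plaintext STARTTLS negotiation for a MITM to tamper with.
tls_on_connect_ports = 465

# Still offer STARTTLS to everyone on 587.
tls_advertise_hosts = *

# Placeholder paths: substitute your own certificate and private key.
tls_certificate = /etc/exim/ssl/submission-cert.pem
tls_privatekey  = /etc/exim/ssl/submission-key.pem

# Advertise AUTH only once the session is encrypted ($tls_in_cipher is
# empty on a plaintext connection), so passwords are never offered in the
# clear on either port.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
```

After changing the listening ports, the firewall in front of the submission host has to allow 465 as well, and a restart (not just a reload) of the daemon is needed for the new port to be bound.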

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
