Mailing List Archive

How can I require TLS for mail submission?
It works fine now for voluntary TLS mail submission. What do I have to do
to make it mandatory? With all of the mobile devices these days, this
should be the most asked question on the list. Users are giving away their
user name and password all day long at hot spots in coffee shops and
airports if they are not forced to use TLS like all of the large E-mail
services require these days.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: How can I require TLS for mail submission?
On Sunday, April 29, 2012 at 01:08:50 UTC, Jack.Toering@LeadingEdgeITA.com confabulated:

> It works fine now for voluntary TLS mail submission. What do I have to do
> to make it mandatory? With all of the mobile devices these days, this
> should be the most asked question on the list. Users are giving away their
> user name and password all day long at hot spots in coffee shops and
> airports if they are not forced to use TLS like all of the large E-mail
> services require these days.

Here's what I use. It accepts connections from hosts the server relays
for, connections on port 25, and encrypted connections.
Connections to any other enabled port must have TLS enabled.
Otherwise, they get dropped.

...
acl_smtp_auth = acl_check_auth
...
acl_check_auth:
...
  accept  hosts      = +relay_from_hosts
  accept  condition  = ${if eq{$received_port}{25}}
  accept  encrypted  = *
  drop    message     = Your connection must be encrypted.
          log_message = Connection from \
                        [$sender_host_address]($authenticated_id) was \
                        not encrypted.
...

--
If at first you don't succeed...
...so much for skydiving.


Re: How can I require TLS for mail submission?
Hi,

On Sat, Apr 28, 2012 at 21:08:50 -0400, Jack Toering wrote:
> It works fine now for voluntary TLS mail submission. What do I have to do
> to make it mandatory? With all of the mobile devices these days, this
> should be the most asked question on the list. Users are giving away their
> user name and password all day long at hot spots in coffee shops and
> airports if they are not forced to use TLS like all of the large E-mail
> services require these days.

I use this:

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}


Best,

Moritz
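
A way to verify the result from the client side, added here as an example and not taken from either poster or from Exim: it checks that a submission port lists AUTH only in the EHLO reply sent after STARTTLS. The function names, the default port 587 and the sample replies are assumptions made for this example.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from a real server).
PLAIN_LEAKY = "250-mail.example.test Hello\n250-AUTH PLAIN LOGIN\n250-STARTTLS\n250 HELP"
PLAIN_GOOD = "250-mail.example.test Hello\n250-SIZE 52428800\n250-STARTTLS\n250 HELP"
AFTER_TLS = "250-mail.example.test Hello\n250-SIZE 52428800\n250-AUTH PLAIN LOGIN\n250 HELP"

def auth_offered(ehlo_text):
    """True if an EHLO reply (one extension per line) advertises AUTH."""
    for line in ehlo_text.splitlines():
        # Drop a raw "250-" / "250 " prefix; smtplib has already removed it.
        if line[:3].isdigit() and line[3:4] in ("-", " "):
            line = line[4:]
        words = line.strip().upper().split()
        if words and (words[0] == "AUTH" or words[0].startswith("AUTH=")):
            return True
    return False

def verdict(plain_ehlo, tls_ehlo):
    """Classify a port from its EHLO replies before and after STARTTLS.
    tls_ehlo is None when the server did not offer STARTTLS."""
    if auth_offered(plain_ehlo):
        return "FAIL: AUTH advertised on the unencrypted connection"
    if tls_ehlo is None:
        return "FAIL: STARTTLS not offered"
    if not auth_offered(tls_ehlo):
        return "WARN: AUTH not advertised even after STARTTLS"
    return "OK: AUTH advertised only after STARTTLS"

def probe(host, port=587, timeout=10):
    """Live check against a server you administer (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        _, plain = s.ehlo()
        tls = None
        if s.has_extn("starttls"):
            # The default context verifies the certificate and host name.
            s.starttls(context=ssl.create_default_context())
            _, reply = s.ehlo()
            tls = reply.decode(errors="replace")
        return verdict(plain.decode(errors="replace"), tls)

if __name__ == "__main__":
    print(verdict(PLAIN_LEAKY, AFTER_TLS))
    print(verdict(PLAIN_GOOD, AFTER_TLS))
```

This tests advertisement only, so a server that enforces TLS solely through an acl_smtp_auth rule still lists AUTH in the cleartext reply and needs the AUTH command itself tested.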
