Exim config: possible to use AUTH *only* on port 587?

List, good evening,

Been setting up Exim and Dovecot to work together. Inbound mail is
working, stored in maildirs and served by Dovecot using IMAP over SSL.
Exim is also working as an authenticated (only) relay for when our
users want to send or reply to email while offsite, and set up so that
authentication is *only* capable when TLS is used (so that passwords
are not transmitted in clear), and authentication is validated by
Dovecot, not Exim. So far, so good.

But TLS, Authentication and Relay-if-authenticated is available on
port 25 (only port 25, at the moment, I haven't yet configured Exim to
listen on 587).

I don't want to have the system capable of accepting AUTH on port 25.
I do need to configure Exim to use 25 for inter-MTA mail, and I'd
like to *disable* AUTH on port 25 whilst still allowing STARTTLS for
any peer MTAs that wish to use it. I'd like to use 587 as the mail
submission port (i.e., from MUAs), allow (insist, I'd prefer) TLS, and
only allow AUTH on 587 after an enciphered link is set up (this last
aspect is standard in Exim 4.80, the release version in Wheezy).

Summarising:

Port 25:
    SMTP, STARTTLS, no AUTH, no relay
Port 587:
    SMTP, STARTTLS, AUTH if encrypted, relay if authenticated

I cannot see how to do this. My reading of the Exim config options is
that we can have:

    SMTP, STARTTLS, AUTH only over encrypted, relay only if authenticated,

but that config has to be the same on all enabled ports. The port enabler
is (for example):

    daemon_smtp_ports = 25 : 587

which doesn't seem to allow a different set of 'capabilities' on
different ports.

Does anyone using Exim know of a way to achieve the AUTH and relay
capability I want but only on 587?

[I realise there is a specialist Exim list in Debian and I'm happy to
ask there if folk here think that would be more appropriate.]

Grateful for any replies, regards, Ron
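
Added example, not part of the original post: a small Python check that audits the EHLO capability lists seen before and after STARTTLS against the per-port policy summarised above. The host names, addresses and transcripts are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit EHLO capability lists against the per-port policy.
# All transcripts are constructed sample data, not output from a real server.
POLICY = {  # port -> should AUTH be advertised once TLS is up?
    25: False,   # inter-MTA: STARTTLS, no AUTH
    587: True,   # submission: STARTTLS, AUTH only when encrypted
}

def ehlo_keywords(reply):
    """Return the upper-cased ESMTP keywords from a multi-line 250 reply."""
    keywords = set()
    for line in reply.strip().splitlines()[1:]:   # line 1 is the greeting
        if line.startswith("250") and len(line) > 4:
            # "250-AUTH PLAIN LOGIN" and legacy "250-AUTH=PLAIN" both give AUTH
            keywords.add(line[4:].split()[0].split("=")[0].upper())
    return keywords

def audit(port, before_tls, after_tls):
    """List policy violations given the EHLO replies before and after STARTTLS."""
    pre, post = ehlo_keywords(before_tls), ehlo_keywords(after_tls)
    problems = []
    if "STARTTLS" not in pre:
        problems.append(f"port {port}: STARTTLS not offered")
    if "AUTH" in pre:
        problems.append(f"port {port}: AUTH advertised before TLS")
    if "AUTH" in post and not POLICY[port]:
        problems.append(f"port {port}: AUTH advertised after TLS")
    if "AUTH" not in post and POLICY[port]:
        problems.append(f"port {port}: AUTH missing after TLS")
    return problems

PRE_TLS = """250-mail.example.org Hello client.example.net [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""

POST_TLS_WITH_AUTH = """250-mail.example.org Hello client.example.net [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP"""

POST_TLS_NO_AUTH = POST_TLS_WITH_AUTH.replace("250-AUTH PLAIN LOGIN\n", "")

if __name__ == "__main__":
    # State described in the post: port 25 offers AUTH once TLS is up.
    print(audit(25, PRE_TLS, POST_TLS_WITH_AUTH))
    # Target state from the summary: both ports pass.
    print(audit(25, PRE_TLS, POST_TLS_NO_AUTH), audit(587, PRE_TLS, POST_TLS_WITH_AUTH))
```

The check covers only what each port advertises; it does not test whether an unadvertised AUTH command would be accepted.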