4

As my webmailer does not support STARTTLS and I want to enable relaying for everyone at localhost, I would like to have Exim advertise AUTH PLAIN and LOGIN only without TLS if the connection was established from localhost.

So in other words, I would like to have Exim advertise the following possibilities depending on the client connected:

  • localhost (before TLS):
    • AUTH PLAIN
    • AUTH LOGIN
    • STARTTLS
  • any other host (before TLS):
    • STARTTLS
  • any other host (after TLS):
    • AUTH PLAIN
    • AUTH LOGIN

So that in the end I can ensure that login information is only transmitted through loopback or through an encrypted connection.

My guess is that the correct line to do this would be where we require TLS from everyone in the authenticators section:

plain:
  public_name = PLAIN
  server_advertise_condition = ${if !eq{$tls_cipher}{}{yes}{no} }
  # ...

But I can't find a way to check which client is currently connected. My best guess, $host (which seems to be used in some of the config examples), is always undefined.

Any ideas how I could get this to work?

Hurzelchen

1 Answer

3

You have to set auth_advertise_hosts in the following way:

. . . . . .
daemon_smtp_ports    = 25 : 465 : 587
tls_advertise_hosts  = *
tls_on_connect_ports =      465 : 587
auth_advertise_hosts = localhost : ${if eq{$tls_cipher}{}{nope}{*}}
. . . . . .

If the sender uses TLS, auth_advertise_hosts will be expanded to localhost : *. Otherwise it will be expanded to localhost : nope. Localhost will be invited to authenticate anyway, while other hosts only when they use TLS (because the pattern nope will not match any real host).

Kondybas
  • I edited my question hoping to make my goal clearer. I only want to allow AUTH to be advertised to localhost or someone with an encrypted connection, way before any ACL would be evaluated. – Hurzelchen Aug 05 '14 at 21:58
  • Why do you want to authenticate senders already authenticated to the localhost? Keep in mind that there are a lot of messages sent from localhost that cannot be authenticated at all, e.g. messages sent by cron and the like. – Kondybas Aug 05 '14 at 22:02
  • I currently don't have localhost in my relay_from_hosts, so the webmailer authenticates when connecting via SMTP to localhost. But the webmailer doesn't support STARTTLS, so it should be the only one allowed to authenticate without STARTTLS. – Hurzelchen Aug 05 '14 at 22:09
  • I've changed my answer. – Kondybas Aug 05 '14 at 22:40
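A fuller version of the approach in the answer, written here as an added example; it is not taken from the question or the answer. It assumes Exim 4.80 or later, where the inbound cipher variable is called `$tls_in_cipher` (`$tls_cipher`, as used in the question, is the pre-4.80 name and is still accepted), and a hypothetical password file `/etc/exim4/passwd` with one `user:{crypt}hash` line per account; the certificate paths are placeholders too. The client address the question was looking for is `$sender_host_address`; `$host` is only set in routers and transports, which is why it was empty here. Both gates are evaluated when EHLO is processed, before any ACL runs, and they are evaluated again after STARTTLS because the client has to send a fresh EHLO. Two details differ from the answer's snippet: the loopback addresses are listed explicitly (`127.0.0.1 : ::1`) rather than as the name `localhost`, so the check needs no name lookup and covers IPv6 loopback; and 587 is left as a STARTTLS port, since submission clients expect to negotiate TLS on 587 while implicit TLS belongs on 465. An empty expansion result for `auth_advertise_hosts` is a host list that matches nothing, which is the form the Exim specification itself uses for this; the answer's `nope` pattern achieves the same thing.

```exim
# ---- main section -------------------------------------------------------
daemon_smtp_ports    = 25 : 465 : 587
tls_advertise_hosts  = *
tls_on_connect_ports = 465                    # implicit TLS only here; 587 uses STARTTLS
tls_certificate      = /etc/exim4/exim.crt    # assumed path
tls_privatekey       = /etc/exim4/exim.key    # assumed path

# Expanded at EHLO time (and again after STARTTLS). Loopback always sees AUTH;
# any other client only once $tls_in_cipher is non-empty, i.e. TLS is up.
# The empty result in the no-TLS branch is a host list matching no host.
auth_advertise_hosts = 127.0.0.1 : ::1 : ${if eq{$tls_in_cipher}{}{}{*}}

# Same rule as a macro, used per authenticator below as a second, independent
# gate, so AUTH stays hidden even if auth_advertise_hosts is widened by mistake.
# $sender_host_address is the connecting client's IP during the SMTP session.
AUTH_PLAINTEXT_OK = ${if or {{eq{$sender_host_address}{127.0.0.1}} \
                             {eq{$sender_host_address}{::1}} \
                             {!eq{$tls_in_cipher}{}}} {yes}{no}}

# ---- authenticators -----------------------------------------------------
begin authenticators

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  # For PLAIN, $auth2 is the user name and $auth3 the password.
  # Hypothetical file: one "user:{crypt}hash" per line; unknown users get "*",
  # which never matches a crypt comparison.
  server_condition = ${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}{*:*}}}}}{1}{0}}
  server_set_id = $auth2
  server_advertise_condition = AUTH_PLAINTEXT_OK

login:
  driver = plaintext
  public_name = LOGIN
  # Colons are list separators in Exim, so the prompt's own colon is doubled.
  server_prompts = Username:: : Password::
  # For LOGIN, $auth1 is the user name and $auth2 the password.
  server_condition = ${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{/etc/exim4/passwd}{$value}{*:*}}}}}{1}{0}}
  server_set_id = $auth1
  server_advertise_condition = AUTH_PLAINTEXT_OK
```

To check the result without a real client, run `exim -bh 203.0.113.5` (a fake SMTP session as if from that address; you type the commands) and send `EHLO test`: the 250 response must not contain an AUTH line. Repeat with `exim -bh 127.0.0.1` and the `250-AUTH PLAIN LOGIN` line should appear. For the encrypted path, connect with `openssl s_client -starttls smtp -connect mail.example.org:587`, send `EHLO test` once the handshake has completed, and confirm that AUTH is now advertised. `exim -be '${if eq{$tls_in_cipher}{}{}{*}}'` only confirms the expansion syntax, since no TLS session exists in that mode and it will print the empty branch.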