Exim force TLS for specific destination domain

eximtls

I need to configure Exim to require TLS when sending emails to a specific domain.

I know that I can use

 hosts_require_tls = host

in the smtp transport. But it sounds like that requires that I set the host of the receiving mail server. I would instead like to specify the domain.

Also, if I use this, will all other hosts/domains work without TLS? Just want to confirm before I implement.

Thanks.

Best Answer

you can use the recipient ACL and use the encrypted condition, see here.

deny
    domains = secure.mail.org
    ! encrypted = *

EDIT

To force sending encrypted mail to some domains, you can create a "required tls" transport (specifying host_require_tls), and then create a router for the domains you want, e.g (untested):

begin router

tls_router:
    driver = accept
    domains = secure.mail.com
    transport = tls_smtp

begin transport

tls_smtp:
    driver = smtp
    hosts_require_tls = *

Related Solutions

Linux – How To Tell SendMail To Explicitly NOT Try TLS For A Domain

In the /etc/mail/access file, add the line:

Try_TLS:broken.server   NO

Exim and TLS AUTH not working for some clients

Use the -showcerts option to the openssl s_client command. It prints out the entire chain of server-provided certificates rather than just the server certificate (it shows the intermediates too). In your case the error indicates simply that you've failed to install the requisite intermediate certificate along with the server certificate. As the previous poster mentioned, you must concatenate the server and intermediate certificates - actually as a best practice, tack on the root certificate too, so that the server will present the entire chain rather than just the leaf certificate standing alone. The server certificate cannot stand alone because the intermediate is not particularly trusted, rather only the root certificates are trusted. You must trace fully back to one of these. Once you have everything chained properly, the openssl s_client test will either indicate "self signed certificate in chain" OR "verified ok", but not "unable to find local issuer certificate" - that is at least if you tie in the root certificate too, which is as I've recommended.

Best Answer

Related Solutions

Linux – How To Tell SendMail To Explicitly NOT Try TLS For A Domain

Exim and TLS AUTH not working for some clients

Related Topic