Exim4 require TLS for all hosts but localhost

Tags: authentication, exim, smtp

As my webmail client does not support STARTTLS and I want to enable relaying for everyone at localhost, I would like to have Exim advertise AUTH PLAIN and LOGIN without TLS only if the connection was established from localhost.

So in other words, I would like to have Exim advertise the following possibilities depending on the client connected:

  • localhost (before TLS):
    • AUTH PLAIN
    • AUTH LOGIN
    • STARTTLS
  • any other host (before TLS):
    • STARTTLS
  • any other host (after TLS):
    • AUTH PLAIN
    • AUTH LOGIN

So that in the end I can ensure that login information is only transmitted through loopback or through an encrypted connection.

My guess is that the correct place to do this would be where we require TLS from everyone in the authenticators section:

plain:
  public_name = PLAIN
  server_advertise_condition = ${if !eq{$tls_cipher}{}{yes}{no} }
  # ...

But I can't find a way to check which client is currently connected. My best guess $host (which seems to be used in some of the config examples) is always undefined.

Any ideas how I could get this to work?

Best Answer

You have to set auth_advertise_hosts in such a way:

. . . . . .
daemon_smtp_ports    = 25 : 465 : 587
tls_advertise_hosts  = *
tls_on_connect_ports =      465 : 587
auth_advertise_hosts = localhost : ${if eq{$tls_cipher}{}{nope}{*}}
. . . . . .

If the sender uses TLS, auth_advertise_hosts will be expanded to localhost : *. Otherwise auth_advertise_hosts will be expanded to localhost : nope. Localhost will be invited to authenticate anyway, while other hosts only when they use TLS (because the pattern nope will not match any real host).
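To verify that the server actually behaves like the table in the question, here is an added Python checker (not part of the question or answer, and not Exim's own tooling). It parses EHLO replies, extracts the advertised AUTH mechanisms and compares them with the desired policy for each vantage point and TLS state; the `probe()` function does the live EHLO / STARTTLS / EHLO sequence against a real server, while the embedded EHLO replies are constructed samples (the hostnames and addresses in them are made up) so the rest runs offline:

```python
"""Check which AUTH mechanisms an SMTP server advertises before and after
STARTTLS, and compare that against the policy described in the question."""
import smtplib
import ssl

# Desired behaviour from the question, keyed by (vantage point, TLS active):
# localhost may always authenticate; any other host only once TLS is up.
POLICY = {
    ("localhost", False): {"PLAIN", "LOGIN"},
    ("localhost", True): {"PLAIN", "LOGIN"},
    ("remote", False): set(),
    ("remote", True): {"PLAIN", "LOGIN"},
}


def parse_ehlo(reply: bytes) -> dict:
    """Parse a raw multi-line EHLO reply ('250-KEYWORD params') into
    {KEYWORD: params}. The legacy 'AUTH=PLAIN LOGIN' form is normalised."""
    features = {}
    for raw in reply.splitlines():
        line = raw.decode("ascii", "replace").rstrip()
        if len(line) < 4 or not line[:3].isdigit():
            continue  # not an SMTP reply line
        body = line[4:].strip()
        if body.upper().startswith("AUTH="):
            body = "AUTH " + body[5:]
        keyword, _, params = body.partition(" ")
        if keyword:
            features[keyword.upper()] = params.strip()
    return features


def auth_mechanisms(features: dict) -> set:
    """Set of SASL mechanisms named in the AUTH extension, empty if none."""
    return {m.upper() for m in features.get("AUTH", "").split()}


def evaluate(vantage: str, tls_active: bool, advertised: set) -> tuple:
    """Compare advertised mechanisms with POLICY.

    Returns (ok, unexpected, missing): 'unexpected' are mechanisms that must
    not be offered at this point (e.g. PLAIN to a remote client before TLS),
    'missing' are mechanisms the policy expects but the server withheld."""
    allowed = POLICY[(vantage, tls_active)]
    unexpected = advertised - allowed
    missing = allowed - advertised
    return (not unexpected and not missing, unexpected, missing)


def probe(host: str, port: int = 25, context: ssl.SSLContext = None) -> dict:
    """Live check (needs network): EHLO in the clear, then again after
    STARTTLS. Returns {tls_active: advertised mechanisms}. Run it once from
    the mail host itself and once from another machine to cover both rows.
    Pass a context that trusts your CA if the server uses a private cert."""
    context = context or ssl.create_default_context()
    results = {}
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        results[False] = set(smtp.esmtp_features.get("auth", "").upper().split())
        if smtp.has_extn("starttls"):
            smtp.starttls(context=context)
            smtp.ehlo()  # features must be re-read after the TLS handshake
            results[True] = set(smtp.esmtp_features.get("auth", "").upper().split())
    return results


# Constructed sample replies (not captured from a real server) for offline use.
LOCALHOST_PRE_TLS = (
    b"250-mail.example.org Hello localhost [127.0.0.1]\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-AUTH PLAIN LOGIN\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
)
REMOTE_PRE_TLS_OK = (
    b"250-mail.example.org Hello client.example.net [203.0.113.7]\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
)
REMOTE_PRE_TLS_LEAKY = (  # what a misconfigured server looks like
    b"250-mail.example.org Hello client.example.net [203.0.113.7]\r\n"
    b"250-AUTH=PLAIN LOGIN\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
)

if __name__ == "__main__":
    for name, vantage, reply in [
        ("localhost pre-TLS", "localhost", LOCALHOST_PRE_TLS),
        ("remote pre-TLS (ok)", "remote", REMOTE_PRE_TLS_OK),
        ("remote pre-TLS (leaky)", "remote", REMOTE_PRE_TLS_LEAKY),
    ]:
        ok, unexpected, missing = evaluate(vantage, False, auth_mechanisms(parse_ehlo(reply)))
        print(f"{name}: {'OK' if ok else 'VIOLATION'} "
              f"unexpected={sorted(unexpected)} missing={sorted(missing)}")
```

The point of the second EHLO in `probe()` is that Exim re-evaluates auth_advertise_hosts once $tls_cipher is set, so the mechanism list seen before STARTTLS and the one seen after it are what the question's table is about; a remote pre-TLS result containing PLAIN or LOGIN is the credential leak the configuration is meant to prevent.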