I am learning to set up a mail server. I got it working with Postfix, and now I am trying the same configuration with Exim. How can I force a client to use only STARTTLS connections for outgoing SMTP? I followed the instructions in this question.
Require STARTTLS for sending email in exim
My config now looks as follows:
MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTIFICATE = /etc/ssl/certs/ssl-cert-snakeoil.pem
MAIN_TLS_PRIVATEKEY = /etc/ssl/private/ssl-cert-snakeoil.key
.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
Restarted Exim, no errors.
Then I ran some tests on http://checktls.com/
The TestSender passed, I could send email under secure communication. But TestSenderAssureTLS failed, the website could negotiate an unencrypted communication.
What am I missing?
When I create an account with Thunderbird, it autodetects an insecure SMTP channel, not one with STARTTLS. Setting up the account and sending email succeeds. However, when I make an SMTP conversation from the shell of a computer in the network, no authentication is advertised. It looks as follows:
EHLO <subdomain>.<domain>
250-betelgeuse Hello <subdomain>.<domain> [10.0.14.34]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
AUTH LOGIN
503 AUTH command used when not advertised
Could somebody point me to what I am missing, and how I can make better tests?
On a related topic, how can I advertise the configuration I wish to clients doing autodetect?
Thank you.
Best Answer
A STARTTLS connection needs to start unsecured. The STARTTLS option is not advertised until after the first EHLO command. If you want to enforce STARTTLS you will need to add or modify an ACL. I published the Email Policy I apply. If this server is your MX, you should not enforce STARTTLS on all connections. My configuration requires STARTTLS for connections requiring AUTH. This does not include connections from my LAN, but does apply to users sending email from my server while roaming. I also require that authentication occurs on the submission port. This is the basics of the ACL I use.
# Default deny
deny message = AUTH not accepted
You could also enforce TLS in a mail ACL. This ACL allows external senders to send mail in. You should consider using defer instead of deny while testing the ACLs. The ACLs are enabled by adding acl statements to the main section of the configuration, and the above ACLs to the ACL section.
acl_smtp_auth = acl_local_auth
acl_smtp_mail = acl_local_mail_from
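A complete version of the two ACL hooks the answer names, written here as an added example and not the answerer's published configuration. It assumes port 587 is the submission port and takes 10.0.14.0/24 as the LAN from the address in the question's transcript.

```exim
# Main section: hook the ACLs into the AUTH and MAIL FROM stages
acl_smtp_auth = acl_local_auth
acl_smtp_mail = acl_local_mail_from

begin acl

acl_local_auth:
  # With the question's auth_advertise_hosts setting, AUTH is only advertised
  # once STARTTLS is up, which is why the cleartext session in the question
  # got a 503. This ACL makes the refusal explicit: AUTH is accepted only on
  # an encrypted session and only on the submission port (587, assumed).
  accept  encrypted = *
          condition = ${if eq{$interface_port}{587}}
  # Default deny
  deny    message   = AUTH not accepted: use STARTTLS on port 587

acl_local_mail_from:
  # LAN hosts (10.0.14.0/24, assumed from the question's transcript) may
  # submit without TLS.
  accept  hosts     = 10.0.14.0/24
  # Roaming users on the submission port must have negotiated STARTTLS
  # before MAIL FROM. Swap "deny" for "defer" while testing so that
  # misconfigured clients retry instead of bouncing.
  deny    message   = STARTTLS required before MAIL FROM on port 587
          condition = ${if eq{$interface_port}{587}}
         !encrypted = *
  # Port 25 (MX) traffic stays opportunistic, so remote MTAs that cannot
  # do TLS can still deliver inbound mail.
  accept
```

You can step through these ACLs without a real client using `exim -bh 10.0.14.34` (the address from the question's transcript), which simulates an inbound SMTP session and prints which ACL statements fire.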