How to force STARTTLS in Exim

Tags: exim, starttls

I am learning to set up a mailserver. I got it working with Postfix, now I am trying the same configuration with Exim. How can I force a client to use only a STARTTLS connection for outgoing SMTP? I followed the instructions in this question.

Require STARTTLS for sending email in exim

My config now looks as follows:

MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTIFICATE = /etc/ssl/certs/ssl-cert-snakeoil.pem
MAIN_TLS_PRIVATEKEY = /etc/ssl/private/ssl-cert-snakeoil.key

.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
# closes the .ifdef MAIN_TLS_ENABLE block above
.endif

auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

Restarted Exim, no errors.
Then I ran some tests in http://checktls.com/

The TestSender passed, I could send email under secure communication. But TestSenderAssureTLS failed, the website could negotiate an unencrypted communication.

What am I missing?

When I create an account with Thunderbird, it autodetects an insecure SMTP channel, not one with STARTTLS. Setting up the account and sending email succeeds. However, when I make an SMTP conversation from the shell of a computer in the network, no authentication is advertised. It looks as follows:

EHLO <subdomain>.<domain>
250-betelgeuse Hello <subdomain>.<domain> [10.0.14.34]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
AUTH LOGIN
503 AUTH command used when not advertised

Could somebody point me to what I am missing, and how I can make better tests?
On a related topic, how can I advertise the configuration I wish to clients doing autodetection?
Thank you.

Best Answer

A STARTTLS connection needs to start unsecured. The STARTTLS option is not advertised until after the first EHLO command. If you want to enforce STARTTLS you will need to add or modify an ACL. I published the Email Policy I apply.

If this server is your MX, you should not enforce STARTTLS on all connections. My configuration requires STARTTLS for connections requiring AUTH. This does not include connections from my LAN, but does apply to users sending email from my server while roaming. I also require that authentication occur on the submission port. These are the basics of the ACL I use.

# This access control list is used after an auth command.
acl_local_auth:

# Deny authentication on unencrypted links
deny
  !encrypted = *
  message = AUTH encryption is required

# Deny if AUTH isn't on submission port (autolist enabled)
deny
   !condition = ${if eq {$interface_port}{587}}
   message = AUTH requires submission port

# Accept if encrypted (should not get here if unencrypted)
accept
  encrypted = *

# Default deny
deny
  message = AUTH not accepted

You could also enforce TLS in a mail ACL. This ACL allows external senders to send mail in.

# This access control list is used for every MAIL FROM command in an
# incoming SMTP message. 
acl_local_mail_from:

# Accept if locally trusted hosts
accept
  hosts = : +relay_from_hosts

# Accept if authenticated
## May want to check domain is local
accept
  authenticated = *

# Accept the null sender - bounce messages and receipts
accept
  senders = :

# Accept if not local domain - recipient ACL will handle relaying
# More checks on sender in recipient ACL.
accept
  !hosts = : +relay_from_hosts
  !sender_domains = +local_domains

# Default deny
deny
  message = $sender_address is not authorized to send email on this connection.

You should consider using defer instead of deny while testing the ACLs. The ACLs are enabled by adding acl statements to the main section of the configuration, and the above ACLs to the ACL section.

acl_smtp_auth = acl_local_auth
acl_smtp_mail = acl_local_mail_from
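To answer the "how can I make better tests" part from the shell, here is an added example (not code from the question, the answer, or Exim) that audits what a server advertises before and after STARTTLS. The two EHLO replies are constructed samples: the first copies the transcript in the question, the second is what the same Exim should answer after STARTTLS once auth_advertise_hosts depends on $tls_in_cipher. live_check() runs the same audit against a host and port you choose; the hostname in the usage note is a placeholder.

```python
"""Audit STARTTLS/AUTH advertising on an SMTP submission server.

Added example, not part of the original Q&A. The policy it checks is the
one the answer describes: AUTH must only be offered after STARTTLS.
"""
import smtplib
import ssl

# Constructed sample: cleartext EHLO reply as shown in the question.
CLEARTEXT_EHLO = """250-betelgeuse Hello client.example.test [10.0.14.34]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""

# Constructed sample: expected reply on the same session after STARTTLS.
TLS_EHLO = """250-betelgeuse Hello client.example.test [10.0.14.34]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP"""


def parse_ehlo(reply):
    """Return the set of extension keywords (upper-cased) in an EHLO reply.

    Accepts the raw multi-line '250-...' reply or smtplib's ehlo_resp
    (bytes, status codes already stripped). The first line is the server
    greeting, not an extension, so it is skipped.
    """
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    keywords = set()
    for line in reply.splitlines()[1:]:
        line = line.strip()
        if len(line) > 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]          # drop a leading '250-' or '250 '
        parts = line.split()
        if parts:
            keywords.add(parts[0].upper())
    return keywords


def audit(clear_ext, tls_ext=None):
    """Return a list of policy findings; an empty list means the server
    behaves as the answer describes (AUTH only after STARTTLS)."""
    findings = []
    if "STARTTLS" not in clear_ext:
        findings.append("STARTTLS not advertised on the cleartext session")
    if "AUTH" in clear_ext:
        findings.append("AUTH advertised before STARTTLS; credentials "
                        "could be sent in the clear")
    if tls_ext is not None and "AUTH" not in tls_ext:
        findings.append("AUTH not advertised after STARTTLS; encrypted "
                        "submission is impossible")
    return findings


def live_check(host, port=587, timeout=10):
    """Run the audit against a real server (host and port are your own).

    The default SSL context verifies the certificate, so a self-signed
    snakeoil certificate makes starttls() raise; that is itself a finding.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        clear_ext = parse_ehlo(smtp.ehlo_resp)
        tls_ext = None
        if "STARTTLS" in clear_ext:
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()              # extensions must be re-read after TLS
            tls_ext = parse_ehlo(smtp.ehlo_resp)
    return audit(clear_ext, tls_ext)


if __name__ == "__main__":
    print("sample audit:", audit(parse_ehlo(CLEARTEXT_EHLO),
                                 parse_ehlo(TLS_EHLO)) or "OK")
```

Run `live_check("mail.example.test", 587)` (placeholder host) from a machine outside the relay_from_hosts list; an empty result means AUTH is hidden on the cleartext session and offered after STARTTLS, which is what the ACL and the auth_advertise_hosts setting above are meant to produce. Repeat it from a LAN host to confirm the "not from my LAN" exception behaves as intended rather than leaking AUTH over cleartext.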