
I have the following config in exim.cnf

    daemon_smtp_ports = 25:465
    ######################## Exim TLS
    tls_advertise_hosts = *
    tls_on_connect_ports = 465

    tls_certificate=/opt/ssl/certs/server.crt
    tls_privatekey=/opt/ssl/certs/server.key

How do I deny authentication on port 25? Currently authentication is allowed on both ports: 25 (PLAIN) and 465 (SSL).

Artex

1 Answer

The common solution is to advertise AUTH only to those hosts that have chosen STARTTLS after an unencrypted connection to port 25:

    auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

After the STARTTLS command is performed and the TLS connection is established, the $tls_cipher variable for the current session becomes non-empty. The client is now advertised that AUTH is allowed while the session is secured by TLS, and no plaintext passwords are passed over the unencrypted connection.

Sure, you can disable AUTH advertising completely with

    auth_advertise_hosts =

but that is not the best choice.

Kondybas
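
One way to confirm the effect of either `auth_advertise_hosts` setting from the client side, as an added example that is not part of the original answer: compare the EHLO reply on port 25 before and after STARTTLS. The function names, finding labels and sample EHLO replies are this example's own (the replies are constructed); `probe` assumes a server you administer and is not called here.

```python
import smtplib

def auth_mechanisms(ehlo_reply):
    """Return the set of SASL mechanisms advertised in an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        text = line.strip()
        # Accept raw wire lines ("250-AUTH PLAIN") and smtplib's code-stripped form.
        if text[:3].isdigit() and text[3:4] in ("-", " "):
            text = text[4:]
        words = text.replace("=", " ").split()  # some servers send "AUTH=PLAIN LOGIN"
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return mechs

def audit(pre_tls, post_tls):
    """Compare EHLO replies taken before and after STARTTLS on port 25."""
    findings = []
    if auth_mechanisms(pre_tls):
        findings.append("auth-offered-in-cleartext")
    if not auth_mechanisms(post_tls):
        findings.append("auth-missing-after-starttls")
    return findings

def probe(host, port=25, timeout=10):
    """Live check against a server you administer (hypothetical host argument)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = s.ehlo_resp.decode("ascii", "replace")
        s.starttls()  # raises SMTPNotSupportedError if STARTTLS is not offered
        s.ehlo()      # extensions must be re-read after the TLS handshake
        post = s.ehlo_resp.decode("ascii", "replace")
    return audit(pre, post)

# Constructed EHLO replies (not captured from a real server).
BEFORE_FIX = ("250-mail.example.test Hello\n250-SIZE 52428800\n"
              "250-AUTH PLAIN LOGIN\n250-STARTTLS\n250 HELP")
AFTER_FIX_PRE_TLS = ("250-mail.example.test Hello\n250-SIZE 52428800\n"
                     "250-STARTTLS\n250 HELP")
AFTER_FIX_POST_TLS = ("250-mail.example.test Hello\n250-SIZE 52428800\n"
                      "250-AUTH PLAIN LOGIN\n250 HELP")

if __name__ == "__main__":
    print(audit(BEFORE_FIX, AFTER_FIX_POST_TLS))         # original config
    print(audit(AFTER_FIX_PRE_TLS, AFTER_FIX_POST_TLS))  # conditional setting
    print(audit(AFTER_FIX_PRE_TLS, AFTER_FIX_PRE_TLS))   # empty setting
```

An empty result corresponds to the conditional setting; `auth-missing-after-starttls` is what the empty `auth_advertise_hosts =` setting produces on port 25.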