{"id":1662,"date":"2025-04-25T18:05:38","date_gmt":"2025-04-25T16:05:38","guid":{"rendered":"https:\/\/www.shukko.com\/x3\/?p=1662"},"modified":"2025-04-25T18:05:38","modified_gmt":"2025-04-25T16:05:38","slug":"the-new-default-smtp-authentication-policy","status":"publish","type":"post","link":"https:\/\/www.shukko.com\/x3\/2025\/04\/25\/the-new-default-smtp-authentication-policy\/","title":{"rendered":"the new default SMTP authentication policy"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"\ufe0f-block-smtp-authentication-on-port-25-and-plain-text-connections\">\u203c\ufe0f Block SMTP authentication on port 25 and plain-text connections&nbsp;improved<\/h2>\n\n\n\n<p>The Exim configuration is updated to not allow users to perform SMTP authentication on TCP port 25. This means email clients will not be able to use port 25 for sending emails. TCP port 25 will be exclusively used for communication between mail servers, and clients will have to use 587 or 465 ports.<\/p>\n\n\n\n<p>The motivation for this change is to completely separate the mail server-to-server (MTA-to-MTA) communications from client-to-server (MUA-to-MTA) communications. This makes it easier to harden the email submission security. For example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>TCP ports 587 and 465 could use custom firewall rules to only allow sending emails from trusted networks.<\/li>\n\n\n\n<li>It is no longer possible to brute-force the email credentials over the TCP port 25.<\/li>\n<\/ul>\n\n\n\n<p>In addition to blocking SMTP authentication on port TCP 25, Exim will no longer allow SMTP authentication over plain-text connections. This change protects the clients from accidentally misconfiguring email applications to not use encrypted connections. Use of encryption is critical because SMTP authentication uses literal user passwords without any hashing. Accessing SMTP over plaintext at least once is enough for the user credentials to be stolen. 
There is an exception made to allow not using encryption for internal connections over&nbsp;<code>localhost<\/code>.<\/p>\n\n\n\n<p>This is a big change that might affect servers and clients that relied on authentication always being available. This feature is implemented in a way to allow server administrators to restore the old behaviour in a simple way.<\/p>\n\n\n\n<p>The authentication availability on SMTP ports is controlled by the&nbsp;<code>AUTH_ENABLE_CONDITION<\/code>&nbsp;macro in the&nbsp;<code>\/etc\/exim.variables.conf<\/code>&nbsp;file. The new default policy is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>AUTH_ENABLE_CONDITION = ${if and { {!eq{$interface_port}{25}} { or { {def:tls_in_cipher} {match_ip{$sender_host_address}{&lt;; 127.0.0.1 ; ::1}} } } }}\n<\/code><\/pre>\n\n\n\n<p>The policy can be changed by setting it to a different value in the&nbsp;<code>\/etc\/exim.variables.conf.custom<\/code>&nbsp;file and rebuilding the Exim configuration with the&nbsp;<code>da build exim_conf<\/code>&nbsp;command.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Use old (insecure) SMTP authentication policy, authentication always available\nsed -i '\/^AUTH_ENABLE_CONDITION \/d' \/etc\/exim.variables.conf.custom\necho 'AUTH_ENABLE_CONDITION = yes' &gt;&gt; \/etc\/exim.variables.conf.custom\nda build exim_conf\n\n# Block SMTP authentication on plain-text connections, but allow it to work on all TCP ports\nsed -i '\/^AUTH_ENABLE_CONDITION \/d' \/etc\/exim.variables.conf.custom\necho 'AUTH_ENABLE_CONDITION = ${if or { {def:tls_in_cipher} {match_ip{$sender_host_address}{&lt;; 127.0.0.1 ; ::1}} }}' &gt;&gt; \/etc\/exim.variables.conf.custom\nda build exim_conf\n\n# Block SMTP authentication on TCP port 25, but allow it on plain-text connections on other ports\nsed -i '\/^AUTH_ENABLE_CONDITION \/d' \/etc\/exim.variables.conf.custom\necho 'AUTH_ENABLE_CONDITION = ${if !eq{$interface_port}{25}}' &gt;&gt; 
\/etc\/exim.variables.conf.custom\nda build exim_conf\n\n# Use the new (secure) DirectAdmin SMTP authentication policy\nsed -i '\/^AUTH_ENABLE_CONDITION \/d' \/etc\/exim.variables.conf.custom\nda build exim_conf\n<\/code><\/pre>\n\n\n\n<p><strong>Note:<\/strong>&nbsp;It is highly recommended to use the new default SMTP authentication policy. The mechanism to revert to the old policy should only be used temporarily until all the clients are reconfigured to use SMTP submission ports (587 or 465) and encryption.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"csf-adjusted-smtp-ports-for-smtp-block-to-block-25-port-only\"><a href=\"https:\/\/docs.directadmin.com\/changelog\/version-1.676.html#csf-adjusted-smtp-ports-for-smtp-block-to-block-25-port-only\">#<\/a><\/h2>\n","protected":false},"excerpt":{"rendered":"<p>\u203c\ufe0f Block SMTP authentication on port 25 and plain-text connections&nbsp;improved The Exim configuration is updated to not allow users to perform SMTP authentication on TCP port 25. This means email clients will not be able to use port 25 for sending emails. 
TCP port 25 will be exclusively used for communication between mail servers, and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1662","post","type-post","status-publish","format-standard","hentry","category-kategerisiz"],"_links":{"self":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/1662","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/comments?post=1662"}],"version-history":[{"count":1,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/1662\/revisions"}],"predecessor-version":[{"id":1663,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/1662\/revisions\/1663"}],"wp:attachment":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/media?parent=1662"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/categories?post=1662"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/tags?post=1662"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}