Exim: Advertise AUTH only on TLS connections

Hello,

I would like to return to this topic:

As HestiaCP only provides AUTH LOGIN and AUTH PLAIN out of the box for Exim authentication, and those methods basically send the password in clear text over the net, it would be great if Exim only allowed AUTH mechanisms over TLS connections (after STARTTLS on ports 25 and 587 and, of course, on implicit TLS on port 465).

To add this option, we only need one line in /etc/exim4/exim4.conf.template:

Before:

[...]
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
never_users = root
[...]

After:

[...]
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}
never_users = root
[...]

Adding auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}} will only advertise AUTH mechanisms to localhost and to connections over TLS.

These days it is not good practice to allow users to send their password in clear text over the net.

Maybe you have discussed it in another post, or there are other reasons to do it this way.

Thank you.

Cheers,
sahsanu

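As an added example (not part of the original post, and not HestiaCP or Exim code), the following Python script checks from the client side what the auth_advertise_hosts line above is meant to achieve: it extracts the AUTH mechanisms from an EHLO reply, and, given a host, sends EHLO before and after STARTTLS on 25/587 and once on implicit-TLS port 465, reporting FAIL if any mechanism is offered on the plaintext session. The host name, ports and the three sample EHLO replies are assumptions and constructed samples, not captured from a real server.

```python
"""Probe an SMTP server: is AUTH advertised before TLS is negotiated?

Added example for the HestiaCP thread above; not Exim/HestiaCP code.
Host names, ports and the sample EHLO replies are assumptions.
"""
import re
import smtplib
import ssl
import sys

# Constructed sample EHLO replies in wire form (not from any real server).
# What a patched server should say on a plaintext session: STARTTLS, no AUTH.
SAMPLE_EHLO_PLAINTEXT = (
    b"250-mail.example.test Hello client [192.0.2.10]\r\n"
    b"250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
    b"250-STARTTLS\r\n250 HELP"
)
# Same server after STARTTLS: AUTH is now offered.
SAMPLE_EHLO_AFTER_STARTTLS = (
    b"250-mail.example.test Hello client [192.0.2.10]\r\n"
    b"250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
    b"250-AUTH PLAIN LOGIN\r\n250 HELP"
)
# The default (auth_advertise_hosts = *): AUTH offered even before STARTTLS.
SAMPLE_EHLO_LEAKY = (
    b"250-mail.example.test Hello client [192.0.2.10]\r\n"
    b"250-AUTH PLAIN LOGIN\r\n250-STARTTLS\r\n250 HELP"
)

# Matches "250-AUTH PLAIN LOGIN" on the wire as well as the "AUTH PLAIN LOGIN"
# form smtplib hands back (status code stripped); also the legacy "AUTH=" form.
_AUTH_LINE = re.compile(r"^(?:250[ -])?AUTH[ =](.+)$", re.IGNORECASE)


def auth_mechanisms(ehlo_reply):
    """Return the set of AUTH mechanism names listed in an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        m = _AUTH_LINE.match(line.strip())
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def verdict(before_tls, after_tls):
    """Classify a STARTTLS probe. after_tls is None if STARTTLS was not offered."""
    if before_tls:
        return "FAIL: AUTH %s advertised on the plaintext session" % sorted(before_tls)
    if after_tls is None:
        return "WARN: STARTTLS not offered, so AUTH can never be used safely here"
    if not after_tls:
        return "WARN: AUTH never advertised, even after STARTTLS"
    return "OK: AUTH %s only after STARTTLS" % sorted(after_tls)


def probe_starttls(host, port=25, timeout=10.0):
    """EHLO, then STARTTLS and EHLO again; return mechanisms seen each time."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        _code, reply = s.ehlo()
        before = auth_mechanisms(reply)
        after = None
        if s.has_extn("starttls"):
            s.starttls(context=ctx)
            _code, reply = s.ehlo()  # must re-EHLO after the TLS handshake
            after = auth_mechanisms(reply)
    return before, after


def probe_implicit_tls(host, port=465, timeout=10.0):
    """EHLO on an implicit-TLS port; AUTH is expected here."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
        _code, reply = s.ehlo()
        return auth_mechanisms(reply)


if __name__ == "__main__":
    # Usage: python probe_auth.py mail.example.test   (host is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.test"
    for p in (25, 587):
        before, after = probe_starttls(target, p)
        print("port %d: %s" % (p, verdict(before, after)))
    print("port 465: AUTH %s" % sorted(probe_implicit_tls(target, 465)))
```

Not advertising AUTH is the right fix rather than a client-side workaround, because a mail client that sees AUTH PLAIN on a plaintext EHLO may use it; with the patched configuration Exim also refuses an AUTH command that was not advertised on that session. Run the probe against your own server before and after the change, and you should see the port 25/587 lines move from FAIL to OK.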

I don’t think we have ever looked into this; feel free to submit a PR…


I’ll do it :wink:


Done
