I have been running HestiaCP v1.3.2 on Debian 10.6.
By default, exim offers the ability to use SMTP authentication over port 25 unencrypted, i.e. the username/password combination of an email account is transmitted in plain text.
I would like to only offer the smtp-auth capability over TLS, not plain text.
To do this, I have modified /etc/exim/exim4.conf.template and added the following line:
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
Is this something that other people would also like and find useful?
Could HestiaCP configure this out of the box?
Of course you support TLS out of the box, but you don't make sure that credentials can only be transmitted over TLS; they can also be transmitted in plain text.
stsimb@tesla4:~$ telnet mail.hestiacp.com 25
Trying 116.203.78.202...
Connected to mail.hestiacp.com.
Escape character is '^]'.
220 web02.hestiacp.com
ehlo test
250-web02.hestiacp.com Hello
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250 HELP
quit
221 web02.hestiacp.com closing connection
Connection closed by foreign host.
By adding the line I mentioned above in exim4.conf.template, the SMTP AUTH capability will only be available over TLS (i.e. client must use STARTTLS or connect to port 465), which is encrypted.
The behaviour I want is:
No AUTH capability offered on port 25 by default
stsimb@tesla4:~$ telnet potato.irc.gr 25
Trying 95.111.231.144...
Connected to potato.irc.gr.
Escape character is '^]'.
220 potato.irc.gr
ehlo test
250-potato.irc.gr Hello
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP
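As an added example (not from the post and not HestiaCP's or exim's own code), a small Python checker for the property described above: it parses an EHLO response and reports whether AUTH is advertised before STARTTLS, and optionally repeats the check live against a server before and after STARTTLS. The two EHLO banners are constructed from the transcripts in the post; the host and client name in the live check are placeholders.

```python
import smtplib
import ssl

# EHLO banner before the fix: AUTH advertised on plain port 25 (constructed from the post).
EHLO_PLAINTEXT_AUTH = """250-web02.hestiacp.com Hello
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250 HELP"""

# Desired banner: only STARTTLS offered, no AUTH before encryption (constructed from the post).
EHLO_NO_PLAINTEXT_AUTH = """250-potato.irc.gr Hello
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP"""


def parse_ehlo(response: str) -> dict:
    """Map each advertised ESMTP extension keyword to its parameter list."""
    exts = {}
    for line in response.splitlines():
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        exts[keyword.upper()] = params.split()
    return exts


def auth_leaks_plaintext(pre_tls_ehlo: str) -> bool:
    """True if AUTH is offered before STARTTLS, i.e. credentials may be sent in clear."""
    return "AUTH" in parse_ehlo(pre_tls_ehlo)


def check_live(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a server you operate and compare AUTH before and after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("auth-check.example")          # placeholder client name
        before = smtp.esmtp_features.get("auth")  # None when AUTH is not advertised
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo("auth-check.example")      # features are reset after TLS; re-EHLO
            after = smtp.esmtp_features.get("auth")
    return {"auth_before_tls": before, "auth_after_tls": after}
```

With the auth_advertise_hosts line applied, check_live() on your own server should return auth_before_tls as None and a non-empty auth_after_tls.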