Port 25 without encryption

GabrielPL · September 13, 2023, 5:30pm

hello
I am trying to configure an SMTP email client on port 25 but it does not work if I put some encryption on it.

In previous versions it was possible.

Have you made any changes?
I can’t use 25 without encryption?
regards

sahsanu · September 13, 2023, 6:20pm

Hello @GabrielPL,

Yes, there was a change to allow auth only on localhost and TLS connections:

github.com/hestiacp/hestiacp

Enhancement/exim advertise auth only on localhost and tls connections

hestiacp:main ← sahsanu:enhancement/Exim-Advertise-AUTH-only-on-localhost-and-TLS-connections

opened 04:56PM - 17 Aug 23 UTC

sahsanu

+36 -0

Right now, HestiaCP only provides out of the box auth login and auth plain autho…rization mechanisms to Exim. That means that if you connect to port 25 or port 587, the user will be able to use AUTH LOGIN or AUTH PLAIN to authenticate against the mail server and the password will be send in cleartext over the net. With this PR, Exim will only advertise AUTH mechanism if you connect to it to localhost or the connection is already a TLS connection (after STARTTLS on ports 25 and 587 or implicit TLS on port 465).

You shouldn’t, your passwords will be sent in clear text over the net. If you know your client ip and it isn’t a dynamic ip you could add it to auth_advertise_hosts directive in /etc/exim4/exim4 conf.template

auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}

If you want to add ip 203.0.113.1:

auth_advertise_hosts = localhost : 203.0.113.1 : ${if eq{$tls_in_cipher}{}{}{*}}

You could also remove directive auth_advertise_hosts completely and you will be able to use auth on ports 25 and 587 without using a tls connection (I wouldn’t do it).

Cheers,
sahsanu

GabrielPL · September 13, 2023, 7:21pm

Thanks!!!