Email: How can I enforce secure client connections?

IT_Architect

I'm using Exim and Dovecot on the server. What I would like to do is force people to use secure e-mail. For POP3 and IMAP that's easy: just don't open them on the firewall and they will be forced to use POP3S and IMAPS. However, I don't know how to handle SMTP (25) and submission (587). If I block 25, then I would guess that I wouldn't get mail from other mail servers, because if they couldn't connect on 25, they wouldn't try 465. So let's say I leave 25 open. Then how do I force e-mail clients to use submission (587) instead? Submission is a problem itself, since it uses the same port for both secure and insecure.

Thanks!
 
1) rewrite the entire SMTP specification.

2) get everyone else to use it.

There may be a way to use an ACL to block all authenticated smtp submissions on port 25; I don't know, and I don't know why you'd want to. I'm not going to spend my time to look, but there's a lot of exim stuff on the 'net. Or you can ask on the exim-users mailing list.

Jeff
 
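For reference, the port-25 ACL Jeff speculates about does exist, and Exim can also simply refuse to offer AUTH until the session is encrypted. The following is an added Exim 4 configuration fragment, not configuration from this thread or from the Exim project itself; the hostname, certificate paths and the ACL name `acl_check_auth` are placeholders, and the `begin acl` section is assumed to be merged into your existing one.

```conf
# Added example (not from the thread): make Exim accept AUTH only over TLS.
# mail.example.com, the certificate paths and acl_check_auth are placeholders.

# 25 for MTA-to-MTA traffic, 587 for submission with STARTTLS, and 465 for
# submission with TLS negotiated on connect (for clients that cannot STARTTLS).
daemon_smtp_ports    = 25 : 465 : 587
tls_on_connect_ports = 465

tls_advertise_hosts = *
tls_certificate     = /etc/ssl/private/mail.example.com.crt
tls_privatekey      = /etc/ssl/private/mail.example.com.key

# Advertise AUTH only once the session is encrypted. $tls_in_cipher is empty
# until STARTTLS has completed (or on the 465 TLS-on-connect port), so a
# client that never starts TLS never sees "250-AUTH" in the EHLO reply and
# Exim rejects any AUTH it sends anyway ("503 AUTH command used when not
# advertised"). Older Exim releases call this variable $tls_cipher.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# Belt and braces: run an ACL on every AUTH command that refuses it when the
# session is still in clear text, and refuses it on port 25 altogether so
# that mail clients are pushed onto 587 or 465.
acl_smtp_auth = acl_check_auth

begin acl

acl_check_auth:
  deny   message   = AUTH is only accepted over an encrypted session
         condition = ${if eq{$tls_in_cipher}{}{yes}{no}}
  deny   message   = authenticate on port 587 or 465, not on port 25
         condition = ${if eq{$received_port}{25}{yes}{no}}
  accept
```

With this in place a misconfigured client that talks plain text on 25 or 587 never gets a chance to send its password: it either finds no AUTH to use or is denied with the message above, and its relay attempt then fails at the RCPT stage as an unauthenticated sender. Inbound mail from other servers on port 25 is unaffected because they never authenticate. You can check the result from a shell with `openssl s_client -connect mail.example.com:587 -starttls smtp` (AUTH should appear in the EHLO reply) against a plain `telnet mail.example.com 587` followed by `EHLO test` (no AUTH line). The Dovecot counterpart for IMAP and POP3, if you would rather leave 110 and 143 open than firewall them, is `ssl = required` together with `disable_plaintext_auth = yes` in dovecot.conf, which refuses any login until the client has started TLS.
 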
> 1) rewrite the entire SMTP specification.
> 2) get everyone else to use it.
>
> There may be a way to use an ACL to block all authenticated smtp submissions on port 25; I don't know, and I don't know why you'd want to. I'm not going to spend my time to look, but there's a lot of exim stuff on the 'net. Or you can ask on the exim-users mailing list.
> Jeff

Your reply makes no sense to me. There is no need to rewrite the SMTP specification. I'm not attempting to do anything that Google and Yahoo! don't already do. I did get some responses elsewhere, one on this site where people were engineering the same thing: http://www.directadmin.com/forum/archive/index.php/t-8627.html I stated why I would want to in my original post. The same reasons that Google and Yahoo! do: to prevent people from giving away their user names and passwords in unsecured wireless hot spots.

Thanks!
 
And I explained in my paragraph how I believe you can find the information you need to do it with exim. Perhaps my feelings over the insecurities built into the entire email spec got ahead of me; for that I apologize.

But I still don't see why blocking it on port 25 and allowing it on port 587 would solve anything; as you yourself point out, port 587 can be accessed insecurely as well.

Client education may be the best way to go.

Jeff
 
> Client education may be the best way to go.

Thanks for your reply. I think the best way is to make it "Murphy proof". Client education is what I do now. I'd like to duplicate the behavior of GMail. If I come up with a clean method, I'll post it in a "How To".

Thanks!
 