How can I configure Exim to drop non-authenticated connections on alternate SMTP port?
Solution 1:
We use the following rules in acl_check_rcpt, but I suspect they would work better in acl_check_helo:
# Reject port 587 connections that have not negotiated TLS
deny
  condition = ${if and{{eq{$interface_port}{587}} {eq{$tls_cipher}{}} } }
  message = All port 587 connections must use TLS

# Reject port 587 connections that have not authenticated
deny
  condition = ${if eq{$interface_port}{587}}
  !authenticated = *
  message = All port 587 connections must be Authenticated
Obviously you only want the second of the two rules, but the first shows how to reject non-TLS connections. You may want to think about disallowing plaintext authentication methods if you aren't going to enforce TLS.
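One way to act on the last point of the answer above, as an added example that is not part of the original answer: advertise AUTH only on sessions that are already encrypted, so plaintext mechanisms are never offered in the clear. It assumes TLS is already configured and reuses the `$tls_cipher` variable from the rules above.

```exim
# Main configuration section (added example, not from the answer above).

# Offer STARTTLS to every connecting client.
tls_advertise_hosts = *

# Weak setting: AUTH is offered to all hosts, encrypted or not.
# auth_advertise_hosts = *

# Corrected setting: the host list expands to empty (no hosts) while
# $tls_cipher is unset, and to * once TLS has been negotiated, so AUTH
# is only advertised inside an encrypted session.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
```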