Exim Logging Port and Plaintext Connections

Posted on May 23, 2025

DirectAdmin has recently enforced stricter rules for sending mail (changelog).

Long story short, starting with DirectAdmin version 1.676:

  • Port 25 cannot be used for mail submission. It is dedicated to server-to-server communication.
  • Authentication via port 587 works only when using STARTTLS.

The changelog also describes how to fully or partially revert to the previous behaviour in case the impact is bigger than expected.

However, the change is strongly advised. Before jumping to the stricter mode, you may want to collect some stats to see how many users are actually using the forbidden settings.

Gathering stats

  • Get plaintext authenticated users:
grep P=esmtpa /var/log/exim/mainlog | grep -F -v -e ' [::1] ' -e ' [127.0.0.1] '

The P= keywords are described in RFC 3848:

   o  The new keyword "ESMTPA" indicates the use of ESMTP when the SMTP
      AUTH [3] extension is also used and authentication is successfully
      achieved.

   o  The new keyword "ESMTPS" indicates the use of ESMTP when STARTTLS
      [1] is also successfully negotiated to provide a strong transport
      encryption layer.

   o  The new keyword "ESMTPSA" indicates the use of ESMTP when both
      STARTTLS and SMTP AUTH are successfully negotiated (the
      combination of ESMTPS and ESMTPA).
  • To get all the users that authenticated using port 25 (requires the exim.conf modification below):
grep 'I=[^ ]*:25\s.*P=esmtps\?a' /var/log/exim/mainlog

exim.conf modification for port logging

Customise exim.conf by appending the +incoming_interface setting to the log_selector variable.

After adding the setting, it should look like this:

log_selector = \
  +incoming_interface \
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery \
  +arguments

Note: You may want to copy the config to /usr/local/directadmin/custombuild/custom/exim/ if you want the change to be persistent.
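
The two greps above return raw log lines; to see how many accounts are affected, they can be folded into one per-account tally. This is an added example, not part of the original post: it assumes +incoming_interface is already enabled and that the authenticator logs the login as A=<name>:<id>, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes +incoming_interface is
# enabled and that the authenticator logs the login as A=<name>:<id>.
# Counts, per account, log lines showing plaintext AUTH (P=esmtpa, loopback
# clients excluded) and AUTH on port 25. Real use: exim_auth_stats <mainlog>
exim_auth_stats() {
  awk '
    {
      proto = ""; port = ""; id = ""; loopback = 0
      for (i = 1; i <= NF; i++) {
        # Stop at the subject (+subject): its text is sender-controlled
        # and must not be parsed as log fields.
        if ($i ~ /^T="/) break
        if ($i ~ /^P=/ && proto == "") proto = substr($i, 3)
        else if ($i ~ /^I=\[/ && port == "") {
          port = $i; sub(/^.*\]:/, "", port)      # also handles IPv6 literals
        } else if ($i ~ /^A=/ && id == "") {
          n = split(substr($i, 3), part, ":")
          if (n > 1) id = part[2]
        } else if ($i == "[127.0.0.1]" || $i == "[::1]") loopback = 1
      }
      if (proto != "esmtpa" && proto != "esmtpsa") next   # no SMTP AUTH
      if (id == "") id = "(no-id)"
      if (proto == "esmtpa" && !loopback) plain[id]++
      if (port == "25") p25[id]++
    }
    END {
      for (id in plain) seen[id] = 1
      for (id in p25) seen[id] = 1
      for (id in seen)
        printf "%s plaintext=%d port25=%d\n", id, plain[id], p25[id]
    }
  ' "$@" | sort
}

# Constructed sample lines (documentation addresses, made-up message ids).
sample_log() {
  cat <<'EOF'
2025-05-23 10:00:01 1uA001-000001-01 <= alice@example.com H=(pc) [203.0.113.5] I=[198.51.100.10]:587 P=esmtpa A=login:alice@example.com S=1200 T="hi there"
2025-05-23 10:01:02 1uA002-000002-02 <= alice@example.com H=(pc) [203.0.113.5] I=[198.51.100.10]:25 P=esmtpa A=login:alice@example.com S=900 T="again"
2025-05-23 10:02:03 1uA003-000003-03 <= bob@example.com H=(nb) [2001:db8::7] I=[2001:db8::10]:25 P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 A=plain:bob@example.com S=800 T="report"
2025-05-23 10:03:04 1uA004-000004-04 <= carol@example.com H=(c) [203.0.113.9] I=[198.51.100.10]:587 P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 A=login:carol@example.com S=700 T="ok"
2025-05-23 10:04:05 1uA005-000005-05 <= web@example.com H=localhost [127.0.0.1] I=[127.0.0.1]:587 P=esmtpa A=login:web@example.com S=600 T="form"
2025-05-23 10:05:06 1uA006-000006-06 <= x@example.net H=mx.example.net [192.0.2.8] I=[198.51.100.10]:25 P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 S=500 T="P=esmtpa A=login:mallory"
EOF
}

sample_log | exim_auth_stats
```

Accounts that only ever authenticate over STARTTLS on port 587 do not appear in the output, so the list is exactly the set of users to contact before switching to the stricter mode.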