Author: Mark Baker Date: To: Francesco Bochicchio, 67585 CC: exim-users Subject: [Exim] Re: Bug#67585: Authentication info in exim.conf available to all local users
On Sat, Jul 22, 2000 at 03:34:30PM -0700, Francesco Bochicchio wrote:
> If I put SMTP authentication info in exim.conf ( e.g. user id and password
> to be used to relay mail to a 'smarthost' ), this information is available
> to every local user via the command '/usr/sbin/exim -bP
> authenticators_list'.
(Of course, normally they can see it just by reading exim.conf; I assume
you've changed the permissions so they can't do that.)
> This command should be only availabe to 'exim administrator'
That would have to apply to any use of -bP really. I don't like that idea
much: I think users should be able to see how exim is configured.
I don't really understand how to use authentication, but I'm pretty sure you
can put your secrets in a separate file rather than directly in exim.conf,
and then there would be no way for another user to see it. I would recommend
doing it that way.
> (maybe to 'thrusted users' too).
Trusted users are nothing to do with this: they are users who are allowed to
set their envelope sender to anything they like. Mostly they're system users
rather than people, so allowing them to view the configuration would be
pointless.
> [BTW : I noticed that eximconf does not handle the authentication section
> of exim.conf ]
I know. I intend to make it output a sample authenticators section, but
leave it commented out and not do anything to customise it for you.
> I looked to the exim site but I didn't find where to file a bug report (I
> decided not to send it to the user mailing list).
Either direct to the author, or to the mailing list.