Re: [Exim] SMTP AUTH and SSL

Página Inicial
Delete this message
Reply to this message
Autor: Marc MERLIN
Data:  
Para: Dave C.
CC: exim-users
Assunto: Re: [Exim] SMTP AUTH and SSL
On Thu, Jul 27, 2000 at 03:43:59PM -0400, Dave C. wrote:
> I wouldnt bother. The odds of someone who wants to spam through your
> server, having access to sniff network traffic, and having the time and
> inclination to site there for days watching for passwords in the
> terabytes of traffic passing through, multiplied by the amount of
> damage they could do with one password, multiplied by the trouble it
> would take to change the password they managed to sniff...........


I'd agree here, but as I mentionned, those password are the main user
passwords, they can be used to get a shell login.
I do not care as much about spam relaying as someone sniffing a password and
using it to log into my network :-)

> Do you allow them to use POP from outside your network? Have you


Not for much longer. IMAP/SSL is there (as is POP/SSL) and plain POP will go
away real soon

> implented a working SSL solution there too? If not, then you already
> have passwords passing in direct plain text (not even BASE64 encoded)..


Actually netscape and WUPOP do BASE64 encode the pop login sequence.

> IMNSHO, SSL for SMTP relay (at least until the protocols are set in
> stone, and evey possible mail client implements them, correctly, and in
> a compatible manner), is simply not worth the hassle.


I thought about just using one master password to allow any user to relay
through the mail server with that password, but I believe netscape doesn't
let you specify one password for imap and a different one for SMTP AUTH,
thus I'm stuck with using user passwords, and I don't want those travelling
in plaintext :-)

> > I've found  on the web  that recent netscapes don't  talk to the  ssmtp port
> > (although I can  force them to do so by  specifying mailserver:465) but just
> > in case, I have stunnel listening on both ports:
> > root      4886  0.0  0.0  2588 1440 ?        S    01:05   0:00 /usr/sbin/stunnel -p /etc/ssl/certs/stunnel.pem -d smtp -l /usr/sbin/exim -- exim -C /etc/exim-ssl.conf -bs
> > root      4888  0.0  0.0  2432 1292 ?        S    01:05   0:00 /usr/sbin/stunnel -p /etc/ssl/certs/stunnel.pem -d ssmtp -l /usr/sbin/exim -- exim -C /etc/exim-ssl.conf -bs


In the meantime (after yet more searching), I found the well hidden solution
I was looking for:
/usr/local/bin/stunnel-3.8p4 -p /etc/ssl/certs/stunnel.pem -d ssmtp -P /var/run/stunnel.ssmtp.pid -n smtp -l /usr/sbin/exim -- exim -C /etc/exim-ssl.conf -bs

(the key is a more recent stunnel than what ships with debian, be it potato
or woody, sigh...)

It's still not perfect since exim loses the remote IP info when it's
launched by a wrapper, but it's better than nothing.
Hopefully, TLS support will be added in for good, just like in postfix and
sendmail.

Thanks,
Marc
--
Microsoft is to software what McDonalds is to gourmet cooking

Home page: http://marc.merlins.org/ (friendly to non IE browsers)
Finger marc_f@??? for PGP key and other contact information