Re: [Exim] Exim 4 AUTH ACL

Author: Matt Bernstein
Date:  
To: exim-users
Subject: Re: [Exim] Exim 4 AUTH ACL
On Jan 11 Philip Hazel wrote:

>> lovely, but I want to require TLS for AUTH LOGIN and AUTH PLAIN (granted
>> it's a little late by then, but..), but to accept AUTH CRAM-MD5.
>
>Look in $smtp_command_argument. You can use a "condition" condition to
>test it. I'll try to make this fact a bit more prominent in the doc.


Lovely (as usual :), perhaps this sort of ACL might be a useful example:

# Do our best to prevent passwords being sent in clear text:
# ie require TLS for AUTH PLAIN or AUTH LOGIN but accept AUTH CRAM-MD5.
# If we advertise STARTTLS, clients shouldn't do the wrong thing
# by attempting an AUTH PLAIN with the password which we deny
# even though by then it's too late!

acl_check_auth:
  accept  encrypted = *

  accept  condition = ${if eq{${uc:$smtp_command_argument}}{CRAM-MD5}{yes}{no}}

  deny    message = TLS encryption (or CRAM-MD5) required for SMTP AUTH
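
The "too late" case mentioned in the ACL comments, as an added example that is not part of the original message: a Python model of the three ACL statements, run over constructed AUTH arguments, that marks which denied command had already carried a password in clear. It assumes the AUTH ACL is evaluated when the AUTH command arrives, before any challenge is sent; the function names and sample credentials are hypothetical.

```python
import base64

DENY_MSG = "TLS encryption (or CRAM-MD5) required for SMTP AUTH"

def acl_check_auth(argument, encrypted):
    """Python model of the ACL; argument stands in for $smtp_command_argument."""
    if encrypted:                        # accept encrypted = *
        return ("accept", "")
    if argument.upper() == "CRAM-MD5":   # accept condition = ${if eq{${uc:...}}{CRAM-MD5}...}
        return ("accept", "")
    return ("deny", DENY_MSG)            # deny message = ...

def password_sent_in_clear(argument, encrypted):
    """Return the password carried by an AUTH PLAIN initial response on an
    unencrypted session, or None if the command itself exposed no password."""
    parts = argument.split()
    if encrypted or len(parts) != 2 or parts[0].upper() != "PLAIN":
        return None
    try:
        fields = base64.b64decode(parts[1], validate=True).split(b"\0")
    except ValueError:
        return None
    # SASL PLAIN message layout: authzid NUL authcid NUL passwd
    return fields[2].decode("utf-8", "replace") if len(fields) == 3 else None

def review(commands):
    """commands: iterable of (argument, encrypted). Returns one row per command:
    (mechanism, encrypted, ACL verdict, password already exposed)."""
    rows = []
    for argument, encrypted in commands:
        verdict, _ = acl_check_auth(argument, encrypted)
        leaked = password_sent_in_clear(argument, encrypted) is not None
        rows.append((argument.split()[0], encrypted, verdict, leaked))
    return rows

# Constructed sample input (not from the original message).
PLAIN_IR = base64.b64encode(b"\0alice\0example-password").decode()
SAMPLE = [
    ("PLAIN " + PLAIN_IR, False),  # denied, but the password was in the command
    ("PLAIN", False),              # denied before any challenge is issued
    ("LOGIN", False),              # denied before any challenge is issued
    ("cram-md5", False),           # accepted: ${uc:} makes the test case-insensitive
    ("PLAIN " + PLAIN_IR, True),   # accepted over TLS
]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```

Only the first sample row is both denied and exposed, which is the case the ACL cannot prevent on its own.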