Re: [Exim] tls certificate verification

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Matt Bernstein
Date:  
À: exim-users
Sujet: Re: [Exim] tls certificate verification
At 10:21 +0100 Philip Hazel wrote:

>On Tue, 10 Sep 2002, Matt Bernstein wrote:
>
>> This could be a job for AUTH EXTERNAL (see my post from Aug 17), but I
>> haven't the time to code it, it didn't make to the wish list, and I'm sure
>> Philip has plenty of other things to worry about just now.
>
>Didn't I come to the conclusion that you could configure the plaintext
>authenticator to support AUTH EXTERNAL? Ah yes, I wrote:
>
>"My guess (though I haven't worked it through) is that you could
>configure Exim's plaintext authenticator to do this for you. It can
>handle any number of data items (in this case 1), and it can test for
>whether the session is encrypted or not."


Sorry for being so dense, but I don't see how this would work as a client.
[ time passes.. ]

Would you have to say client_send = : or maybe client_send = ^ ?
Maybe it's "client_send = : :" (This means send nothing with the AUTH
EXTERNAL, then nothing to the 334 prompt.)

OK.. give that a whirl.. [ more time passes.. ]

Ahhh.. I've just found a bug in Exim (but it's not in the AUTH code). If
Exim does a STARTTLS in an LMTP conversation, it negotiates OK (haven't
yet checked the cert bit, but I'm sure it's OK), but then says EHLO
instead of LHLO. [ a little more time.. ] Obvious fix:

--- smtp.c~     Mon Jul 22 09:59:51 2002
+++ smtp.c      Tue Sep 10 13:16:45 2002
@@ -893,7 +893,8 @@


 if (tls_active >= 0)
   {
-  if (!smtp_write_command(&outblock, FALSE, "EHLO %s\r\n", helo_data))
+  if (!smtp_write_command(&outblock, FALSE, "%s %s\r\n", lmtp? "LHLO" : "EHLO",
+        helo_data))
     goto SEND_FAILED;
   if (!smtp_read_response(&inblock, buffer, sizeof(buffer), '2',
        ob->command_timeout))


..and now I discover that Cyrus won't offer AUTH EXTERNAL after we've done
STARTTLS. Still, at least I've fixed a bug.. is that penance enough?

Matt