Re: [Exim] restricting AUTH Plain/Login to TLS connections

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Giuliano Gavazzi
Date:  
À: Sven Geggus, exim-users
Sujet: Re: [Exim] restricting AUTH Plain/Login to TLS connections
At 20:02 +0000 2003/01/03, Sven Geggus wrote:
>Hi there,
>
>is it possible to do restrict the AUTH Plain/Login mechanism to TLS
>encrypted connections?
>
>The reason is that it should not work to use insecure SMTP-auth without
>starttls.
>


spec.txt under auth_advertise_hosts says

     If you want to advertise the availability of AUTH only when the
the        |
     connection is encrypted using TLS, you can make use of the fact
that the   |
     value of this option is expanded, with a setting like this:
|


|
       auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
|


|
     If $tls_cipher is empty, the session is not encrypted, and the
result of   |
     the expansion is empty, thus matching no hosts. Otherwise, the
result of   |
     the expansion is *, which matches all hosts.
|



also you might want an after the fact caution that I found somewhere
in the docs:

# it insists that either the session is encrypted, or the CRAM-MD5
# authentication method is used. In other words, it does not permit
# authentication methods that use cleartext passwords on unencrypted
# connections.
acl_check_auth:
     accept encrypted = *
     accept condition = ${if eq{${uc:$smtp_command_argument}}\
                         {CRAM-MD5}{yes}{no}}
     deny   message   = TLS encryption or CRAM-MD5 required




Giuliano
--
H U M P H
    || |||
  software


Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/