At 20:02 +0000 2003/01/03, Sven Geggus wrote:
>Hi there,
>
>is it possible to restrict the AUTH PLAIN/LOGIN mechanisms to TLS
>encrypted connections?
>
>The reason is that it should not work to use insecure SMTP-auth without
>starttls.
>
spec.txt under auth_advertise_hosts says:

    If you want to advertise the availability of AUTH only when the
    connection is encrypted using TLS, you can make use of the fact that the
    value of this option is expanded, with a setting like this:

        auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

    If $tls_cipher is empty, the session is not encrypted, and the result of
    the expansion is empty, thus matching no hosts. Otherwise, the result of
    the expansion is *, which matches all hosts.
Also, you might want an after-the-fact caution that I found somewhere
in the docs:

    # it insists that either the session is encrypted, or the CRAM-MD5
    # authentication method is used. In other words, it does not permit
    # authentication methods that use cleartext passwords on unencrypted
    # connections.
    # (This ACL runs for the AUTH command; it is selected from the main
    # configuration section with: acl_smtp_auth = acl_check_auth)
    acl_check_auth:
      accept encrypted = *
      accept condition = ${if eq{${uc:$smtp_command_argument}}\
                            {CRAM-MD5}{yes}{no}}
      deny   message   = TLS encryption or CRAM-MD5 required
Giuliano
--
H U M P H
|| |||
software
Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/
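A client-side check for what Sven asked about, added here as an example (it is not Exim code and not part of Giuliano's reply): it parses EHLO replies and flags PLAIN/LOGIN being offered before STARTTLS, which is exactly what the auth_advertise_hosts expansion quoted above should make disappear, and it accepts CRAM-MD5 on a cleartext session the way the quoted ACL does. The probe() function does the live exchange with Python's smtplib; the sample replies and the host names in them are constructed for illustration, not captured from any real server.

```python
"""Probe an SMTP server for cleartext-password AUTH offered before STARTTLS.

Added example for this thread; not Exim code and not from the original post.
The sample EHLO replies below are constructed, not captured from a real server.
"""
from __future__ import annotations

import smtplib
import ssl

# Mechanisms that transmit the password itself over the channel.  CRAM-MD5
# sends an HMAC of the password instead, which is why the quoted ACL permits
# it without TLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def auth_mechs(ehlo_text: str) -> set[str]:
    """Return the set of AUTH mechanisms advertised in an EHLO reply.

    Accepts either raw wire lines ("250-AUTH PLAIN LOGIN") or the stripped
    form smtplib keeps in SMTP.ehlo_resp ("AUTH PLAIN LOGIN").  Both the
    RFC 4954 "AUTH PLAIN LOGIN" form and the legacy "AUTH=PLAIN LOGIN" form
    are recognised.
    """
    mechs: set[str] = set()
    for raw in ehlo_text.splitlines():
        line = raw.strip()
        if line[:3] == "250" and line[3:4] in (" ", "-"):
            line = line[4:]  # drop the reply-code prefix of a wire line
        key = line[:5].upper()
        if key in ("AUTH ", "AUTH="):
            mechs.update(m.upper() for m in line[5:].split())
    return mechs


def cleartext_auth_offered(ehlo_text: str) -> set[str]:
    """Mechanisms in the reply that would expose a password on this channel."""
    return auth_mechs(ehlo_text) & CLEARTEXT_MECHS


def findings(before: str, after: str | None) -> list[str]:
    """Judge a before/after-STARTTLS pair of EHLO replies.

    `after` is None when the server did not offer STARTTLS at all.
    An empty list means the server behaves as the thread recommends.
    """
    problems = []
    exposed = cleartext_auth_offered(before)
    if exposed:
        problems.append("cleartext AUTH before STARTTLS: " + " ".join(sorted(exposed)))
    if after is None:
        problems.append("STARTTLS not advertised")
    elif not auth_mechs(after):
        problems.append("no AUTH advertised even after STARTTLS")
    return problems


def probe(host: str, port: int = 25, timeout: float = 10.0) -> list[str]:
    """Live check against a real server (needs network; not exercised offline)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = smtp.ehlo_resp.decode("ascii", "replace")
        if not smtp.has_extn("starttls"):
            return findings(before, None)
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # capabilities must be re-read after the TLS handshake
        after = smtp.ehlo_resp.decode("ascii", "replace")
    return findings(before, after)


# Constructed sample replies (hypothetical host names, not real captures).
WEAK_BEFORE = (
    "250-mail.example.org Hello client.example.net\n"
    "250-SIZE 52428800\n"
    "250-STARTTLS\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\n"
    "250 HELP"
)
FIXED_BEFORE = (  # auth_advertise_hosts expanded to empty: no AUTH line at all
    "250-mail.example.org Hello client.example.net\n"
    "250-SIZE 52428800\n"
    "250-STARTTLS\n"
    "250 HELP"
)
# After STARTTLS, in the stripped form smtplib stores, using the legacy AUTH= syntax.
FIXED_AFTER = (
    "mail.example.org Hello client.example.net\n"
    "SIZE 52428800\n"
    "AUTH=PLAIN LOGIN CRAM-MD5\n"
    "HELP"
)

if __name__ == "__main__":
    print("weak :", findings(WEAK_BEFORE, FIXED_AFTER))
    print("fixed:", findings(FIXED_BEFORE, FIXED_AFTER))
```

Run probe("your.mail.host") against a server after applying the auth_advertise_hosts setting: the pre-STARTTLS EHLO should carry no AUTH line at all, and the post-STARTTLS one should list the mechanisms again. A server that advertises only CRAM-MD5 before STARTTLS also passes, matching the ACL's exception.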