Re: [Exim] restricting AUTH Plain/Login to TLS connections

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Nico Erfurth
Date:  
À: exim-users
CC: Sven Geggus
Nouveaux-sujets: Re: [Exim] restricting AUTH Plain/Login to TLS connectionsy
Sujet: Re: [Exim] restricting AUTH Plain/Login to TLS connections
Philip Hazel wrote:

>>You have to advertise all or nothing, but maybe this should be
>>configureable in the authenticator (this COULD also make the
>>auth_advertise_hosts option obsolete).
>
>
> That is correct.
>
> I have noted this requirement in the Wish List. However, it isn't as
> simple as just specifing what to advertise, because Exim should only
> accept back requests for advertised mechanisms. This is quite a lot of
> complication.


Why?
IMHO, you need to loop through the authenticators anyway, to find the
requested authenticator, so checking the condition again and skipping if
it yields false shouldn't be a problem (around line 1793 in my version
of smtp_in.c). But I could be wrong, I just had a quick look ;)

The check for au == NULL should catch it if someone tries to use an
unadvertised mechanism.

> What you can do is to reject AUTH commands that don't use an approved
> mechanism in the ACL for AUTH. This may confuse the clients, of course.


Hmmm, do we have a variable to get the requested auth-scheme?

Especialy Netscape and Mozilla are very picky about the AUTH-part.

ciao