Author: Matt Bernstein
Date:
To: exim-users
Subject: Re: [Exim] restricting AUTH Plain/Login to TLS connections
At 14:15 -0000 Philip Hazel wrote:
>What I have actually put on the Wish List is this:
>
>------------------------------------------------------------------------------
>(128) 08-Jan-03 S A condition for authenticators controlling advertising
>
>An authenticator would be advertised only if the condition is true. The same
>condition needs to be checked when searching for a requested authenticator, to
>ensure that only advertised authenticators can be used. Or set a flag to show
>that advertisement has happened.
>------------------------------------------------------------------------------
Great! This will help with my AUTH EXTERNAL idea:
The server can advertise the EXTERNAL mechanism (using the plaintext
authenticator) iff it has successfully verified a client certificate.
The other bit we need is a similar hack for the Exim client auth code, so
that we can tell it which hosts to use with which mechanisms (and, more
importantly, it doesn't try sending passwords from the wrong mechanisms to
the wrong hosts). I don't see an obvious solution to the client fix
though.
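
The rule in the wish-list item quoted above, modelled as a small added example (not Exim code and not part of the original message): each authenticator carries a condition that is evaluated both when building the EHLO response and again when a client names a mechanism in AUTH. The session fields, the `advertise_if` attribute and the reply texts are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Session:
    tls_active: bool = False            # STARTTLS has completed
    client_cert_verified: bool = False  # a client certificate was verified


@dataclass
class Authenticator:
    mechanism: str
    advertise_if: Callable[[Session], bool]  # hypothetical per-authenticator condition


# Constructed policy: cleartext-password mechanisms only under TLS,
# EXTERNAL only after a client certificate has been verified.
AUTHENTICATORS = [
    Authenticator("PLAIN", lambda s: s.tls_active),
    Authenticator("LOGIN", lambda s: s.tls_active),
    Authenticator("CRAM-MD5", lambda s: True),
    Authenticator("EXTERNAL", lambda s: s.tls_active and s.client_cert_verified),
]


def advertised(session: Session) -> List[str]:
    """Mechanisms whose condition holds for this session."""
    return [a.mechanism for a in AUTHENTICATORS if a.advertise_if(session)]


def ehlo_auth_line(session: Session) -> Optional[str]:
    """The AUTH line of the EHLO response, or None if nothing is advertised."""
    mechs = advertised(session)
    return "250-AUTH " + " ".join(mechs) if mechs else None


def handle_auth(session: Session, requested: str) -> str:
    """Reply to 'AUTH <mechanism>'. The condition is checked again here, so a
    client that names an unadvertised mechanism anyway is refused."""
    for a in AUTHENTICATORS:
        if a.mechanism == requested.upper():
            if not a.advertise_if(session):
                return "503 mechanism not advertised"  # constructed reply text
            return "334 "  # go on to the mechanism's challenge
    return "504 unrecognized authentication type"  # constructed reply text
```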