Re: [Exim] restricting AUTH Plain/Login to TLS connections

Author: Matt Bernstein
Date:  
To: Giuliano Gavazzi
CC: exim-users
Subject: Re: [Exim] restricting AUTH Plain/Login to TLS connections
At 17:20 -0000 Giuliano Gavazzi wrote:

>>Great! This will help with my AUTH EXTERNAL idea:
>>
>>The server can advertise the EXTERNAL mechanism (using the plaintext
>>authenticator) iff it has successfully verified a client certificate.
>
>wow, you *are* strict! You verify a client certificate *and* require
>authentication. Or perhaps you did not mean client certificate?


Not quite--iff the client cert verifies, the client can issue "AUTH
EXTERNAL" with an optional username (=CN of the client cert IIRC) but no
password.

It's relatively cosmetic, allowing "P=asmtp A=external:my.client.cert" in
your logs so something which might otherwise look like unwanted relaying
is explicable.

Matt

PS: 193.112.138.70 is in ORDB; see http://ordb.org/ :)
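
One way to express the idea in this message in an Exim 4 configuration, added here as an example and not taken from the thread or from the Exim distribution. The authenticator name `external`, the CA bundle path, the `$tls_in_*` variable names (older releases use `$tls_certificate_verified` and `$tls_peerdn`) and the choice to log the certificate's subject DN as the id are assumptions.

```exim
# Main section. Assumes tls_certificate and tls_privatekey are already set.
# Request, but do not require, a client certificate from every host and
# verify it against a CA bundle. The path below is a placeholder.
tls_advertise_hosts = *
tls_try_verify_hosts = *
tls_verify_certificates = /etc/exim/client-ca.pem

begin authenticators

# Named "external" so that accepted mail is logged with A=external:<id>,
# matching the log fragment quoted in the message above.
external:
  driver = plaintext
  public_name = EXTERNAL
  # Offer the mechanism only on sessions where the client certificate verified.
  server_advertise_condition = ${if eq{$tls_in_certificate_verified}{1}}
  # One empty prompt collects the optional identity string; there is no password.
  server_prompts = :
  # Re-check verification at AUTH time; the client-supplied string is not trusted.
  server_condition = ${if eq{$tls_in_certificate_verified}{1}}
  # Record the verified certificate's subject DN as the authenticated id.
  server_set_id = $tls_in_peerdn
```

Because `server_set_id` is taken from the verified certificate rather than from `$auth1`, a client cannot choose the identity that appears after `A=external:` in the log.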