Re: [Exim] restricting AUTH Plain/Login to TLS connectionsy

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Matthew Byng-Maddick
Date:  
À: exim-users
Sujet: Re: [Exim] restricting AUTH Plain/Login to TLS connectionsy
On Wed, Jan 08, 2003 at 05:52:29PM +0000, Matt Bernstein wrote:
> Not quite--iff the client cert verifies, the client can issue "AUTH
> EXTERNAL" with an optional username (=CN of the client cert IIRC) but no
> password.


ewwwwwwwwww. That's horrid.

> It's relatively cosmetic, allowing "P=asmtp A=external:my.client.cert" in

^^^^^^^^^^^^^^^^^^^^^^^^
mainly because of that

Thing is, it's cosmetic for your server logs, I'll agree, but for your client,
and what the "AUTH" means, it's pretty horrid, IMO.

> your logs so something which might otherwise look like unwanted relaying
> is explicable.


You mean you don't find something like:
[wrapped for clarity]
| 2003-01-08 18:00:04 18WKUl-0001JF-00 <= mbm@???
| H=dsl-212-23-14-8.zen.co.uk (asterisk.semi.colondot.net) [212.23.14.8]
| I=[193.201.200.72]:25 P=esmtp X=TLSv1:EDH-RSA-DES-CBC3-SHA:168
| DN="/C=UK/ST=LONDON/O=semi.colondot.net/CN=asterisk.semi.colondot.net"
| S=694 id=20030108175936.GA1584@???


enough? The DN= only appears to come up when it's been verified as being
correct (ie, it's in my allowed CA list). For me, that's a good enough
indicator.

MBM

--
Matthew Byng-Maddick         <mbm@???>           http://colondot.net/