Re: [Exim] restricting AUTH Plain/Login to TLS connections

Author: Giuliano Gavazzi
Date:
To: Nico Erfurth, Matt Bernstein
CC: exim-users
Subject: Re: [Exim] restricting AUTH Plain/Login to TLS connections
At 23:50 +0100 2003/01/08, Nico Erfurth wrote:
>Matt Bernstein wrote:
>>>This is good but also restrict the choice of client software, unless
>>>these users are only other servers...
>>
>>
>>One application we have for such certificates is for our users who run
>>MTAs at home. Stick something like the following very near the top of your
>>RCPT ACL, and all your users' mails can be relayed through your virus
>>scanner (and what other "policies" one may have :)
>>
>># for MUAs
>>
>> accept authenticated = *
>>
>># for MTAs
>>
>>   accept  encrypted = *
>>           verify = certificate
>>
>>Another application is for off-site backup MXes.
>>
>>    "Send me a client cert I like and I won't bother doing my evil
>>    RBL/fake-Hotmail/etc.. tests on you."
>>
>>Maybe an RBL to bypass local_scan() too (or choose which ones to invoke
>>and which ones to skip, if they're going to be DSOs) would be nice in the
>>long term. The system load on our (primary) mailer goes nuts after a
>>network outage ;)
>
>I would really like to see some kind of howto for this, how to use
>root/server/user certificates with exim, and maybe other software.
>
>Any pointers?
>
>ciao


I have all the instructions for openssl to create a CA and generate
all the certificates/keys you like. I also know how to set up
imapd/ipopd to use the proper certs (and if you like apache too, that
is where it all started for me).
I have to put this sooner or later on my web site (perhaps in a
restricted area...) for my perusal, but I can send you a very
primitive draft, if that is what you were looking for.
Ah, and I know how to make the root certs available to all keychain
apps in MacOS 9/X. I am not sure how to do that on plain unix, but I
guess for all openssl based apps it can be done.
For exim you clearly know how to.

What I do not know is how to use client certs, but simply because I
do not know of any mac client that can send them.

g

--
H U M P H
    || |||
  software


Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/
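As an added example (not from this thread, Exim's documentation or Giuliano's draft): a small POSIX shell script that builds the kind of private CA and server/client certificates described above with openssl, then runs the chain check that Exim's `verify = certificate` relies on, including the failure case of a client cert issued by a different CA. The CA name and host names are constructed placeholders; the Exim option names in the comments are the standard `tls_certificate`, `tls_privatekey` and `tls_verify_certificates` settings.

```shell
#!/bin/sh
# Constructed example: private CA for an Exim MTA that accepts relaying
# from home MTAs presenting a client certificate it issued.
set -e

# Create a self-signed CA in $1. The resulting ca.pem is what the Exim
# server points tls_verify_certificates at, so only certs chained to it
# will satisfy "verify = certificate" in the RCPT ACL.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Mail CA (constructed)" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# Issue a certificate named $2 with CN $3, signed by the CA in $1.
# For the server: $name.pem/$name.key go into tls_certificate/tls_privatekey.
# For a home MTA: the same pair is configured as its client certificate.
issue_cert() {
    dir=$1; name=$2; cn=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.pem" 2>/dev/null
}

# Same check the server performs on a presented client cert: does it
# chain to our CA? Returns 0 if trusted, non-zero otherwise.
verify_client() {
    cadir=$1; cert=$2
    openssl verify -CAfile "$cadir/ca.pem" "$cert" >/dev/null 2>&1
}

# Usage (also what the test below exercises):
#   make_ca work/ca
#   issue_cert work/ca server mail.example.test
#   issue_cert work/ca client homemta.example.test
#   verify_client work/ca work/ca/client.pem   # exit 0: relay allowed
```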