Re: [Exim] Outlook Express 6 is not authenticating TLS smtp …

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Marques Johansson
Date:  
À: Wakko Warner
CC: Exim Users
Sujet: Re: [Exim] Outlook Express 6 is not authenticating TLS smtp sessions
Wakko Warner wrote:

>These IIRC use AUTH PLAIN. Outlook uses LOGIN and SPA
>You don't have LOGIN there, outlook won't use PLAIN.
>
>

Thanks. After adding the following to
/etc/exim4/conf.d/auth/30_exim4-config_examples, OE6 was able to relay
via LOGIN.

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
server_set_id = $1

cram_md5:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${if saslauthd{{$1}{$2}}{1}{0}}
server_set_id = $1

SMTP: 23:21:59 [rx] 220 poe.websilo.com ESMTP Exim 4.32 Mon, 24 May 2004
23:24:47 -0400
SMTP: 23:21:59 [tx] EHLO ENGAGE
SMTP: 23:21:59 [rx] 250-poe.websilo.com Hello
pcp04134917pcs.maysld01.nj.comcast.net [68.44.183.109]
SMTP: 23:21:59 [rx] 250-SIZE 52428800
SMTP: 23:21:59 [rx] 250-PIPELINING
SMTP: 23:21:59 [rx] 250-AUTH LOGIN CRAM-MD5
SMTP: 23:21:59 [rx] 250-STARTTLS
SMTP: 23:21:59 [rx] 250 HELP
SMTP: 23:21:59 [tx] AUTH LOGIN
SMTP: 23:21:59 [rx] 334 blahblah
SMTP: 23:21:59 [tx] blarblar
SMTP: 23:21:59 [rx] 334 blueblue
SMTP: 23:21:59 [tx] bleeblee
SMTP: 23:21:59 [rx] 235 Authentication succeeded
SMTP: 23:21:59 [tx] MAIL FROM: xxx
SMTP: 23:21:59 [rx] 250 OK
SMTP: 23:21:59 [tx] RCPT TO: xxx
SMTP: 23:21:59 [rx] 250 Accepted


Notice how OE6 didn't bother to STARTTLS?

I am trying to require TLS before any authentication can happen. When I
try to put 'server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}'
in the login and cram_md5 blocks (as it has been in my plain_saslauthd
block), exim no longer appears to advertise any of the auth types, not
even 'AUTH' which was advertised before.

plain_saslauthd:
driver = plaintext
public_name = PLAIN
# don't send system passwords over unencrypted connections
server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
server_set_id = $2
server_prompts = :

SMTP: 23:29:28 [tx] EHLO ENGAGE
SMTP: 23:29:28 [rx] 250-poe.websilo.com Hello
pcp04134917pcs.maysld01.nj.comcast.net [68.44.183.109]
SMTP: 23:29:28 [rx] 250-SIZE 52428800
SMTP: 23:29:28 [rx] 250-PIPELINING
SMTP: 23:29:28 [rx] 250-STARTTLS
SMTP: 23:29:28 [rx] 250 HELP
SMTP: 23:29:28 [tx] MAIL FROM: ...
SMTP: 23:29:28 [rx] 250 OK
SMTP: 23:29:28 [tx] RCPT TO: ...
SMTP: 23:29:28 [rx] 550 relay not permitted


Is it possible to do SPA through sasl without a second password file?
Should exim not advertise AUTH LOGIN CRAM-MD5 until after the client
does STARTTLS under
my new configuration? Is OE just not wise enough to handle that?

I get the feeling that even if the advertisement is working correctly, Mike White, might be onto something with http://www.itweek.co.uk/News/1155304 which says Outlook doesn't do TLS right.

--
Marques Johansson
marques@???