----- Original Message -----
From: "Marques Johansson" <exim@???>
To: "Wakko Warner" <wakko@???>
Cc: "Exim Users" <exim-users@???>
Sent: Monday, May 24, 2004 11:57 PM
Subject: Re: [Exim] Outlook Express 6 is not authenticating TLS smtp sessions
> Wakko Warner wrote:
>
> >These IIRC use AUTH PLAIN. Outlook uses LOGIN and SPA
> >You don't have LOGIN there, outlook won't use PLAIN.
> >
> >
> Thanks. After adding the following to
> /etc/exim4/conf.d/auth/30_exim4-config_examples, OE6 was able to relay
> via LOGIN.
>
> login:
>   driver = plaintext
>   public_name = LOGIN
>   server_prompts = "Username:: : Password::"
>   server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
>   server_set_id = $1
>
> cram_md5:
>   driver = cram_md5
>   public_name = CRAM-MD5
>   server_secret = ${if saslauthd{{$1}{$2}}{1}{0}}
>   server_set_id = $1
>
> SMTP: 23:21:59 [rx] 220 poe.websilo.com ESMTP Exim 4.32 Mon, 24 May 2004 23:24:47 -0400
> SMTP: 23:21:59 [tx] EHLO ENGAGE
> SMTP: 23:21:59 [rx] 250-poe.websilo.com Hello pcp04134917pcs.maysld01.nj.comcast.net [68.44.183.109]
> SMTP: 23:21:59 [rx] 250-SIZE 52428800
> SMTP: 23:21:59 [rx] 250-PIPELINING
> SMTP: 23:21:59 [rx] 250-AUTH LOGIN CRAM-MD5
> SMTP: 23:21:59 [rx] 250-STARTTLS
> SMTP: 23:21:59 [rx] 250 HELP
> SMTP: 23:21:59 [tx] AUTH LOGIN
> SMTP: 23:21:59 [rx] 334 blahblah
> SMTP: 23:21:59 [tx] blarblar
> SMTP: 23:21:59 [rx] 334 blueblue
> SMTP: 23:21:59 [tx] bleeblee
> SMTP: 23:21:59 [rx] 235 Authentication succeeded
> SMTP: 23:21:59 [tx] MAIL FROM: xxx
> SMTP: 23:21:59 [rx] 250 OK
> SMTP: 23:21:59 [tx] RCPT TO: xxx
> SMTP: 23:21:59 [rx] 250 Accepted
>
>
> Notice how OE6 didn't bother to STARTTLS?
>
> I am trying to require TLS before any authentication can happen. When I
> try to put 'server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}'
> in the login and cram_md5 blocks (as it has been in my plain_saslauthd
> block), exim no longer appears to advertise any of the auth types, not
> even 'AUTH' which was advertised before.
Marques,
I ran into this same problem with OE. If you check "auth required" in OE,
it will authenticate as soon as it sees AUTH LOGIN, in preference to
STARTTLS. (Who codes for M$ anyway?!?!? Sheeesh) The trick is to
advertise things to OE in a certain order. The first EHLO should advert
STARTTLS but *not* AUTH; the 2nd EHLO (after TLS starts) must advert AUTH.
The way I do this is:
in the main section:
  tls_advertise_hosts = *
  auth_advertise_hosts = ${if eq{$tls_cipher}{}{127.0.0.1}{*}}
in acl_smtp_rcpt:
  accept authenticated = *
in acl_smtp_auth:
  accept encrypted = *
  accept hosts = 127.0.0.1
  deny message = TLS encryption required before AUTH
(The theory here being, if a message is coming from localhost, there is no
need to require encryption, since it's not going over a network.)
YMMV
Regards,
Jim Roberts
Punster Productions, Inc.
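An added check, not part of this thread, for the ordering Jim describes: a Python audit of an OE6-style client trace like the one Marques quoted, reporting whether AUTH was advertised or sent before TLS came up. The hostnames, the 334 challenge and the "TLS go ahead" reply in the sample traces are constructed stand-ins, not values from the thread.

```python
import re

# Matches the OE6 client-trace format quoted in the thread: "SMTP: hh:mm:ss [rx|tx] text"
TRACE_RE = re.compile(r"^SMTP: \d\d:\d\d:\d\d \[(rx|tx)\] (.*)$")

def audit_transcript(lines):
    """Report whether AUTH was advertised or used before TLS was negotiated."""
    tls_up = awaiting_tls_go = starttls_offered = auth_sent_pre_tls = False
    pre, post = [], []  # AUTH mechanisms advertised before / after TLS
    for raw in lines:
        m = TRACE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines carry no command of their own
        direction, text = m.group(1), m.group(2).strip()
        upper = text.upper()
        if direction == "tx":
            if upper == "STARTTLS":
                awaiting_tls_go = True  # the next 220 means TLS is starting
            elif upper.startswith("AUTH ") and not tls_up:
                auth_sent_pre_tls = True  # credentials crossed the wire unencrypted
            continue
        # Server side: EHLO capability lines look like "250-AUTH LOGIN CRAM-MD5"
        if awaiting_tls_go and upper.startswith("220"):
            tls_up, awaiting_tls_go = True, False
        elif upper.startswith(("250-", "250 ")):
            cap = text[4:].split()
            if cap and cap[0].upper() == "STARTTLS" and not tls_up:
                starttls_offered = True
            elif cap and cap[0].upper() == "AUTH":
                (post if tls_up else pre).extend(cap[1:])
    return {
        "starttls_offered": starttls_offered,
        "auth_advertised_pre_tls": pre,
        "auth_advertised_post_tls": post,
        "auth_sent_pre_tls": auth_sent_pre_tls,
        # The ordering Jim describes: STARTTLS offered first, AUTH only once encrypted
        "ok": starttls_offered and not pre and not auth_sent_pre_tls,
    }

def _trace(*msgs):  # "tx EHLO x" -> "SMTP: 23:21:59 [tx] EHLO x" (constructed samples)
    return ["SMTP: 23:21:59 [%s] %s" % (m[:2], m[3:]) for m in msgs]

BAD_TRACE = _trace("rx 220 mail.example.net ESMTP Exim 4.32", "tx EHLO ENGAGE",
                   "rx 250-AUTH LOGIN CRAM-MD5", "rx 250-STARTTLS", "rx 250 HELP",
                   "tx AUTH LOGIN", "rx 334 VXNlcm5hbWU6", "rx 235 Authentication succeeded")
GOOD_TRACE = _trace("rx 220 mail.example.net ESMTP Exim 4.32", "tx EHLO ENGAGE",
                    "rx 250-STARTTLS", "rx 250 HELP", "tx STARTTLS", "rx 220 TLS go ahead",
                    "tx EHLO ENGAGE", "rx 250-AUTH LOGIN CRAM-MD5", "rx 250 HELP",
                    "tx AUTH LOGIN", "rx 235 Authentication succeeded")
```

Feed it a saved OE log (one line per list element) and the report tells you whether the server still offers AUTH on the first EHLO, which is what lets OE send the password in the clear.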