Author: James P Roberts Date: To: Wakko Warner CC: Exim Users Subject: Re: [Exim] Outlook Express 6 is not authenticating TLS smtp sessions
----- Original Message -----
From: "Wakko Warner" <wakko@???>
To: "James P Roberts" <punster@???>
Cc: "Exim Users" <exim-users@???>
> > >
> > > I am trying to require TLS before any authentication can happen. When I
> > > try to put 'server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}'
> > > in the login and cram_md5 blocks (as it has been in my plain_saslauthd
> > > block), exim no longer appears to advertise any of the auth types, not
> > > even 'AUTH' which was advertised before.
> >
> > Marques,
> > it will authenticate as soon as it sees AUTH LOGIN, in preference to
> > STARTTLS. (Who codes for M$ anyway?!?!? Sheeesh) The trick is to
> > advertise things to OE in a certain order. The first EHLO should advert
> > STARTTLS but *not* AUTH, the 2nd EHLO (after TLS starts) must advert AUTH.
> > The way I do this is:
>
> I'm not sure on this. The only outlook I've tested with is 2000. I have
> tried a few things with OE6, but it's been a while. I was trying to use ssl
> certs as the means to control relaying. Unfortunately oe6, outlook 2000,
> outlook xp won't send a client cert to the server.
>
> I successfully configured LOGIN (for outlook), PLAIN (netscape), CRAM-MD5
> (not actually used) and SPA (outlook).
>
Well, the version I tested with was OE 6, specifically. I actually went to
the effort of tracing the packets to see what was happening. And, as
Marques saw, if OE 6 sees both STARTTLS and AUTH adverts, and you tell it it
needs to authenticate, it WILL ignore the STARTTLS and try to authenticate
first. Which doesn't work *if* you *require* encrypted connection before
auth. So, you have to trick OE 6 into doing it in the right order, by not
advertising AUTH until you have established a secure connection. This is
not a terribly bad thing, anyway, since it does agree with what you want
clients to do with your server:
If connection is unencrypted, advertise STARTTLS, but not AUTH.
If connection *is* encrypted, advertise AUTH (but not STARTTLS, come to
think of it?)
Alternatively, a different port instead of 25. OE 6 (and others) will use
SMTPS instead of TLS on any port other than 25, which is encrypted from the
get-go, BUT, you need something SMTPS-enabled listening on that port. I
suggest the registered "smtps" port, which is different from the
"submission" port (which can then be used for non-M$-brain-damaged clients).
See online docs and/or list archives for details on how to use Exim to do
this. (Stunnel is another option here, but it's cleaner to use a second
instance of Exim.)
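The ordering trick discussed in this thread, as an added simulation that is not part of the original messages and not Exim or Outlook Express code. A toy SMTP server decides which EHLO keywords to advertise depending on whether TLS is already active, under two policies: the naive one (STARTTLS and AUTH advertised together) and the ordered one from the reply above (STARTTLS alone on a cleartext session, AUTH alone once TLS is up). A toy client modelled on the described OE 6 behaviour authenticates as soon as it sees AUTH, which is what makes the naive policy fail when the server requires TLS before AUTH. The host names, keyword lists and reply strings are constructed for the example; in a real Exim configuration the same effect comes from the `server_advertise_condition` shown in the quoted message (or from expanding `auth_advertise_hosts` on `$tls_in_cipher`), which this model only imitates.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """State of one constructed SMTP session (no sockets, no real TLS)."""
    tls_active: bool = False
    authenticated: bool = False
    transcript: list = field(default_factory=list)


def ehlo_keywords(tls_active: bool, ordered: bool) -> list:
    """Keywords the server advertises in its EHLO response."""
    if ordered:
        # Ordered policy from the thread: STARTTLS alone while cleartext,
        # AUTH alone (no STARTTLS) once the session is encrypted.
        return ["AUTH LOGIN PLAIN"] if tls_active else ["STARTTLS"]
    # Naive policy: both keywords in the very first EHLO response.
    return ["AUTH LOGIN PLAIN"] if tls_active else ["STARTTLS", "AUTH LOGIN PLAIN"]


def handle(session: Session, command: str, ordered: bool) -> str:
    """Server side: process one command. TLS is required before AUTH under both policies."""
    session.transcript.append(f"C: {command}")
    if command.startswith("EHLO"):
        keywords = ehlo_keywords(session.tls_active, ordered)
        reply = "\n".join(["250-mail.example"] + keywords)
    elif command == "STARTTLS":
        if session.tls_active:
            reply = "503 TLS already active"
        else:
            session.tls_active = True  # the handshake itself is not modelled
            reply = "220 Ready to start TLS"
    elif command.startswith("AUTH"):
        if not session.tls_active:
            reply = "530 Must issue a STARTTLS command first"  # RFC 3207 wording
        else:
            session.authenticated = True  # credential check not modelled
            reply = "235 Authentication succeeded"
    else:
        reply = "500 Unrecognised command"
    session.transcript.append(f"S: {reply}")
    return reply


def oe6_like_client(ordered: bool) -> Session:
    """Client modelled on the behaviour described in the thread: if AUTH is
    advertised it authenticates immediately, even when STARTTLS is advertised
    alongside it; it only issues STARTTLS when that is the sole option."""
    session = Session()
    for _ in range(2):  # at most one EHLO before STARTTLS and one after
        reply = handle(session, "EHLO client.example", ordered)
        keywords = reply.splitlines()[1:]
        if any(k.startswith("AUTH") for k in keywords):
            handle(session, "AUTH LOGIN", ordered)
            break  # the client reports whatever outcome it got
        if "STARTTLS" in keywords:
            handle(session, "STARTTLS", ordered)
            continue
        break
    return session


if __name__ == "__main__":
    for ordered in (False, True):
        s = oe6_like_client(ordered)
        print(f"ordered={ordered}: tls={s.tls_active} authenticated={s.authenticated}")
        print("\n".join(s.transcript))
        print()
```

Running it prints the two transcripts side by side: with the naive policy the client sends AUTH LOGIN on the cleartext session and receives the 530 rejection, never getting to STARTTLS; with the ordered policy the first EHLO offers only STARTTLS, the client upgrades, and the second EHLO offers AUTH, so authentication happens over the encrypted session. The same check is worth repeating against a real server with a packet capture, as the reply above describes, because the client's preference order, not the server's, is what decides the outcome.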