Re: [exim] debugging 550 rejects 'after DATA' ?

Author: Fred Viles
Date:
To: exim-users
Subject: Re: [exim] debugging 550 rejects 'after DATA' ?
On 10 Oct 2005 at 0:26, OpenMacNews wrote about
    "Re: [exim] debugging 550 rejects 'a":


|...
| (I wrote:)
| > Also of interest, you don't advertise SMTP AUTH in an unencrypted
| > session, even though you support CRAM-MD5. So the non-TLS session
| > isn't authenticated either.
|
| i'm fairly certain that's on purpose:


I figured so.

|     auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
| 
| the idea being, unless a sending client is using TLS, don't advertise anything ... hence
| (eventually) 'enforcing' use of TLS, no?


Maybe, but I thought the main issue is with allowing plain text AUTH
mechanisms on an unencrypted connection, where they are vulnerable to
sniffing.

But that's not a problem with the CRAM-MD5 mechanism, so it's also
reasonable to use server_advertise_condition in the plain text
authenticators to exclude them from the advertised list on
unencrypted connections, allowing AUTH CRAM-MD5 to be used. That's
what I would do, anyway...

- Fred
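
The two approaches discussed in this message, side by side as an Exim configuration fragment. This is an added example, not part of the original post or of either poster's configuration; the authenticator names (plain, login, cram) are assumptions, and the credential-checking options are left out because they are site-specific.

```conf
# Constructed Exim configuration fragment (illustration only).
# Credential checks (server_condition, server_secret, server_set_id) are
# site-specific and omitted here; keep the ones already in place.

# --- main configuration section ---
# Setting quoted in the thread: when $tls_cipher is empty the host list
# expands to nothing, so no AUTH mechanism at all is advertised on a
# cleartext session.
#   auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
#
# Alternative from the reply: advertise AUTH to every host (the default)
# and let each authenticator decide whether it may be offered.
auth_advertise_hosts = *

# --- authenticators section ---
begin authenticators

# PLAIN and LOGIN send the password itself, so they are advertised only
# once a TLS cipher has been negotiated. An expansion result of "no"
# (or empty, "0", "false") keeps the mechanism out of the EHLO response.
# Current Exim documentation names this variable $tls_in_cipher.
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

# CRAM-MD5 is a challenge-response exchange in which the password does
# not cross the wire, so it carries no advertise condition and is
# offered on both cleartext and TLS sessions.
cram:
  driver = cram_md5
  public_name = CRAM-MD5
```

With this layout, an EHLO on a cleartext session should list only CRAM-MD5 on the AUTH line, and the same EHLO after STARTTLS should list all three mechanisms.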