Re: [exim] debugging 550 rejects 'after DATA' ?

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Fred Viles
Data:  
Para: exim-users
Asunto: Re: [exim] debugging 550 rejects 'after DATA' ?
On 10 Oct 2005 at 0:26, OpenMacNews wrote about
    "Re: [exim] debugging 550 rejects 'a":


|...
| (I wrote:)
| > Also of interest, you don't advertise SMTP AUTH in an unencrypted
| > session, even though you support CRAM-MD5. So the non-TLS session
| > isn't authenticated either.
|
| i'm fairly certain that's on purpose:


I figured so.

|     auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
| 
| the idea being, unless a sending client is using TLS, don't advertise anything ... hence
| (eventually) 'enforcing' use of TLS, no?


Maybe, but I thought the main issue is with allowing plain text AUTH
mechanisms on an unencrypted connection, where they are vulnerable to
sniffing.

But that's not a problem with CRAM-MD5 mechanism, so it's also
reasonable to use server_advertise_condition in the plain text
authenticators to exclude them from the advertised list on
unencrypted connections, allowing AUTH CRAM-MD5 to be used. That's
what I would do, anyway...

- Fred