hi fred,
> | i'm fairly certain that's on purpose:
>
> I figured so.
>
> | auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
heh. never quite certain at that hour ...
> | the idea being, unless a sending client is using TLS, don't advertise anything ... hence
> | (eventually) 'enforcing' use of TLS, no?
>
> Maybe, but I thought the main issue is with allowing plain text AUTH
> mechanisms on an unencrypted connection, where they are vulnerable to
> sniffing.
yup. iiuc, that seems to be the most oft-mentioned 'main' issue ..
this is just my effort to feed my OCD daemons ...
i do not _think_ it's causing any problems _here_ tho, but it will get temporarily disabled
while figuring this out ...
> But that's not a problem with the CRAM-MD5 mechanism, so it's also
> reasonable to use server_advertise_condition in the plain text
> authenticators to exclude them from the advertised list on
> unencrypted connections, allowing AUTH CRAM-MD5 to be used. That's
> what I would do, anyway...
yup. already there:
sasl_plain:
  driver = cyrus_sasl
  server_set_id = $1
  public_name = PLAIN
  server_service = smtp
  server_hostname = $primary_hostname
  server_realm = $primary_hostname
  # only advertise PLAIN once the session is under TLS
  # ($tls_cipher is empty on a cleartext connection)
  server_advertise_condition = ${if !eq{}{$tls_cipher}}
cheers,
richard
--
/"\
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews
fingerprint: 3F07 3CFD 138A FD91 A4A6 1840 1A7A 8CCB 882F 67A1
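The way to confirm that a server_advertise_condition like the one above actually does what the thread wants is to look at what the server advertises in its EHLO reply before and after STARTTLS. The script below is an added example and is not from the thread or from Exim: it parses the AUTH line(s) of an EHLO reply, flags PLAIN/LOGIN offered on a cleartext connection, and can probe a live server (the host and port in probe_server() are placeholders; the EHLO replies used in the test are constructed by hand).

```python
"""
Added example (not from the original thread or from Exim): check which SASL
mechanisms an SMTP server advertises before and after STARTTLS, which is the
observable effect of the server_advertise_condition discussed above.

Assumptions: host/port passed to probe_server() are placeholders chosen by the
caller; the EHLO replies in CLEARTEXT_EHLO / TLS_EHLO / BAD_EHLO are
constructed sample data, not captures from any real server.
"""
import smtplib
import ssl

# Mechanisms that hand the server a recoverable credential and so must not be
# offered on a cleartext connection. CRAM-MD5 is deliberately not listed: the
# thread's point is that it is acceptable without TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample EHLO replies (not real captures).
CLEARTEXT_EHLO = (b"250-mail.example.test Hello client\r\n"
                  b"250-SIZE 52428800\r\n"
                  b"250-STARTTLS\r\n"
                  b"250-AUTH CRAM-MD5\r\n"
                  b"250 HELP\r\n")
TLS_EHLO = (b"250-mail.example.test Hello client\r\n"
            b"250-SIZE 52428800\r\n"
            b"250-AUTH PLAIN CRAM-MD5\r\n"
            b"250 HELP\r\n")
BAD_EHLO = (b"250-mail.example.test Hello client\r\n"
            b"250-STARTTLS\r\n"
            b"250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
            b"250 HELP\r\n")


def parse_auth_mechs(ehlo_response):
    """Return the set of SASL mechanism names in a multi-line 250 EHLO reply.

    Accepts bytes or str. Understands both the standard 'AUTH PLAIN LOGIN'
    keyword form and the legacy 'AUTH=PLAIN LOGIN' form.
    """
    if isinstance(ehlo_response, bytes):
        ehlo_response = ehlo_response.decode("ascii", "replace")
    mechs = set()
    for line in ehlo_response.splitlines():
        # Drop a leading "250-" / "250 " reply code if present.
        if len(line) >= 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]
        keyword, _, args = line.strip().partition(" ")
        upper = keyword.upper()
        if upper == "AUTH":
            mechs.update(m.upper() for m in args.split())
        elif upper.startswith("AUTH="):
            first = keyword[5:]
            mechs.update(m.upper() for m in [first] + args.split() if m)
    return mechs


def audit_advertisement(cleartext_mechs, tls_mechs):
    """Compare the mechanism sets seen before and after STARTTLS.

    Returns a list of findings; an empty list means the server matches the
    goal in the thread: no PLAIN/LOGIN without TLS, and something usable is
    still advertised once TLS is up.
    """
    findings = []
    leaked = cleartext_mechs & PLAINTEXT_MECHS
    if leaked:
        findings.append("plaintext mechanism(s) advertised without TLS: "
                        + ", ".join(sorted(leaked)))
    if not tls_mechs:
        findings.append("no AUTH mechanisms advertised after STARTTLS; "
                        "clients will be unable to authenticate at all")
    return findings


def probe_server(host, port=587, timeout=10):
    """Fetch the advertised mechanism sets from a live server (not run by the
    test). host/port are assumptions supplied by the caller."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = set(s.esmtp_features.get("auth", "").upper().split())
        s.starttls(context=ssl.create_default_context())
        s.ehlo()  # EHLO again: the feature list may change under TLS
        after = set(s.esmtp_features.get("auth", "").upper().split())
    return before, after


if __name__ == "__main__":
    before = parse_auth_mechs(CLEARTEXT_EHLO)
    after = parse_auth_mechs(TLS_EHLO)
    print("cleartext:", sorted(before), "tls:", sorted(after))
    print("findings:", audit_advertisement(before, after) or "none")
```

Run against a live host with probe_server("mail.example.test") and feed the two sets to audit_advertisement(); an empty findings list means PLAIN (and LOGIN) only appear once $tls_cipher is non-empty, which is exactly the state the sasl_plain stanza above is meant to produce.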