Re: [exim] debugging 550 rejects 'after DATA' ?

Góra strony
Delete this message
Reply to this message
Autor: OpenMacNews
Data:  
Dla: exim-users
Temat: Re: [exim] debugging 550 rejects 'after DATA' ?
hi fred,

> | i'm fairly certain that's on purpose:
>
> I figured so.
>
> |     auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}


heh. never quite certain at that hour ...

> | the idea being, unless a sending client is using TLS, don't advertise anything ... hence
> | (eventually) 'enforcing' use of TLS, no?
>
> Maybe, but I thought the main issue is with allowing plain text AUTH
> mechanisms on an unencrypted connection, where they are vulnerable to
> sniffing.


yup. iiuc, that seems to be the most oft mentioned , 'main' issue ..

this is just my effort to feed my OCD daemons ...

i do not _think_ it's causing any problems _here_ tho, but it will get temporarily disabled
while figuring this out ...

> But that's not a problem with CRAM-MD5 mechanism, so it's also
> reasonable to use server_advertise_condition in the plain text
> authenticators to exclude them from the advertised list on
> unencrypted connections, allowing AUTH CRAM-MD5 to be used. That's
> what I would do, anyway...


yup. already there:

sasl_plain:
    driver                   = cyrus_sasl
    server_set_id            = $1
    public_name              = PLAIN
    server_service           = smtp
    server_hostname          = $primary_hostname
    server_realm             = $primary_hostname
    server_advertise_condition = ${if !eq\
                                   {}\
                                   {$tls_cipher}\
                                  }


cheers,

richard
- --

/"\
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments

[GPG] OpenMacNews
fingerprint: 3F07 3CFD 138A FD91 A4A6 1840 1A7A 8CCB 882F 67A1