Re: [exim] Secure authentication and tls_on_connect

Author: Mark Edwards
Date:  
To: exim-users
Subject: Re: [exim] Secure authentication and tls_on_connect
> On Tue, 6 Dec 2005 18:19:44 -0800, Mark Edwards
> <mark@xxxxxxxxxxxxxxxxx> wrote:
> >I want to set up authentication in exim so that users may only
> >authenticate securely, to eliminate the possibility of passwords
> >being passed in the clear. To this end, I have added the recommended
> >line to my authenticators:
> >
> > server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
> >
> >Works great, except it breaks Outlook Express Mac, which uses the
> >tls_on_connect functionality. Outlook works fine if the LOGIN
> >authenticator has no server_advertise_condition set, but breaks
> >otherwise, claiming the server doesn't support authentication.
> >Unfortunately, if I remove server_advertise_condition from my
> >LOGIN authenticator, other clients can then be set to authenticate in
> >the clear, which I do not want.
> >
> >Can anyone suggest a way to allow Outlook Express Mac clients to
> >connect without offering the possibility of any unencrypted logins?
>
> As Stephen says correctly, OjE doesn't do STARTTLS, so you need to run
> a tls on connect server on port 465. Additionally, you might need to
> fake the AUTH prompt since OjE breaks the RFCs in so many different
> ways.
>
> http://www.exim.org/eximwiki/AuthenticatedSmtpForBrokenClients
>
> might help here.
>
> Greetings
> Marc


Getting back to this thread...

Nobody has really understood my question, I think. I do have a tls
on connect server on port 465. It works great, as long as the OE Mac
client is set to port 465. However, in the default setting, if you
simply choose "This server requires secure authentication" OE Mac
seems to do its normal routine of checking on 25 to see if LOGIN
authentication is offered, and then switches to 465 to do tls on
connect. If I don't have LOGIN offered on 25, OE Mac fails
outright. I don't want to offer LOGIN on 25 without encryption. OE
Mac doesn't support STARTTLS.

Do you see the problem? If I don't offer LOGIN on 25 without
encryption, OE Mac will not work, unless it is specifically set to
use 465. At this point, I think I'm stuck. I'd rather not offer
unencrypted authentication than pander to OE Mac clients, so I'm just
going to require OE Mac clients to specify 465.

That is, unless anyone has any way around this catch-22.

I tried the "broken clients" link above, and that only seems to be
geared towards OE 4 Windows. OE Mac doesn't recognize it at all.
The two appear to be rather different in their non-standardness.

Thanks!

--
Mark Edwards
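A check a server operator can run to confirm the policy this thread is after (no AUTH advertised before TLS on port 25, AUTH available on the tls-on-connect port 465). This is an added example, not code from the thread or from Exim; the host name is a placeholder and the ports default to the ones discussed above.

```python
"""Probe an SMTP server and report where AUTH is advertised relative to TLS."""
import re
import smtplib
import ssl

# Matches "AUTH PLAIN LOGIN" as well as the older non-standard "AUTH=LOGIN"
# form that some legacy clients look for; tolerates a leading "250-" prefix.
_AUTH_LINE = re.compile(r"^(?:250[- ])?AUTH[ =](.+)$", re.IGNORECASE)


def auth_mechanisms(ehlo_response: bytes) -> set:
    """Return the AUTH mechanisms named in an EHLO reply (smtplib strips the codes)."""
    mechs = set()
    for line in ehlo_response.decode("ascii", "replace").splitlines():
        m = _AUTH_LINE.match(line.strip())
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def probe(host: str, plain_port: int = 25, tls_port: int = 465) -> dict:
    """Collect AUTH mechanisms seen in cleartext, after STARTTLS, and on tls-on-connect."""
    ctx = ssl.create_default_context()
    seen = {}
    with smtplib.SMTP(host, plain_port, timeout=10) as s:
        _, msg = s.ehlo()
        seen["cleartext"] = auth_mechanisms(msg)          # what a client on 25 sees first
        if s.has_extn("starttls"):
            s.starttls(context=ctx)
            _, msg = s.ehlo()
            seen["starttls"] = auth_mechanisms(msg)       # what it sees once TLS is up
    with smtplib.SMTP_SSL(host, tls_port, timeout=10, context=ctx) as s:
        _, msg = s.ehlo()
        seen["tls_on_connect"] = auth_mechanisms(msg)     # the port 465 path
    return seen


def violations(seen: dict) -> list:
    """Describe deviations from 'authenticate only under TLS'."""
    problems = []
    if seen.get("cleartext"):
        problems.append("AUTH advertised before TLS: " + " ".join(sorted(seen["cleartext"])))
    if not seen.get("tls_on_connect"):
        problems.append("no AUTH advertised on the tls-on-connect port")
    return problems


if __name__ == "__main__":
    # Placeholder host; replace with the server under test.
    print(violations(probe("mail.example.test")) or ["policy holds"])
```

The first function is what an Outlook Express style probe of port 25 effectively computes, so an empty cleartext set is exactly the condition that makes such a client give up unless it is pointed straight at 465.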