Re: [exim] mail.app and authentication

Inizio della pagina
Delete this message
Reply to this message
Autore: Philip Hazel
Data:  
To: Clive McDowell
CC: exim-users
Oggetto: Re: [exim] mail.app and authentication
On Fri, 3 Mar 2006, Clive McDowell wrote:

> we have a problem with mail.app and also kmail. Our site only advertises
> AUTH for IP addresses outside our domain for the reasons explained in the
> Exim book. For some reason mail.app and kmail will only authenticate
> correctly if AUTH is advertised. This happens over ports 25, 465 and 587.
> Both Thunderbird and Outlook seem to work OK without AUTH being advertised.
> Is this a problem with mail.app and kmail or is there something in Exim we
> can tweak to get this working?


The rules state that AUTH must be advertised before it can be used. The
whole point of advertising extensions is to stop clients trying to use
extensions that the server doesn't implement. It looks to me as though
mail.app and kmail are behaving impeccably in this regard. When you say
"seem to work OK" for Thunderbird and Outlook, what do you mean? My
hunch is that they are delivering just fine without every trying to
authenticate.

I'm not sure what your problem is. I presume you are talking about
clients all of whom are inside your domain. The point of not advertising
AUTH is to stop clients from even trying to authenticate (because you
are authenticating them by IP address, so they don't need to) so that
they don't unnecessarily ask users for passwords. If you want clients to
use AUTH inside your domain, then you should advertise it to them.
That's the Exim "tweak".

My guess is that mail.app and kmail are refusing to work without
authentication, whereas Thunderbird and Outlook are happy to do so.
Maybe there's some way of configuring them not to require it?

Having said all that, yesterday I implemented this new feature of Exim:

PH/17 The ACL modifier control=allow_auth_unadvertised can be used to
      permit a client host to use the SMTP AUTH command even when it has
      not been advertised in response to EHLO. Furthermore, because
      there are apparently some really broken clients that do this, Exim
      will even accept AUTH after HELO when this control is set. It
      should only be used if you really need it, and you should limit
      its use to those broken hosts that do not work without it. For
      example:


        warn hosts   = 192.168.34.25                                         
             control = allow_auth_unadvertised                                 


      This control is permitted only in the connection and HELO ACLs.


However, based on what you said above, I don't believe this will help
you, because I don't think your clients are broken, and I don't think
there's anything that could be done in Exim to help. Either it
advertises AUTH or it doesn't...

-- 
Philip Hazel            University of Cambridge Computing Service
Get the Exim 4 book:    http://www.uit.co.uk/exim-book