Re: [exim] What's the best way to secure both SMTP and POP auth…

Author: jtelep
Date:  
To: W B Hacker
CC: exim-users
Old-Topics: Re: [exim] What's the best way to secure both SMTPandPOPauthentication?
Subject: Re: [exim] What's the best way to secure both SMTP and POP authentication?
> jtelep@??? wrote:
>> Great, this helps so much. Thanks for your help Bill. So just for a
>> quick recap to be sure that I understand this correctly, once TLS is
>> enabled it handles all of encryption regarding SMTP traffic including
>> the
>> authentication. So I can use sasl-plain auth without being concerned
>> that
>> someone can "sniff" the user_id and password because the connection has
>> already been encrypted. Let me know if I am off base here at all.
>
> You need to ensure that you only allow PLAIN or LOGIN authentication on
> a TLS connection, otherwise a client could accidentally connect without
> TLS and send a password en-clair.
>
> This is usually done with:
>
> server_advertise_condition = ${if def:tls_cipher}
>
> in the authenticator definition.
>
> - Marc
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>

Yeah, what I had to do was (there were two places in the
/etc/exim4/exim4.conf.template file where "plain" authentication was an
option) comment out the first one that spoke only of 'plain' and then
uncomment the second one that was called 'plain_saslauthd_server', and
that definition looked like this:

# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH
plain_saslauthd_server:
  driver = plaintext
  public_name = PLAIN
  # $2 and $3 are the authentication id and password from the PLAIN exchange
  server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
  server_set_id = $2
  server_prompts = :
  # Only advertise PLAIN when the session already has a TLS cipher,
  # unless the AUTH_SERVER_ALLOW_NOTLS_PASSWORDS macro has been defined
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

That's the one I am using and I believe based on your example it contains
the correct authenticator definition. Does this sound/look right to you?

Thanks,

Jon
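A client-side way to confirm that the advertise condition in the definition above is doing its job, added here as an example and not part of the original thread: it parses EHLO responses for AUTH mechanisms and, optionally, connects to a live server to verify that PLAIN/LOGIN appear only after STARTTLS. The embedded EHLO responses are constructed samples, and the host name passed to the live check is an assumption.

```python
import smtplib
import ssl

# Mechanisms that carry the password itself over the channel, so they must
# only be offered once TLS is up (the point of the thread).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample EHLO responses for offline use; not captured from a real server.
EHLO_BEFORE_TLS = b"mail.example.test Hello client\nSIZE 52428800\n8BITMIME\nSTARTTLS\nHELP"
EHLO_AFTER_TLS = b"mail.example.test Hello client\nSIZE 52428800\n8BITMIME\nAUTH PLAIN LOGIN\nHELP"


def advertised_auth_mechs(ehlo_msg):
    """Return the SASL mechanisms named on the AUTH line(s) of an EHLO response.

    Handles the standard 'AUTH PLAIN LOGIN' form and the legacy 'AUTH=PLAIN LOGIN' form.
    """
    mechs = set()
    for line in ehlo_msg.decode("ascii", "replace").splitlines():
        line = line.strip()
        if line.upper().startswith("AUTH="):
            line = "AUTH " + line[5:]
        words = line.split()
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return mechs


def exposed_plaintext_mechs(ehlo_msg):
    """The advertised mechanisms that would leak a password if used without TLS."""
    return advertised_auth_mechs(ehlo_msg) & PLAINTEXT_MECHS


def check_auth_gating(host, port=25, timeout=10):
    """Live check (needs network): plaintext mechanisms advertised before and after
    STARTTLS. A correctly gated server reports an empty set for 'before_tls'."""
    report = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, msg = smtp.ehlo()
        report["before_tls"] = exposed_plaintext_mechs(msg)
        if not smtp.has_extn("starttls"):
            report["after_tls"] = None  # server offers no STARTTLS at all
            return report
        smtp.starttls(context=ssl.create_default_context())
        _, msg = smtp.ehlo()  # RFC 3207: EHLO must be re-issued after the handshake
        report["after_tls"] = exposed_plaintext_mechs(msg)
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed responses
    print("before TLS:", sorted(exposed_plaintext_mechs(EHLO_BEFORE_TLS)))  # []
    print("after TLS:", sorted(exposed_plaintext_mechs(EHLO_AFTER_TLS)))    # ['LOGIN', 'PLAIN']
```

Running `check_auth_gating("mail.example.test")` against a real host shows the same before/after split for that server.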