[exim-dev] [Bug 512] [PATCH] Let client authentication depen…

Inizio della pagina
Delete this message
Reply to this message
Autore: bug512
Data:  
To: exim-dev
Oggetto: [exim-dev] [Bug 512] [PATCH] Let client authentication depend upon TLS being present
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

http://www.exim.org/bugzilla/show_bug.cgi?id=512





------- Comment #3 from exim-dev@??? 2007-06-14 20:43 -------
(In reply to comment #2)
> I'm trying to work out why this is necessary. Can't you just set
> hosts_require_tls to the same list as hosts_require_auth? Secondly, I don't
> think you need a new variable. Won't tls_cipher do? What am I missing here?


tls_cipher is the cipher used when the message was received and isn't (AFAICT)
set to the outbound cipher; the only current handling of the outbound cipher is
that the +tls_cipher log selector will get the connection's cipher. I doubt
that it'd be a good plan to change which security context the variable refers
to just because it's being used in an smtp transport. Hence the new variable.

I've just set up Exim on my laptop; I'll use multiple smarthosts, depending
upon where I am. I don't mind if a smarthost offers GSSAPI or DIGEST-MD5 (or
even CRAM-MD5) authentication in cleartext. I do mind if it suddenly offers
plaintext authentication in cleartext. Just as you can use
server_advertise_condition to confirm ${if def:tls_cipher} before offering
plaintext, the reciprocal client security should be able to set, by policy,
that plaintext will only be tried in the smtp transport if protected by the
cipher. No matter where the host is. Policy encoding, rather than current
host list encoding.

PS: Exim works great on MacOS 10.4.9 x86. I probably did need the fink
packages though, so I don't know how it would be on a "bare" system. :^)

--
Configure bugmail: http://www.exim.org/bugzilla/userprefs.cgi?tab=email