Auteur: Ted Cooper Date: À: exim-users Sujet: Re: [exim] Outlook, Exim and TLS.
Drew Calcott wrote: > Has anyone come across this before? I had a search through the archives / FAQ
> and was unable to see anything directly related.
It has some really weird behaviour and expects strange things at the
server greeting. I never got around to figuring out exactly what it was
doing, but I did find a way for it to talk to an exim box without having
a cow but still doing what I wanted.
Connecting on a TLS on connect port doesn't seem to work. Best guess -
Outlook expects that the connection will be plaintext and then once it
sends a command it will head into TLS mode (as far as I can tell). TLS
on connect doesn't work like this so ... eh. Pretty sure outlook is in
the wrong.
Only allowing authentication to encrypted connections doesn't work
either as Outlook will NEVER attempt to authenticate if it didn't see a
listing of valid AUTH types in the initial server greeting it got before
heading into STARTTLS. It doesn't matter that they are present in the
second EHLO - I didn't actually check if Outlook sends a second one anyway.
In outlook - setting "This server requires TLS" makes it fail. Never
looked into it but it might be something similar to TLS on connect stuff.
In the end I had the following settings in outlook and exim:
exim:
Advertise AUTH to everyone on the submission port (587), encrypted or
not and used ACLs to prevent unencrypted use of AUTH even though this
still allows people to send their credentials in plain text if something
is misconfigured.
Advertise tls on 587, kill the TLS on connect port.
Outlook:
turn off anything that requires encryption, and set everything to use
TLS if available.
plonk in the username and password into the "my server needs
authentication with these details" type box.
Overall, a bit of a fight. Even after all that, Outlook will
occasionally ignore the TLS entirely and just try to authenticate
without TLS. Closing down Outlook and restarting it seems to magically
fix this and it wont happen again for a week or two.
Good luck :) I just swap people over to Thunderbird if they have too
many problems.