Author: W B Hacker Date: To: exim-users Subject: Re: [exim] mysql authentication problem...
Ted Cooper wrote: > On Fri, 2009-10-09 at 20:00 +0100, Mike Cardwell wrote:
>> John Doe wrote:
>>> I have another question: how can I allow only encrypted/authenticated connections?
>> By specifying this in your authenticator you're saying "Only advertise
>> authentication as an available option if the connection is already
>> encrypted" :
>>
>> server_advertise_condition = ${if def:tls_cipher }
>>
>> If the client tries to use a feature that hasn't been advertised,
>> they'll get an error. So as it stands, you shouldn't be able to
>> authenticate unless the connection is encrypted... Is that not what
>> you're seeing?
>
> I've found I can't use this method with Outlook clients - if I don't
> advertise all the time, Outlook will never attempt to authenticate even
> after it has started an encrypted session.
I've not seen that.
Are you sure you have Outlook firmly told to use port 587
AND firmly told to use TLS?
AND firmly told to use the name and password?
If you are pointing it at port 25, it may think it has been promoted to MTA and
granted a free lunch.
> My end solution was to allow
> users to authenticate without encryption but reject all authenticated,
> non-encrypted attempts in acl_smtp_mail.
>
Bass-ackwards, IMNSHO.
First you encourage en-claire exposure of the UID:PWD ,,, then (little else
matters...)
