On Sat, 2009-10-10 at 10:47 +0800, W B Hacker wrote:
> Ted Cooper wrote:
> > I've found I can't use this method with Outlook clients - if I don't
> > advertise all the time, Outlook will never attempt to authenticate even
> > after it has started an encrypted session.
>
> I've not seen that.
Google "outlook bug STARTTLS 587"
<quote>
Note Outlook will only do STARTTLS on port 25, not 587. Since many
providers now block use of the that port, people who use Outlook and
need to use encryption and authenticated SMTP should use SSL and port
465 as an Advanced Setting
</quote>
Which kinda holds true - as I said, if you advertise LOGIN before
STARTTLS, outlook will do STARTTLS on port 587. One buggy big expensive
program.
> > My end solution was to allow
> > users to authenticate without encryption but reject all authenticated,
> > non-encrypted attempts in acl_smtp_mail.
> >
>
> Bass-ackwards, IMNSHO.
>
> First you encourage en-claire exposure of the UID:PWD ,,, then (little else
> matters...)
I don't encourage it, hence rejecting all mail from clients that have
provided their details in the clear. It was just the only way I could
get Outlook and all the other mail clients to work properly. The only
attempts I've had of credentials in the clear have been brute force
attempts by bots.
--
The Exim manual -
http://docs.exim.org
