Re: [exim] Authentication on port 587 and 25

Top Pagina
Delete this message
Reply to this message
Auteur: John Jetmore
Datum:  
Aan: Rick Boucher
CC: exim-users
Onderwerp: Re: [exim] Authentication on port 587 and 25
On Wed, Jun 23, 2010 at 5:53 PM, Rick Boucher <rboucher@???> wrote:
> Yes I do.  How might I write that command to allow an authenicator over port 587?
>
> On Jun 21, 2010, at 6:31 PM, John Jetmore wrote:
>
>> Do you have something like this in your authenticators?
>>
>>  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
>>
>> That causes exim to only advertise the authenticator over a connection
>> on which TLS has been negotiated.


How are you testing? It seems possible that you're having client
problems which you're interpreting as server problems.

So:

- you are running exim on ports 25, 465, and 587.
- you are running tls-on-connect on 465
- you are only advertising authentication over tls-encrypted links

To me this suggests that whatever method you are using to test
authentication over 25 and 587 isn't attempting to negotiate TLS
first.

One way you could test/solve this would be to remove
"server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}" from
your authenticator. Be aware, however, that some authentication
types, if performed over plaintext and snooped, can reveal your
password. That's the reason PLAIN and LOGIN are often only allowed
over TLS-encrypted sessions. So you could turn off the requirement,
but you'd be less secure.

I think the best next step would be to ensure that the client you're
using for testing is actually attempting to negotiate TLS before it
tries to authenticate. That's what tools like swaks and smtpc were
written for, you might have a look at them.

--John