Re: [exim] Exim TLS - problem

Author: Dave Lugo
Date:  
To: exim-users
Subject: Re: [exim] Exim TLS - problem
On Mon, 5 Jul 2010, Jakob Hirsch wrote:
>
>>>> acl_check_auth:
>>>>    accept  encrypted = *
>>>>    deny    message   = TLS encryption required
>>> I would strongly recommend against this. This does not stop Exim from
>>> announcing that AUTH PLAIN is supported, so clients would send AUTH
>>> PLAIN together with their login information, e.g. "AUTH PLAIN
>>> AGZvbwBiYXI=", so it's too late to reject it.
>> It works great for me.
>>
>> My exim install doesn't offer AUTH PLAIN until STARTTLS
>> has kicked in.
>>
>> This may be because I also have this near the
>> beginning of my config:
>>
>> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
>
> You guessed right. :)
> If Exim does not announce AUTH, it won't accept AUTH commands.
>
>> So, do you still disrecommend this config, which
>> doesn't offer AUTH until TLS is started? If yes,
>> can you tell me why?
>
> It does not hurt, but it's also useless (and therefore gives a wrong
> feeling of security).
> Or do you have any "TLS encryption required" message in your log?
>


Sorry, I'm a bit confused.

The setup I have doesn't offer AUTH unless TLS
is started. This is so that if I am remote and
I need to send mail, my password isn't trivially
sniffed.

Where is the false sense of security?

-- 
--------------------------------------------------------
  Dave Lugo     dlugo@???      No spam, thanks.
  Are you the police?  . . .  No ma'am, we're sysadmins.
--------------------------------------------------------
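
An added example, not part of the original message or of Exim itself: a Python check for the behaviour discussed in this thread, showing that the quoted AUTH PLAIN string is only base64 and classifying a server by whether its EHLO reply advertises AUTH before STARTTLS. The EHLO replies, the host name `mail.example.test` and all function names are constructed for illustration; `probe()` does the same check live with `smtplib` against a host you administer.

```python
import base64
import smtplib

def decode_auth_plain(b64):
    """Split an AUTH PLAIN initial response into (authzid, authcid, password)."""
    authzid, authcid, password = base64.b64decode(b64).split(b"\0")
    return authzid.decode(), authcid.decode(), password.decode()

def auth_mechanisms(ehlo_lines):
    """Return the SASL mechanisms advertised in a list of EHLO reply lines."""
    mechs = []
    for line in ehlo_lines:
        keyword = line[4:].strip()  # drop the "250-" / "250 " prefix
        if keyword.upper().startswith("AUTH"):
            mechs.extend(keyword.split()[1:])
    return mechs

def audit(pre_tls, post_tls):
    """Classify a server from its EHLO replies before and after STARTTLS."""
    if auth_mechanisms(pre_tls):
        return "AUTH advertised in cleartext"
    if auth_mechanisms(post_tls):
        return "AUTH advertised only after STARTTLS"
    return "AUTH not advertised"

def probe(host, port=25):
    """Live form of the check: (AUTH before TLS?, AUTH after TLS?). Needs network."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = s.has_extn("auth")
        s.starttls()  # certificate is not verified here; this only reads the EHLO reply
        s.ehlo()
        return before, s.has_extn("auth")

# Constructed EHLO replies: with and without the auth_advertise_hosts condition.
PRE_TLS_GATED = ["250-mail.example.test Hello", "250-SIZE 52428800", "250-STARTTLS", "250 HELP"]
PRE_TLS_OPEN = PRE_TLS_GATED[:2] + ["250-AUTH PLAIN LOGIN"] + PRE_TLS_GATED[2:]
POST_TLS = ["250-mail.example.test Hello", "250-SIZE 52428800", "250-AUTH PLAIN LOGIN", "250 HELP"]

if __name__ == "__main__":
    print(decode_auth_plain("AGZvbwBiYXI="))  # the string quoted in the thread
    print(audit(PRE_TLS_OPEN, POST_TLS))
    print(audit(PRE_TLS_GATED, POST_TLS))
```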