On Mon, 5 Jul 2010, Jakob Hirsch wrote:
>
>>>> acl_check_auth:
>>>> accept encrypted = *
>>>> deny message = TLS encryption required
>>> I would strongly recommend against this. This does not stop Exim from
>>> announcing that AUTH PLAIN is supported, so clients would send AUTH
>>> PLAIN together with their login information, e.g. "AUTH PLAIN
>>> AGZvbwBiYXI=", so it's too late to reject it.
>> It works great for me.
>>
>> My exim install doesn't offer AUTH PLAIN until STARTTLS
>> has kicked in.
>>
>> This may be because I also have this near the
>> beginning of my config:
>>
>> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
>
> You guessed right. :)
> If Exim does not announce AUTH, it won't accept AUTH commands.
>
>> So, do you still disrecommend this config, which
>> doesn't offer AUTH until TLS is started? If yes,
>> can you tell me why?
>
> It does not hurt, but it's also useless (and therefore gives a wrong
> feeling of security).
> Or do you have any "TLS encryption required" message in your log?
>
Sorry, I'm a bit confused.
The setup I have doesn't offer AUTH unless TLS
is started. This is so that if I am remote and
I need to send mail, my password isn't trivially
sniffed.
Where is the false sense of security?
--
--------------------------------------------------------
Dave Lugo dlugo@??? No spam, thanks.
Are you the police? . . . No ma'am, we're sysadmins.
--------------------------------------------------------
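
Added example, not part of the thread or of Exim: a small check of the two points discussed above, namely whether an EHLO reply seen before STARTTLS advertises AUTH PLAIN/LOGIN, and that the quoted "AUTH PLAIN AGZvbwBiYXI=" is only base64, so it is readable the moment it is sent. The EHLO replies, hostname and function names are constructed for illustration.

```python
import base64

# Constructed EHLO replies for illustration (hostname and values are made up).
BEFORE_TLS_LEAKY = """250-mail.example.org Hello client [192.0.2.10]
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP"""

BEFORE_TLS_GATED = """250-mail.example.org Hello client [192.0.2.10]
250-SIZE 52428800
250-STARTTLS
250 HELP"""

AFTER_TLS = """250-mail.example.org Hello client [192.0.2.10]
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250 HELP"""


def ehlo_extensions(reply):
    """Map each EHLO keyword to its parameters (multiline 250 reply)."""
    exts = {}
    for line in reply.splitlines()[1:]:  # first line is only the greeting
        if len(line) < 5 or line[:3] != "250" or line[3] not in "- ":
            continue
        words = line[4:].split()
        if words:
            exts[words[0].upper()] = [w.upper() for w in words[1:]]
    return exts


def cleartext_auth_mechs(reply_before_tls):
    """PLAIN/LOGIN offered without TLS: the password would cross the wire readable."""
    offered = ehlo_extensions(reply_before_tls).get("AUTH", [])
    return [m for m in offered if m in ("PLAIN", "LOGIN")]


def decode_auth_plain(b64):
    """Split an AUTH PLAIN response into (authzid, authcid, password)."""
    authzid, authcid, password = base64.b64decode(b64).split(b"\0", 2)
    return authzid.decode(), authcid.decode(), password.decode()


if __name__ == "__main__":
    print(cleartext_auth_mechs(BEFORE_TLS_LEAKY))  # AUTH advertised in the clear
    print(cleartext_auth_mechs(BEFORE_TLS_GATED))  # AUTH withheld until STARTTLS
    print(decode_auth_plain("AGZvbwBiYXI="))       # the string quoted in the thread
```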