Ok, thanks for that tip.
Now a test connection looks like:
telnet myserver.de 25
Trying 1.1.1.1...
Connected to unix-solution.de.
Escape character is '^]'.
220 mail.myserver.de ESMTP Exim 4.80 Wed, 22 Jan 2014 14:39:54 +0100
ehlo localhost
250-mail.myserver.de Hello p578a6f5e.dip0.t-ipconnect.de [1.1.1.2]
250-SIZE 209715200
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
quit
221 mail.myserver.de closing connection
Connection closed by foreign host.
Does this mean that, first of all, the connection is encrypted by STARTTLS?
Next I tried md5-cram and got the following error:
(received and digest are anonymised)
23042 Process 23042 is ready for new message
23042 CRAM-MD5: user name = test
23042 challenge = <23042.1390398389@???>
23042 received = eeedc11e000024153d7511183d27acba0caffe11
23042 digest = 55ac3f21b6sdf4570c92e7266e1fge1b94fg7093
23042 LOG: MAIN REJECT
23042 fixed_cram authenticator failed for
p578a6f5e.dip0.t-ipconnect.de ([1.1.1.2]) [1.2.1.1] 535 Incorrect
authentication data (set_id=test)
Neither received nor digest is stored in the database.
The password in the DB is saved as an MD5 hash with a salt.
Regards,
Basti
On 22.01.2014 13:52, Wolfgang Breyha wrote:
> On 21/01/14 12:37, basti wrote:
>> I have installed Exim4 on my Debian Wheezy. All is running fine.
>> Now I try to use "fixed_cram" authenticator for more security.
>> [...]
>> 250-AUTH LOGIN
>> 250-STARTTLS
>
> Not announcing plaintext AUTH mechs on unencrypted connections would make
> your setup much more secure than adding CRAM-MD5;-)
>
> You can do that by adding
> server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
> to your LOGIN/PLAIN authenticators.
>
> Start exim with -d-all+auth for debugging. See
> http://exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_command_line.html
> for more debugging switches.
>
> Greetings, Wolfgang
>
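
The CRAM-MD5 exchange from the debug output above, as an added example that is not part of the original thread: RFC 2195 keys HMAC-MD5 with the plaintext secret on both sides, so a server that holds only a salted MD5 hash computes a different digest than the client sent. The challenge, user and secret are the RFC 2195 sample values; the salt and the md5(salt + password) storage scheme are assumptions, since the thread does not give the database format.

```python
import base64
import hashlib
import hmac


def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """RFC 2195: hex HMAC-MD5 over the challenge, keyed with the shared secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def client_response(user: str, password: str, challenge_b64: str) -> str:
    """What the client sends back: base64("<user> <hex digest>")."""
    challenge = base64.b64decode(challenge_b64)
    digest = cram_md5_digest(password.encode(), challenge)
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(response_b64: str, challenge: bytes, server_secret: bytes) -> bool:
    """The server recomputes the digest from whatever secret it has on file."""
    _user, _, received = base64.b64decode(response_b64).decode().rpartition(" ")
    expected = cram_md5_digest(server_secret, challenge)
    return hmac.compare_digest(received, expected)


# RFC 2195 sample values (not taken from the thread).
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
USER, PASSWORD = "tim", "tanstaaftanstaaf"

# Constructed: assumed storage scheme md5(salt + password), hex encoded.
SALT = b"s4lt"
STORED_HASH = hashlib.md5(SALT + PASSWORD.encode()).hexdigest().encode()


def demo() -> tuple:
    """Return (verified with plaintext secret, verified with stored hash)."""
    resp = client_response(USER, PASSWORD, base64.b64encode(CHALLENGE).decode())
    return (
        server_verify(resp, CHALLENGE, PASSWORD.encode()),
        server_verify(resp, CHALLENGE, STORED_HASH),
    )


if __name__ == "__main__":
    ok_plain, ok_hash = demo()
    print("server keyed with plaintext secret:", ok_plain)
    print("server keyed with salted MD5 hash: ", ok_hash)
```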