Re: [exim] Security in Exim

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Heiko Schlittermann
Datum:  
To: exim-users
Betreff: Re: [exim] Security in Exim
Hi,

Ajit Mhatre <ajitmhatre.9@???> (Mi 06 Mai 2015 12:07:01 CEST):
> i am having a problem in *exim4* ,that is* /etc/exim4/password.client*
> file contain *email id* and *password* . The both email id and password in
> Plain text format. so anyone can acess the password.client file can get my
> password.


Sounds like a Debian based installation.

This file is used when Exim acts as a SMTP Client, authenticating
with another SMTP Server. Exim needs to send the credentials to the
other side. So Exim needs to read the credentials. Some kind of hash
wouln't help here. Encrypting wouldn't help either, since Exim then
needs to know the key - stored in some configuration!?

Since Exim runs as Debian-Exim (or some other system user on other
systems) during SMTP delivery, it should be possible to chown this file
to Debian-Exim: and chmod u=r,go= this file. (I'd suppose, this file is
already 0600 Debian-exim:Debian-exim, isn't it?)

As the result, only processes running as Debian-Exim can access this
file.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -