Bug#283573: exim4: Server-side AUTH: require TLS
Olaf van der Spek
Olaf van der Spek <OvdSpek@LIACS.NL>, 283573@bugs.debian.org
Tue, 30 Nov 2004 10:11:46 +0100
Marc Haber wrote:
> On Sun, Nov 28, 2004 at 11:28:29AM +0100, Olaf van der Spek wrote:
>
>>># Because AUTH LOGIN sends the password in clear, per default we only allow it
>>># over encrypted connections. If you want to change this disable the existing
>>
>>Could you do the same for the server-side entries?
>
>
> Configuring the server-side entries is not so easy since you need a
> certificate for that.
True, but TLS is quite easy to set up.
And shouldn't the goal be to not use plaintext passwords anywhere?
> Once server-side TLS is configured, just configure
Hmm, I completely missed these two lines in plain_saslauthd:
# # don't send system passwords over unencrypted connections
# server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
> to have AUTH only advertised and accepted on encrypted connections.
Why is it only enabled for plain_saslauthd? That requires TLS too, right?
And why does that use server_advertise_condition instead of
auth_advertise_hosts?
>
> Greetings
> Marc
>
--
Olaf van der Spek
http://xccu.sf.net/
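
An added example, not part of the original message or of the Debian package: a simplified Python audit that flags `plaintext`-driver server authenticators in an Exim configuration that are not gated on TLS, either per authenticator through `server_advertise_condition` or globally through `auth_advertise_hosts`. The sample configuration and its authenticator names are constructed, and the check is a heuristic that only looks for a reference to the TLS cipher variable.

```python
import re

# Constructed sample config (not from the bug report); names are hypothetical.
SAMPLE = """\
begin authenticators

plain_server:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
login_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
"""

# Heuristic: an expansion counts as TLS-gated if it references the cipher variable.
TLS_VAR = re.compile(r"\$\{?tls_(in_)?cipher\b")

def parse(text):
    """Return (main_options, {authenticator_name: options}); ignores macros/.ifdef."""
    main, auths, section, current = {}, {}, "main", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"begin\s+(\w+)$", line)
        if m:
            section, current = m.group(1), None
        elif section == "authenticators" and re.match(r"\w+:$", line):
            current = auths.setdefault(line[:-1], {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            target = main if section == "main" else current
            if target is not None:  # options of other sections are skipped
                target[key] = value
    return main, auths

def cleartext_auth_without_tls(text):
    """Names of plaintext server authenticators offered without a TLS gate."""
    main, auths = parse(text)
    if TLS_VAR.search(main.get("auth_advertise_hosts", "")):
        return []  # AUTH as a whole is only advertised on encrypted connections
    return sorted(name for name, opts in auths.items()
                  if opts.get("driver") == "plaintext" and "server_condition" in opts
                  and not TLS_VAR.search(opts.get("server_advertise_condition", "")))
```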