Bug#283573: exim4: Server-side AUTH: require TLS

Marc Haber <mh+debian-packages@zugschlus.de>, 283573@bugs.debian.org
Tue, 30 Nov 2004 10:41:48 +0100


On Tue, Nov 30, 2004 at 10:11:46AM +0100, Olaf van der Spek wrote:
> Marc Haber wrote:
> >On Sun, Nov 28, 2004 at 11:28:29AM +0100, Olaf van der Spek wrote:
> >
> >>># Because AUTH LOGIN sends the password in clear, per default we only allow it
> >>># over encrypted connections. If you want to change this disable the existing
> >>
> >>Could you do the same for the server-side entries?
> >
> >
> >Configuring the server-side entries is not so easy since you need a
> >certificate for that.
> 
> True, but TLS is quite easy to setup.

Please provide a patch to be included post-sarge. TLS should be
usable out-of-the box after installing the package, so the patch
would have to ask for certificate data during installation and
generate the certificate in postinst.

> And shouldn't the goal be to not use plaintext passwords anywhere?

Yes, but the big commercial CAs have successfully stopped TLS from
being widely accepted by making it too damn expensive.

> >Once server-side TLS is configured, just configure
> 
> Hmm, I completely missed these two lines in plain_saslauthd:
> #   # don't send system passwords over unencrypted connections
> #   server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
> >auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
> >to have AUTH only advertised and accepted on encrypted connections.
> 
> Why is it only enabled for plain_saslauthd? That requires TLS too, right?

I don't know. Please note the difference between
server_advertise_condition and auth_advertise_hosts.
auth_advertise_hosts needs to be in the main configuration.

> And why does that use server_advertise_condition instead of 
> auth_advertise_hosts?

Because that seems to be something entirely different.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
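The distinction Marc draws above (auth_advertise_hosts lives in the main section, server_advertise_condition belongs to an individual authenticator) is easier to see side by side. The following fragment is an added example written for this thread; it is not code from the bug report or from the Debian exim4 package. The certificate and key paths and the "smtp" saslauthd service name are assumptions, and it assumes an Exim build with saslauthd support, as the Debian package's plain_saslauthd authenticator does.

```exim
# Added example, not part of the bug report or of the exim4 package.
# Assumed: certificate/key paths and the saslauthd service name "smtp".

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

# Offer STARTTLS to every client; without a certificate nothing below
# can ever become active, which is the problem Marc points out.
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_privatekey  = /etc/exim4/exim.key

# Global switch (main section only): advertise AUTH solely on sessions
# that are already encrypted. $tls_cipher is empty on a plaintext
# session, so the expansion yields an empty host list (advertise to
# nobody); once TLS is up it yields "*" (advertise to everybody).
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################

begin authenticators

# Per-authenticator switch: the same test, but it gates one driver only.
plain_saslauthd:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if saslauthd{{$auth2}{$auth3}{smtp}}{1}{0}}
  server_set_id = $auth2
  # don't send system passwords over unencrypted connections
  server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}

# Without the same condition here, LOGIN would still be advertised on
# plaintext sessions whenever auth_advertise_hosts is not restricted.
login_saslauthd:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if saslauthd{{$auth1}{$auth2}{smtp}}{1}{0}}
  server_set_id = $auth1
  server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
```

Either mechanism alone prevents a client from being offered AUTH before STARTTLS, but they differ in scope: auth_advertise_hosts switches off AUTH as a whole for the matching hosts, while server_advertise_condition has to be repeated in every authenticator you want to protect, which is why a condition present only in plain_saslauthd leaves LOGIN exposed. Newer Exim releases name the variable $tls_in_cipher; $tls_cipher is the name current for the 2004 version discussed here.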