Bug#283573: exim4: Server-side AUTH: require TLS
Olaf van der Spek
Olaf van der Spek <OvdSpek@LIACS.NL>, 283573@bugs.debian.org
Tue, 30 Nov 2004 11:06:28 +0100
Marc Haber wrote:
> On Tue, Nov 30, 2004 at 10:11:46AM +0100, Olaf van der Spek wrote:
>
>>Marc Haber wrote:
>>
>>>On Sun, Nov 28, 2004 at 11:28:29AM +0100, Olaf van der Spek wrote:
>>>
>>>
>>>>># Because AUTH LOGIN sends the password in clear, per default we only allow it
>>>>># over encrypted connections. If you want to change this disable the existing
>>>>
>>>>Could you do the same for the server-side entries?
>>>
>>>
>>>Configuring the server-side entries is not so easy since you need a
>>>certificate for that.
>>
>>True, but TLS is quite easy to setup.
>
>
> Please provide a patch to be included post-sarge. TLS should be
> useable out-of-the box after installing the package, so the patch
> would have to ask for certificate data during installation and
> generate the certificate in postinst.
I'll try.
>>And shouldn't the goal be to not use plaintext passwords anywhere?
>
>
> Yes, but the big commercial CAs have successfully stopped TLS from
> being widely accepted by making it to damn expensive.
I agree, but self-signed certificates are usable, right?
>>>Once server-side TLS is configured, just configure
>>
>>Hmm, I completely missed these two lines in plain_saslauthd:
>># # don't send system passwords over unencrypted connections
>># server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
>>
>>>auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
>>>to have AUTH only advertised and accepted on encrypted connections.
>>
>>Why is it only enabled for plain_saslauthd? That requires TLS too, right?
>
>
> I don't know. Please note the difference between
> server_advertise_condition and auth_advertise_hosts.
> auth_advertise_hosts need to be in main configuration.
Ah, thanks.
>
>>And why does that use server_advertise_condition instead of
>>auth_advertise_hosts?
>
>
> Because that seems to be something entirely different.
>
> Greetings
> Marc
>
--
Olaf van der Spek
http://xccu.sf.net/
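The two mechanisms discussed in the thread, pulled together into one exim4 configuration fragment. This is an added illustration, not a patch from the bug report and not the Debian package's own configuration: the certificate paths, the authenticator names and the use of saslauthd are assumptions chosen for the example. It shows the global setting (`auth_advertise_hosts`, which belongs in the main configuration and gates every authenticator) next to the per-authenticator setting (`server_advertise_condition`, which Olaf found only on plain_saslauthd), both keyed on `$tls_cipher`, which is empty until STARTTLS has completed on the session.

```exim
# --- main configuration section ---------------------------------------
# Offer STARTTLS to everyone. The certificate may be self-signed; clients
# that verify will warn, but the password on the wire is still encrypted.
# Paths are assumptions for this example.
tls_advertise_hosts = *
tls_certificate     = /etc/exim4/exim.crt
tls_privatekey      = /etc/exim4/exim.key

# Global gate: AUTH is advertised (and accepted) only when the session is
# already encrypted. $tls_cipher is empty on a cleartext session, so the
# expansion yields an empty host list (no hosts) in that case and "*"
# (all hosts) once TLS is up. This covers every authenticator at once.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

# The weak alternative, for contrast: this would advertise AUTH on
# cleartext sessions too, so PLAIN/LOGIN credentials could be sniffed.
# auth_advertise_hosts = *

begin authenticators

# --- server-side PLAIN, checked via saslauthd (assumed setup) ----------
plain_saslauthd:
  driver = plaintext
  public_name = PLAIN
  # PLAIN sends "\0user\0password"; Exim exposes the pieces as $1 $2 $3
  # (newer Exim versions also accept $auth1 $auth2 $auth3).
  server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
  server_set_id = $2
  server_prompts = :
  # Per-authenticator gate, equivalent in effect to the global line above
  # but scoped to this one mechanism: advertise PLAIN only over TLS.
  server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}

# --- server-side LOGIN, same back end (assumed setup) ------------------
login_saslauthd:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
  server_set_id = $1
  # Without this line (and without the global auth_advertise_hosts gate)
  # LOGIN would be offered on cleartext sessions, which is the gap the
  # thread asks about.
  server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
```

Either gate alone is sufficient; using `auth_advertise_hosts` in the main section is the simpler fix because it cannot be forgotten on a newly added authenticator, while `server_advertise_condition` lets you make an exception for a single mechanism (for example CRAM-MD5, which does not send the password in clear) without opening the others. To check the result, connect with `openssl s_client -starttls smtp -connect host:25` and confirm that `AUTH PLAIN LOGIN` appears in the EHLO response only after the TLS handshake, not on a plain `telnet host 25` session.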