Bug#283573: exim4: Server-side AUTH: require TLS

Andreas Metzler <ametzler@downhill.at.eu.org>, 283573@bugs.debian.org
Tue, 30 Nov 2004 18:02:12 +0100


On 2004-11-30 Olaf van der Spek <OvdSpek@LIACS.NL> wrote:
> Marc Haber wrote:
> >On Sun, Nov 28, 2004 at 11:28:29AM +0100, Olaf van der Spek wrote:
[...]
>> Configuring the server-side entries is not so easy since you need a
>> certificate for that.

> True, but TLS is quite easy to set up.

If you are not going for a self-signed certificate, it is not, and
afaik for an SMTP server self-signed is not good enough as there are
picky clients.

[...]
> Hmm, I completely missed these two lines in plain_saslauthd:
> #   # don't send system passwords over unencrypted connections
> #   server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
>> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
>> to have AUTH only advertised and accepted on encrypted connections.

> Why is it only enabled for plain_saslauthd?

Because the plain_saslauthd examples (might) use the regular system
passwords, which are usually a lot more valuable than SMTP-only
passwords.

> That requires TLS too, right?

> And why does that use server_advertise_condition instead of 
> auth_advertise_hosts?

Because it is better suited for the purpose (do not advertise a
specific AUTH method without TLS).
               cu andreas
-- 
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
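The whole point of the `server_advertise_condition` / `auth_advertise_hosts` settings discussed above is that a server must not offer AUTH until the session is encrypted. The script below is an added example (not part of this bug report or of the exim4 packaging) that checks the observable effect: it parses the EHLO reply a server gives before and after STARTTLS and reports whether AUTH is advertised in the clear. The sample EHLO replies and the `mail.example.test` hostname are constructed for illustration; `audit_live()` uses Python's standard `smtplib` against a host you name.

```python
"""Check whether an SMTP server advertises AUTH before STARTTLS.

Added example, not exim4 project code. The EHLO replies below are
constructed samples; audit_live() talks to a real server with smtplib.
"""
import re
import smtplib
import ssl
from typing import Dict, List, Optional

# Constructed sample: AUTH offered on the plaintext connection (the
# behaviour the exim4 advertise conditions are meant to prevent).
EHLO_WEAK_CLEAR = (b"250-mail.example.test Hello client\r\n"
                   b"250-SIZE 52428800\r\n"
                   b"250-AUTH PLAIN LOGIN\r\n"
                   b"250-STARTTLS\r\n"
                   b"250 HELP")

# Constructed sample: AUTH only appears after STARTTLS, as with
# server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}.
EHLO_GOOD_CLEAR = (b"250-mail.example.test Hello client\r\n"
                   b"250-SIZE 52428800\r\n"
                   b"250-STARTTLS\r\n"
                   b"250 HELP")
EHLO_GOOD_TLS = (b"250-mail.example.test Hello client\r\n"
                 b"250-SIZE 52428800\r\n"
                 b"250-AUTH PLAIN LOGIN\r\n"
                 b"250 HELP")


def parse_ehlo(reply: bytes) -> Dict[str, str]:
    """Map EHLO extension keywords to their parameters.

    Accepts either raw wire lines ("250-AUTH PLAIN") or the stripped
    form smtplib.ehlo() returns ("AUTH PLAIN"); the first line is the
    server greeting and is skipped.
    """
    features: Dict[str, str] = {}
    lines = reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:
        line = re.sub(r"^250[ -]", "", line.strip())
        parts = line.split(None, 1)
        if not parts:
            continue
        features[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return features


def audit_ehlo(clear_reply: bytes, tls_reply: Optional[bytes] = None) -> List[str]:
    """Return findings; an empty list means AUTH is only offered under TLS."""
    findings: List[str] = []
    clear = parse_ehlo(clear_reply)
    if "AUTH" in clear:
        findings.append(f"AUTH advertised before STARTTLS: {clear['AUTH']}")
    if "STARTTLS" not in clear:
        findings.append("STARTTLS not offered")
    if tls_reply is not None and "AUTH" not in parse_ehlo(tls_reply):
        findings.append("AUTH not advertised even after STARTTLS")
    return findings


def audit_live(host: str, port: int = 25, timeout: float = 10.0) -> List[str]:
    """Run the same audit against a real server (hostname is your choice)."""
    ctx = ssl.create_default_context()  # rejects self-signed certs, like picky clients
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        code, clear_msg = conn.ehlo()
        if code != 250:
            return [f"EHLO rejected with {code}"]
        tls_msg = None
        if conn.has_extn("starttls"):
            conn.starttls(context=ctx)
            code, tls_msg = conn.ehlo()  # must re-EHLO after STARTTLS
        return audit_ehlo(clear_msg, tls_msg)


if __name__ == "__main__":
    print("weak:", audit_ehlo(EHLO_WEAK_CLEAR, EHLO_GOOD_TLS))
    print("good:", audit_ehlo(EHLO_GOOD_CLEAR, EHLO_GOOD_TLS))
```

`audit_live()` uses a default SSL context, so a self-signed certificate makes `starttls()` raise a verification error; that is the "picky clients" behaviour mentioned above, and relaxing it is a choice for test runs only, not something to hide in the audit.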