Bug#403583: exim4: client TLS authentication is broken

Celejar celejar at gmail.com
Sun Dec 24 14:17:49 UTC 2006


On Sun, 24 Dec 2006 12:14:59 +0100
Marc Haber <mh+debian-packages at zugschlus.de> wrote:

> On Sat, Dec 23, 2006 at 11:41:05PM -0500, Celejar wrote:
> > gmail-smtp.l.google.com [64.233.185.109]:587 status = usable
> > 64.233.185.109 in serialize_hosts? no (option unset)
> > delivering 1GyKob-0000n7-56 to gmail-smtp.l.google.com [64.233.185.109] (xxxxxxxx at gmail.com)
> > set_process_info:  3052 delivering 1GyKob-0000n7-56 to gmail-smtp.l.google.com [64.233.185.109] (xxxxxxxx at gmail.com)
> > Connecting to gmail-smtp.l.google.com [64.233.185.109]:587 ... connected
> 
> We are connected to gmail-smtp.l.google.com, 64.233.185.109.
> 
> > 64.233.185.109 in hosts_require_auth? no (option unset)
> > gethostbyname2(af=inet6) returned 3 (NO_RECOVERY)
> > gethostbyname2 looked up these IP addresses:
> >   name=gmail-smtp.l.google.com address=72.14.247.109
> > 64.233.185.109 in hosts_try_auth? no (end of list)
> 
> 64.233.185.109 has no reverse DNS, Goof on Google's side. exim thus
> looks up the IP address in the passwd.client file, and since it does
> not find an entry, it does not try to authenticate.
> 
> This is a new variant of the #244724 issue mentioned in
> exim4-config_files(5).
> 
> You need to have the IP addresses of the google smtp servers in your
> passwd.client as well.
> 
> Greetings
> Marc

Thanks very much for clearing this up. The documentation [exim4-config_files(5)] currently reads:

> server with the canonical host name target.mail.server.example. Many ISPs provide only an
> alias name of their SMTP smarthost. You need to check the canonical name by yourself manually
> by querying the DNS, for example by using the host command. If the SMTP smarthost alias
> expands to multiple IPs, you probably need to have multiple lines or a wild card in the
> target.mail.server.example field, and when your ISP changes the alias, you will need to
> manually fix that. This is currently not possible any better, see #244724. A host name
> value of * will divulge the password to any SMTP server asking for it. This is generally
> fine if you only have one SMTP server configured.

This clearly states that a line beginning with '*' is a catchall; this needs to be modified to warn about the foregoing exception, that exim won't authenticate if reverse DNS fails unless the smarthost's IP address(es) is (are) explicitly given in passwd.client.

Celejar
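The man page excerpt and Marc's reply above both say the same thing: resolve the smarthost alias yourself and put the canonical name and every address it expands to into passwd.client. The following is an added example, not code from this thread or from the exim4 package: a small POSIX sh helper that turns the output of the host command into passwd.client lines, one for the canonical name and one per A record. The alias smtp.isp.example, the addresses 192.0.2.10 and 192.0.2.11 and the credentials are constructed for the example; the sample host output is embedded so it runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report or the exim4 package).
# passwd.client format, per exim4-config_files(5):
#   target.mail.server.example:login:password
# Because the smarthost alias can expand to several addresses, and exim may
# fail to match the name against the address it actually connected to, we
# emit one line for the canonical name and one line per A record.

# Read `host <smarthost>` output on stdin, print passwd.client lines.
# $1: login, $2: password. Credentials are handed to awk through the
# environment rather than -v, so backslashes in a password are not mangled.
passwd_client_lines() {
    LOGIN="$1" PASSWORD="$2" awk '
        BEGIN { login = ENVIRON["LOGIN"]; password = ENVIRON["PASSWORD"] }
        # "alias is an alias for canonical." -> canonical name, trailing dot removed
        /is an alias for/ { canon = $NF; sub(/\.$/, "", canon); print canon ":" login ":" password }
        # "name has address A.B.C.D" -> one entry per IPv4 address
        # ("has IPv6 address" lines are deliberately skipped)
        / has address /   { print $NF ":" login ":" password }
    '
}

# Constructed sample of `host smtp.isp.example` output (not a live query);
# the alias and addresses are made up for this example.
SAMPLE='smtp.isp.example is an alias for target.mail.server.example.
target.mail.server.example has address 192.0.2.10
target.mail.server.example has address 192.0.2.11'

# Run the converter over the constructed sample.
generate() {
    printf '%s\n' "$SAMPLE" | passwd_client_lines "$@"
}

# Stand-alone run: prints three passwd.client lines.
generate me@example.com s3cret
```

On a live system the pipeline is `host smtp.isp.example | passwd_client_lines login password >> /etc/exim4/passwd.client` (alias and credentials being your own). The file holds a cleartext password, so keep it readable only by root and the exim user, and re-run the check when the ISP changes the alias, since, as the man page says, exim cannot currently follow that change for you.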
