Bug#244724: exim4: passwd.client is better to use wildlsearch and
documentation updates
Osamu Aoki
osamu at debian.org
Fri Nov 3 15:19:55 CET 2006
Package: exim4
Version: 4.63-8
Followup-For: Bug #244724
My ISP put back AUTH for SMTP so I hit this bug again :-)
It took me a while to realize the configuration needs to use canonical
name or just *. I think Debian provided configuration is better to use
wildlsearch than plain lsearch to enable wildcard in the hostname field
here.
Also, since I can not call the current /etc/exim4/passwd.client
explanation as verbose and it may be overlooked if it was user modified,
I updated README.Debian to point to the manpage which is not so easy to
find for novice:
$ man -k passwd.client
exim4_passwd_client (5) - Files in use by the Debian exim4 packages
The conclusion is here as attached patch.
If this patch is not applied, the user who is seeking solution can
modify their /etc/exim4/* contents as these changes and should be fine
since these are conffiles.
-- Package-specific info:
Exim version 4.63 #1 built 23-Oct-2006 19:07:51
Versions of packages exim4 depends on:
ii debconf [debconf-2.0] 1.5.8 Debian configuration management sy
ii exim4-base 4.63-8 support files for all exim MTA (v4
ii exim4-daemon-light 4.63-8 lightweight exim MTA (v4) daemon
exim4 recommends no packages.
--
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +++++
Osamu Aoki <osamu at debian.org> Yokohama Japan, GPG-key: A8061F32
.''`. Debian Reference: post-installation user's guide for non-developers
: :' : http://qref.sf.net and http://people.debian.org/~osamu
`. `' "Our Priorities are Our Users and Free Software" --- Social Contract
-------------- next part --------------
diff -Nru exim4-4.63-orig/debian/debconf/conf.d/auth/30_exim4-config_examples exim4-4.63/debian/debconf/conf.d/auth/30_exim4-config_examples
--- exim4-4.63-orig/debian/debconf/conf.d/auth/30_exim4-config_examples 2006-11-03 21:18:55.000000000 +0900
+++ exim4-4.63/debian/debconf/conf.d/auth/30_exim4-config_examples 2006-11-03 21:43:26.000000000 +0900
@@ -48,7 +48,7 @@
# driver = plaintext
# public_name = LOGIN
# server_prompts = "Username:: : Password::"
-# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}wildlsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
# server_set_id = $auth1
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
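Review bot: The lookup changed in server_condition is keyed on $auth1 against CONFDIR/passwd, which is the server-side user table, not the passwd.client host table this bug is about. With wildlsearch the keys in that file are treated as patterns, so a key beginning with * or ^ would match many submitted usernames against one crypted password. Unless pattern matching on usernames is intended, keep lsearch in this commented example and limit the change to the $host lookups.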
@@ -57,7 +57,7 @@
# cram_md5_server:
# driver = cram_md5
# public_name = CRAM-MD5
-# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
+# server_secret = ${extract{2}{:}{${lookup{$auth1}wildlsearch{CONFDIR/passwd}{$value}fail}}}
# server_set_id = $auth1
# Here is an example of CRAM-MD5 authentication against PostgreSQL:
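Review bot: Same concern for server_secret in cram_md5_server: the key is the client-supplied $auth1, and a pattern key in CONFDIR/passwd would supply one CRAM-MD5 secret for every username it matches. The hostname wildcard rationale does not apply to this line, so I would drop this hunk and leave lsearch.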
@@ -214,8 +214,8 @@
cram_md5:
driver = cram_md5
public_name = CRAM-MD5
- client_name = ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
- client_secret = ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
+ client_name = ${extract{1}{:}{${lookup{$host}wildlsearch*{CONFDIR/passwd.client}{$value}fail}}}
+ client_secret = ${extract{2}{:}{${lookup{$host}wildlsearch*{CONFDIR/passwd.client}{$value}fail}}}
plain:
driver = plaintext
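Review bot: In client_name and client_secret the trailing * of lsearch* is carried over to wildlsearch*, but a * line in passwd.client no longer behaves the same way. Under lsearch* that line is a default used only when no exact key matches; under wildlsearch a bare * key is itself a pattern and matches at its position in the linear scan, so an existing file with the * line above a specific host entry would start sending the catch-all credentials to that host. Either drop the * suffix and document that the catch-all must be the last line, or call this out in the upgrade notes.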
@@ -223,12 +223,12 @@
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
client_send = "${if !eq{$tls_cipher}{}{\
^${extract{1}{::}\
- {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
+ {${lookup{$host}wildlsearch*{CONFDIR/passwd.client}{$value}fail}}}\
^${extract{2}{::}\
- {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
+ {${lookup{$host}wildlsearch*{CONFDIR/passwd.client}{$value}fail}}}\
}fail}"
.else
- client_send = "^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
+ client_send = "^${extract{1}{::}{${lookup{$host}wildlsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}wildlsearch*{CONFDIR/passwd.client}{$value}fail}}}"
.endif
login:
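Review bot: The .else branch (AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS set) builds client_send without testing $tls_cipher, and after this change the set of $host values that receive the login is decided by a pattern rather than an exact name. Please add a comment above that client_send saying that a wildcard key in passwd.client widens which servers are sent the cleartext password.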
@@ -240,26 +240,26 @@
client_send = "${if and{\
{!eq{$tls_cipher}{}}\
{!eq\
- {${lookup{$host}lsearch*{CONFDIR/passwd.client}\
+ {${lookup{$host}wildlsearch*{CONFDIR/passwd.client}\
{$value}fail}}\
{}}\
}\
{}fail}\
: ${extract{1}{::}\
- {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \
+ {${lookup{$host}wildlsearch*{CONFDIR/passwd.client}{$value}fail}}} \
: ${extract{2}{::}\
- {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
+ {${lookup{$host}wildlsearch*{CONFDIR/passwd.client}{$value}fail}}}"
.else
# Return empty string if looking up $host in passwd-file yields a
# non-empty string; fail otherwise.
client_send = "${if !eq\
{${lookup\
- {$host}lsearch*{CONFDIR/passwd.client}\
+ {$host}wildlsearch*{CONFDIR/passwd.client}\
{$value}fail}}\
{}\
{}fail}\
: ${extract{1}{::}\
- {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \
+ {${lookup{$host}wildlsearch*{CONFDIR/passwd.client}{$value}fail}}} \
: ${extract{2}{::}\
- {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
+ {${lookup{$host}wildlsearch*{CONFDIR/passwd.client}{$value}fail}}}"
.endif
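Review bot: Each client_send in the login authenticator now runs the same wildlsearch* lookup three times, and wildlsearch string-expands every key in passwd.client before matching. Hostname patterns do not need expansion, so nwildlsearch* (if this Exim version provides it) would give the wildcard behaviour without expanding file contents; please consider it for all the $host lookups in this patch.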
diff -Nru exim4-4.63-orig/debian/manpages/exim4-config_files.5 exim4-4.63/debian/manpages/exim4-config_files.5
--- exim4-4.63-orig/debian/manpages/exim4-config_files.5 2006-11-03 21:18:55.000000000 +0900
+++ exim4-4.63/debian/manpages/exim4-config_files.5 2006-11-03 23:18:33.000000000 +0900
@@ -219,12 +219,24 @@
Many ISPs provide only an alias name of their SMTP smarthost. You need
to check the canonical name by yourself manually by querying the DNS,
for example by using the host command. If the SMTP smarthost alias
-expands to multiple IPs, you probably need to have multiple lines or a
-wild card in the target.mail.server.example field, and when your ISP
-changes the alias, you will need to manually fix that. This is
-currently not possibly any better, see #244724. A host name value of *
-will divulge the password to any SMTP server asking for it. This is
-generally fine if you only have one SMTP server configured.
+expands to multiple IPs, you need to have multiple lines for all
+the hosts. When your ISP changes the alias, you will need to manually
+fix that.
+
+You may minimize this trouble by using a wild card entry. For example,
+if the SMTP smarthost alias expands to multiple IPs with canonical
+names, e.g., x01.mail.server.example, y02.mail.server.example,
+and z03.mail.server.example, you place a wild card entry
+
+.br
+*.mail.server.example:login-user-name:password
+
+This matches any hostnames which end with .mail.server.example
+using the wildlearch mechanism described in spec.txt.gz.
+
+This minimizes the risk of divulging the password to the wrong SMTP server
+while reducing entry lines. This trick is generally fine if you only have
+one SMTP server configured. See Debian BTS #244724.
password is your SMTP password in clear text. If you do not know about
your SMTP password, you can try using your POP3 password as a first
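Review bot: The removed sentence "A host name value of * will divulge the password to any SMTP server asking for it" has no replacement in the added text, so the man page no longer warns about the bare * entry at all; please keep that warning next to the new wildcard paragraph. The added text also misspells the lookup as "wildlearch" (should be wildlsearch), and "This trick is generally fine if you only have one SMTP server configured" now reads as applying to *.mail.server.example, where the caveat that matters is that the pattern matches any host name ending in that suffix.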
diff -Nru exim4-4.63-orig/debian/README.Debian.xml exim4-4.63/debian/README.Debian.xml
--- exim4-4.63-orig/debian/README.Debian.xml 2006-11-03 21:18:55.000000000 +0900
+++ exim4-4.63/debian/README.Debian.xml 2006-11-03 22:37:58.000000000 +0900
@@ -1128,8 +1128,9 @@
If you want to set up exim as SMTP AUTH client for delivery
to your internet access provider's smarthost put the name of
the server, your login and password in
- <filename>/etc/exim4/passwd.client</filename>. That file also
- contains verbose information about the required format.
+ <filename>/etc/exim4/passwd.client</filename>.
+ See manpage exim4-config_files (5) for information about the
+ required format.
</para>
<para>
If you need to enable AUTH PLAIN or AUTH LOGIN for unencrypted
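Review bot: The new reference "See manpage exim4-config_files (5)" is plain text with a space before the section number, while the line above it uses <filename> markup. Please write it as exim4-config_files(5) in whatever man page reference markup README.Debian.xml already uses, and consider mentioning that man -k passwd.client lists it as exim4_passwd_client (5), since that is the name a user searching for it will see.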
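The lookup change this report proposes, as an added example that is not part of the original message or of the exim4 packaging: a simplified Python model of which passwd.client line lsearch* and wildlsearch select for a given $host. The sample file contents and all function names are constructed for illustration; string expansion of keys and key quoting are not modelled.

```python
import re

# Constructed sample passwd.client (key:login:password); not from the report.
SAMPLE = """\
*:fallback-user:fallback-pw
smtp.isp.example:exact-user:exact-pw
*.mail.server.example:isp-user:isp-pw
"""

def entries(text):
    """Yield (key, login) for each non-comment passwd.client line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, login, _password = line.split(":", 2)
            yield key, login

def lsearch_star(text, host):
    """lsearch*: exact case-insensitive key match anywhere in the file;
    only if that fails is the literal key '*' looked up as a default."""
    for wanted in (host.lower(), "*"):
        for key, login in entries(text):
            if key.lower() == wanted:
                return login
    return None

def wildlsearch(text, host):
    """wildlsearch: linear scan, first key pattern that matches wins.
    Leading '*' means 'ends with', leading '^' means regular expression."""
    for key, login in entries(text):
        if key.startswith("^"):
            hit = re.search(key, host, re.IGNORECASE) is not None
        elif key.startswith("*"):
            hit = host.lower().endswith(key[1:].lower())
        else:
            hit = key.lower() == host.lower()
        if hit:
            return login
    return None

def catch_all_last(text):
    """Return the file with any bare '*' line moved to the end."""
    lines = text.splitlines()
    star = [l for l in lines if l.split(":", 1)[0].strip() == "*"]
    rest = [l for l in lines if l not in star]
    return "\n".join(rest + star) + "\n"

if __name__ == "__main__":
    for name, text in (("as written", SAMPLE), ("catch-all last", catch_all_last(SAMPLE))):
        for host in ("smtp.isp.example", "x01.mail.server.example", "mx.other.example"):
            print(name, host, lsearch_star(text, host), wildlsearch(text, host))
```

With the sample as written, the bare * line shadows the exact smtp.isp.example entry under wildlsearch; moving it to the end restores the intended credentials per host.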