Bug#403583: exim4: client TLS authentication is broken

Marc Haber mh+debian-packages at zugschlus.de
Wed Jan 3 19:02:49 CET 2007


On Sun, Dec 24, 2006 at 09:17:49AM -0500, Celejar wrote:
> Thanks very much for clearing this up. The documentation [exim4-config_files(5)] currently reads:
> 
> > server with the canonical host name target.mail.server.example. Many
> > ISPs provide only an alias name of their SMTP smarthost. You need to
> > check the canonical name by yourself manually by querying the DNS,
> > for example by using the host command.  If the SMTP smarthost alias
> > expands to multiple IPs, you probably need to have multiple lines or a
> > wild card in the target.mail.server.example field, and when your ISP
> > changes the alias, you will need to manually fix that. This is
> > currently not possible any better, see #244724. A host name value of *
> > will divulge the password to any SMTP server asking for it. This is
> > generally fine if you only have one SMTP server configured.
> 
> This clearly states that a line beginning with '*' is a catchall; this
> needs to be modified to warn about the foregoing exception, that exim
> won't authenticate if reverse dns fails unless the smarthost's IP
> address(es) is (are) explicitly given in passwd.client.

* is a catchall, I have verified this in a test setup with a smarthost
that had its reverse DNS deliberately broken.

You only need to put the IP address in passwd.client if you have
specified a host name with broken reverse DNS there as the hostname
will only be compared to the reverse DNS.

The manpage in question now reads:
       Please note that target.mail.server.example is currently the value that
       exim can read from reverse DNS: It first follows the host name of the
       target system until it finds an IP address, and then looks up the
       reverse DNS for that IP address to use the outcome of this query (or
       the IP address itself should the query fail) as index into
       /etc/exim4/passwd.client.

       This goes inevitably wrong if the host name of the mail server is a
       CNAME (a DNS alias), or the reverse lookup does not fit the forward
       one.

       Currently, you need to manually look up all reverse DNS names for all IP
       addresses that your SMTP server host name points to, for example by
       using the host command. If the SMTP smarthost alias expands to multiple
       IPs, you need to have multiple lines for all the hosts. When your
       ISP changes the alias, you will need to manually fix that.

       You may minimize this trouble by using a wild card entry or regular
       expressions, thus reducing the risk of divulging the password to the
       wrong SMTP server while reducing the number of necessary lines. For a
       deeper discussion, see the Debian BTS #244724.

I hope this is more clear. If not, please suggest a different wording.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
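The lookup the manpage describes, as an added Python example that is not part of the exim4 package or of this thread: the DNS records and passwd.client lines are constructed, and the wildcard handling is a simplified approximation of exim's nwildlsearch, not its real implementation.

```python
import fnmatch
import re

# Constructed DNS data (not real hosts): the ISP's advertised smarthost
# name is a CNAME to a canonical host whose PTR name differs from both,
# and a second host has no PTR record at all.
FORWARD = {                      # name -> ("CNAME", target) or ("A", ip)
    "smtp.isp.example": ("CNAME", "mx1.isp.example"),
    "mx1.isp.example": ("A", "192.0.2.25"),
    "broken-rdns.example": ("A", "192.0.2.99"),
}
REVERSE = {                      # ip -> PTR name; 192.0.2.99 has none
    "192.0.2.25": "mailout-a.net.isp.example",
}


def smarthost_key(hostname, forward=FORWARD, reverse=REVERSE):
    """Follow the host name until an address is reached, then use its
    PTR name (or the bare IP when the reverse lookup fails) as the
    index into passwd.client, as the manpage text describes."""
    name = hostname
    for _ in range(8):           # bound CNAME chasing like a resolver does
        rtype, value = forward[name]
        if rtype == "A":
            return reverse.get(value, value)
        name = value
    raise ValueError("CNAME chain too long for %s" % hostname)


def find_credentials(key, passwd_client):
    """Match the key against passwd.client lines (host:login:password).
    Assumed rules: '^...' keys are regexes, keys containing '*' are
    shell-style globs, anything else must match exactly (case-insensitive).
    Returns (login, password) of the first matching line, else None."""
    for line in passwd_client.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, login, password = line.split(":", 2)
        if host.startswith("^"):
            matched = re.search(host, key, re.IGNORECASE) is not None
        elif "*" in host:
            matched = fnmatch.fnmatch(key.lower(), host.lower())
        else:
            matched = host.lower() == key.lower()
        if matched:
            return (login, password)
    return None
```

A line keyed by the alias `smtp.isp.example` never matches, because the key exim derives is the PTR name `mailout-a.net.isp.example`; for the host without reverse DNS the key is the bare IP, which is why only an IP line (or a wildcard) will match it.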