Bug#403583: exim4: client TLS authentication is broken

Marc Haber mh+debian-packages at zugschlus.de
Thu Jan 11 16:01:18 CET 2007


tags #403583 - moreinfo unreproducible
tags #403583 confirmed
thanks

On Fri, Jan 05, 2007 at 10:10:36AM +0100, Marc Haber wrote:
> On Fri, Jan 05, 2007 at 01:19:39AM -0500, celejar wrote:
> > On 1/3/07, Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> > >* is a catchall, I have verified this in a test setup with a smarthost
> > >that had its reverse DNS deliberately broken.
> > >
> > >You only need to put the IP address in passwd.client if you have
> > >specified a host name with broken reverse DNS there as the hostname
> > >will only be compared to the reverse DNS.
> > 
> > Perhaps I'm missing something, but as I mentioned in my original
> > report, my passwd.client does have an '*' line and exim still often
> > fails to authenticate.
> 
> That is not supposed to happen. The "*" line should work.

After debugging in private, we found out that Google's smarthost
address changes so fast that the transport gets different IP addresses
when finding out the host to connect to and when resolving the name
again to find out whether to authenticate, and determines that it does
not need to authenticate.

Changing the hosts_try_auth clause of the remote_smtp_smarthost
transport to

  hosts_try_auth = ${if exists{CONFDIR/passwd.client} \
        { ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}} }\
        {} \
      }

seems to have solved the issue for the original poster and in my test
lab.

Thanks to Heiko Schlittermann for his help in figuring this out.

I'd like people to test whether this introduces any regression
before I commit to svn and upload.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
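
The failure described in this message and the effect of the proposed hosts_try_auth setting, as a simplified Python model added here for illustration; it is not code from Exim or the Debian package. The host name, addresses, passwd.client entry and all function names are constructed, and nwildlsearch is reduced to literal, leading-"*" and "^" regex keys.

```python
import itertools
import re

# Constructed sample data: a smarthost whose A record changes on every query.
SMARTHOST = "smtp.example.net"
ROTATING_A = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
PASSWD_CLIENT = "# constructed entry\n*.example.net:alice:not-a-real-password\n"

def make_resolver(addresses):
    """Return a resolver that hands out the next address on each query."""
    pool = itertools.cycle(addresses)
    return lambda name: next(pool)

def nwildlsearch(key, text):
    """Simplified nwildlsearch: first matching key wins (literal, '*' suffix, '^' regex)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, data = line.partition(":")
        if pattern.startswith("^"):
            hit = re.search(pattern, key, re.IGNORECASE) is not None
        elif pattern.startswith("*"):
            hit = key.lower().endswith(pattern[1:].lower())
        else:
            hit = key.lower() == pattern.lower()
        if hit:
            return data
    return None

def auth_by_second_lookup(host, host_address, resolve):
    """Failure mode from the mail: resolve the name again, then compare."""
    return resolve(host) == host_address

def auth_by_name(host, host_address, passwd_client):
    """Proposed setting: a hit on $host yields $host_address as the list."""
    found = nwildlsearch(host, passwd_client) is not None
    hosts_try_auth = host_address if found else ""
    return hosts_try_auth == host_address

def simulate(rounds=6):
    """Return (second_lookup, by_name) authentication decisions per delivery."""
    resolve = make_resolver(ROTATING_A)
    results = []
    for _ in range(rounds):
        host_address = resolve(SMARTHOST)  # address used for the connection
        results.append((auth_by_second_lookup(SMARTHOST, host_address, resolve),
                        auth_by_name(SMARTHOST, host_address, PASSWD_CLIENT)))
    return results
```

Calling simulate() shows the second-lookup check declining to authenticate on every delivery while the name-based lookup always authenticates; a host with no passwd.client entry still yields an empty list.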



