Bug#1037127: exim4-config: Example Dovecot authenticator for Exim allows plaintext non TLS AUTH by default

Dominic Preston lzqhwo at gmail.com
Mon Jun 5 15:08:22 BST 2023


Package: exim4-config
Version: 4.94.2-7
Severity: normal
X-Debbugs-Cc: lzqhwo at gmail.com

In Debian unstable exim4.conf.template, the example authenticator for
Dovecot, dovecot_plain_server, does not enforce TLS security for plaintext
authentication by default.

The Exim config should be changed to only advertise AUTH if the connection
is encrypted, in line with the other plain text authenticators, by adding
the final three lines below:

# dovecot_plain_server:
#   driver = dovecot
#   public_name = PLAIN
#   server_socket = /var/spool/exim4/dovecot.auth-client
#   server_set_id = $auth1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
#   .endif
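Added example (not part of the bug report or the exim4-config package): a small lint that parses the "authenticators" section of an expanded Exim configuration and flags any PLAIN or LOGIN authenticator whose server_advertise_condition does not test $tls_in_cipher, then applies the three-line fix proposed above. The sample configuration below is constructed for the example, the parser is a simplified heuristic (it ignores .ifdef/.ifndef/.endif lines and Exim's "hide"/continuation syntax), and the function names are the author's own, not Exim's.

```python
import re
from typing import Dict, List

# Constructed sample: an "authenticators" section of an expanded Exim config.
# dovecot_plain_server mirrors the weak template block from the bug report;
# plain_server carries the TLS-only advertise condition the report asks for.
SAMPLE_CONFIG = """\
begin authenticators

dovecot_plain_server:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/spool/exim4/dovecot.auth-client
  server_set_id = $auth1

plain_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if eq{$auth3}{constructed-placeholder}{yes}{no}}
  server_set_id = $auth2
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  .endif

cram_md5_server:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = constructed-placeholder
"""

# SASL mechanisms that transmit the password itself, so they must only be
# offered once the session is encrypted.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}

# The three lines the bug report proposes appending to dovecot_plain_server.
FIX_LINES = [
    "  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS",
    "  server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}",
    "  .endif",
]

AUTH_NAME_RE = re.compile(r"^([A-Za-z0-9_]+):$")


def parse_authenticators(config: str) -> Dict[str, Dict[str, str]]:
    """Return {authenticator_name: {option: value}} for the authenticators section."""
    auths: Dict[str, Dict[str, str]] = {}
    current = None
    in_section = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("begin "):
            in_section = line.split(None, 1)[1].strip() == "authenticators"
            current = None
            continue
        if not in_section or line.startswith("."):
            # Skip other sections and preprocessor lines (.ifndef/.endif/...);
            # the lint looks at the option as it would be compiled in.
            continue
        m = AUTH_NAME_RE.match(line)
        if m:
            current = m.group(1)
            auths[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            auths[current][key.strip()] = value.strip()
    return auths


def advertises_only_over_tls(options: Dict[str, str]) -> bool:
    """True if the advertise condition depends on a TLS cipher being negotiated."""
    cond = options.get("server_advertise_condition", "")
    # $tls_cipher is the older alias of $tls_in_cipher and still expands.
    return "$tls_in_cipher" in cond or "$tls_cipher" in cond


def find_cleartext_auth_without_tls(config: str) -> List[str]:
    """Names of PLAIN/LOGIN authenticators advertised regardless of TLS."""
    return [
        name
        for name, opts in parse_authenticators(config).items()
        if opts.get("public_name", "").upper() in PASSWORD_MECHS
        and not advertises_only_over_tls(opts)
    ]


def add_tls_advertise_condition(config: str, auth_name: str) -> str:
    """Append FIX_LINES to the named authenticator block, returning the new config."""
    out: List[str] = []
    inside = False
    for raw in config.splitlines():
        stripped = raw.strip()
        block_ends = stripped == "" or AUTH_NAME_RE.match(stripped) or stripped.startswith("begin ")
        if inside and block_ends:
            out.extend(FIX_LINES)
            inside = False
        if stripped == f"{auth_name}:":
            inside = True
        out.append(raw)
    if inside:  # block ran to end of file
        out.extend(FIX_LINES)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    weak = find_cleartext_auth_without_tls(SAMPLE_CONFIG)
    print("advertised without TLS:", weak)
    fixed = SAMPLE_CONFIG
    for name in weak:
        fixed = add_tls_advertise_condition(fixed, name)
    print("after fix:", find_cleartext_auth_without_tls(fixed))
```

The lint reports dovecot_plain_server on the sample and nothing once the fix is applied; the fix leaves the AUTH_SERVER_ALLOW_NOTLS_PASSWORDS macro as the documented opt-out, exactly as the template's other password authenticators do. Run it against the output of `exim4 -bP config` rather than the raw template so that macro and .ifndef handling has already happened.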
