
Re: exim and relaying -- for ONE user



Derrick 'dman' Hudson wrote:
> On Thu, Jan 30, 2003 at 10:59:46AM +0100, Hendrik Sattler wrote:
> | Derrick 'dman' Hudson wrote:
> | 
> | > Note, however, that AUTH PLAIN isn't very secure.  You should only
> | > allow it if the client has first initiated a TLS connection.  That
> | > requires first setting up TLS.  I don't know if exim 3 can restrict it
> | > to a TLS session only, or how to do it.  Either read the docs or
> | > upgrade to exim 4 (I know how to check that in exim4).
> | 
> | Exim3 can restrict it like exim4.
> 
> That's good.  What's the conf setting to achieve that?

http://www.exim.org/exim-html-3.30/doc/html/spec_11.html#IDX636
In short:
        auth_over_tls_hosts = *

ACL handling in exim4 might be better, but the above works:
$ telnet abc 26
Trying 129.13.114.79...
Connected to abc.
Escape character is '^]'.
220 abc ESMTP Exim 3.35 #1 Thu, 30 Jan 2003 20:19:43 +0100
ehlo test
250-abc Hello xyz [xxx.xxx.xxx.xxx]
250-SIZE
250-PIPELINING
250-STARTTLS
250 HELP
AUTH
503 STARTTLS required before AUTH

 
> | You forgot the LOGIN method that is needed by some clients.
> 
> I did leave it out.  The configuration side is basically the same as
> for PLAIN.  Some docs I read said LOGIN was never actually
> standardized, so I thought it was a good idea not to use it.  IIRC old
> netscape and old lookout only handle LOGIN, and one (or both) of those
> won't recognize it unless the server incorrectly advertises it.

Well, putting it into the config doesn't hurt, either.

> | CRAM-MD5 should not be needed as TLS should really be secure enough,
> | isn't it? ;)
> 
> Depends on whether you want to use TLS or not.

Well, TLS/SSL is way more common than CRAM-MD5. Additionally, CRAM-MD5 does 
not work with PAM.
 
HS
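
An added example, not part of the original message: a Python check that applies the test from the telnet session above to captured replies. It parses a pre-STARTTLS EHLO reply, flags AUTH being advertised (including the legacy AUTH=LOGIN form that old clients expect) and flags a 334/235 answer to an AUTH command. The function names and the BAD sample are constructed for illustration.

```python
import re

# Mechanisms that send the password merely base64-encoded.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    caps = {}
    lines = [l.rstrip() for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = re.match(r"^250[ -](.*)$", line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        if i == 0:
            continue  # first line is the greeting, not an extension
        text = m.group(1)
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]  # legacy form for old clients
        words = text.upper().split()
        if words:
            caps.setdefault(words[0], []).extend(words[1:])
    return caps

def audit_pre_tls(ehlo_reply, auth_reply=None):
    """Findings for a session that has not yet issued STARTTLS."""
    caps = parse_ehlo(ehlo_reply)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if "AUTH" in caps:
        weak = sorted(PLAINTEXT_MECHS & set(caps["AUTH"]))
        findings.append("AUTH advertised before TLS: " + ",".join(weak or caps["AUTH"]))
    # 334 = server continues the AUTH exchange, 235 = authentication succeeded
    if auth_reply and auth_reply[:3] in ("334", "235"):
        findings.append("AUTH accepted before TLS: " + auth_reply[:3])
    return findings

# Constructed samples: GOOD mirrors the session in the message above,
# BAD is a hypothetical server offering plaintext AUTH without TLS.
GOOD = "250-abc Hello xyz\n250-SIZE\n250-PIPELINING\n250-STARTTLS\n250 HELP\n"
BAD = "250-mx Hello test\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250-AUTH=LOGIN\n250 HELP\n"

if __name__ == "__main__":
    print(audit_pre_tls(GOOD, "503 STARTTLS required before AUTH"))
    print(audit_pre_tls(BAD, "334 VXNlcm5hbWU6"))
```

An empty list means the server behaves like the one in the session above: no AUTH before STARTTLS.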


