Re: exim4 authentication in etch? - SUCCESS!
Chris Davies wrote:
This discussion makes me wonder about the iceape use of the
username/password combination. For iceape it is simple and easy to
enter the information yet for me the exim4 setup required a lot of
research which suggests possible security issues. First, is there a
security issue? I am only providing the username/password without TLS
when specifically addressing the verizon server and asking access to the
internet to send a message. To collect messages from my ISP I do not
need to do this. For example, the fetchmail setup required the ISP
username and password and then retrieved messages before I ever
configured exim4. In fact, I only tried to configure and use exim4
because I rather liked using fetchmail and mutt to read postings to the
debian-user list. As long as I am just reading the postings nothing
more needs to be done. It is only when I wish to reply to the list from
mutt that exim4 is required. If, instead, I abandon fetchmail and mutt
and use iceape to read and reply to postings I never need exim4 at all.
Thomas H. George <email@example.com> wrote:
|MAIN_TLS_ENABLE = true|
Chris Davies <firstname.lastname@example.org>:
What you've done there is to enable TLS (encryption), but then
immediately say that you're happy not to use encryption to protect
your username/password combination.
s. keeling <email@example.com> wrote:
So, the answer is to avoid providers who require this? Or is there
any alternative action he could employ?
Fair question. Re-reading the exim4 configuration code again, I can see
that MAIN_TLS_ENABLE is required. (Without it, it seems that none of
the certificate configuration settings is included.) I forgot to mention
this in my original suggestion because I've had it enabled for so long
I'm still puzzled why the OP needs the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
setting, which I also have mis-represented above. For correction, it
allows inbound client connections to one's own server to use passwords
without TLS encryption.
Should I worry about this?