
Re: default MTA



On Sat, 1 Jun 2013 15:06:40 -0400, Chris Knadle
<Chris.Knadle@coredump.us> wrote:
>I can understand why one would want this, but I can also understand why it 
>hasn't been done.  Without first setting up TLS, this would involve passing a 
>username/password over the 'net in the clear, which is something I try hard to 
>never ever have happen.  This is especially something you don't want to do if 
>it's your own personal email login, which is a likely use case for this 
>proposed debconf code.  :-/

Exim's default in the packages is not to send authentication data over
a non-encrypted connection. The debconf code could try to check
whether the smarthost allows TLS, and if not, query the user whether
it is ok to send the password over a non-encrypted connection.

>   In this example, the FQDN of the local machine is orac.example.com
>   and the smarthost machine is smtp.example.com
>
>   Create new file /etc/exim4/exim4.conf.localmacros containing:
>
>       MAIN_TLS_ENABLE = true
>       primary_hostname = orac.example.com

I don't think you need MAIN_TLS_ENABLE to do TLS as a client.

>   Modify /etc/exim4/exim4.conf.template for the remote_smtp_smarthost
>   to change the sending port to 587.  (In the U.S. there are a lot of
>   ISPs that block outbound port 25 except for the ISP's mail servers):
>
>       ...
>       remote_smtp_smarthost:
>          debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
>          driver = smtp
>            port = 587    # <--- add this line
>          ...

You can set sc_smarthost to hostname::587 without having to change the
transport, see update-exim4.conf(8) or the debconf template for
dc_smarthost.

>   Modify /etc/exim4/passwd.client to add a smarthost:username:password
>   triplet for sending email:
>
>       smtp.example.com:Orac:SillyPassword

That's what I'd want to be debconfed

>   On the mail server machine (i.e. smtp.example.com), make an MD5
>   password hash of the password used on the client machine via command:
>
>       #mkpasswd -H md5 SillyPassword
>       $1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1
>
>   Then modify /etc/exim4/passwd on the server to add a
>   username:hashed_passwd:passwd triplet for the client:
>
>       Orac:$1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1:SillyPassword

You also can use a more modern hash if the server is Debian exim as well.

>As I mentioned previously, the reason I go through making a new 
>username/password pair for each client is so that I don't risk a personal 
>email account, and so that I can revoke any one machine's email login at the 
>server in case of a client compromise of some kind.

Wise.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
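The check Marc sketches above (look at what the smarthost advertises and only send credentials if TLS is available, otherwise ask before falling back to cleartext) as an added example; this is not Exim's, Debian's or either poster's code. It parses a constructed EHLO reply and decides whether authentication may proceed; the live probe uses Python's smtplib and only runs against a real host. The function and constant names are the example's own.

```python
"""Decide whether SMTP credentials may be sent to a smarthost.

Added example (not Exim/Debian code).  Policy mirrors the message above:
credentials go only over an encrypted connection unless the user has
explicitly accepted cleartext.
"""
import smtplib

# Constructed EHLO replies, as a client sees them after sending EHLO:
# one smarthost that offers STARTTLS and one that does not.
EHLO_WITH_STARTTLS = b"""250-smtp.example.com Hello orac.example.com
250-SIZE 52428800
250-STARTTLS
250-AUTH PLAIN LOGIN
250 HELP"""

EHLO_WITHOUT_STARTTLS = b"""250-smtp.example.com Hello orac.example.com
250-AUTH PLAIN LOGIN
250 HELP"""


def parse_ehlo(ehlo_reply):
    """Turn a multi-line 250 EHLO reply into {EXTENSION: [params, ...]}.

    The first line is the server greeting and carries no extension.
    Every following line is "250-KEYWORD params" or, for the last line,
    "250 KEYWORD params"; the four-character status prefix is dropped.
    """
    extensions = {}
    lines = ehlo_reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue  # not part of the EHLO reply; ignore defensively
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params.split()
    return extensions


def decide_auth(extensions, allow_cleartext=False):
    """Return 'tls', 'cleartext' or 'refuse' for the advertised extensions.

    'tls'       -> STARTTLS offered; authenticate after upgrading.
    'cleartext' -> no STARTTLS, but the user accepted sending the
                   password unencrypted (the debconf question Marc suggests).
    'refuse'    -> no STARTTLS and no consent, or the host offers no AUTH.
    """
    if "STARTTLS" in extensions:
        return "tls"
    if "AUTH" not in extensions:
        return "refuse"
    return "cleartext" if allow_cleartext else "refuse"


def probe_smarthost(host, port=587, timeout=10, allow_cleartext=False):
    """Connect to a real smarthost, issue EHLO and apply decide_auth.

    Needs network access; nothing here sends a password.  The
    esmtp_features dict is filled by smtplib after ehlo() succeeds.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, _ = smtp.ehlo()
            if code != 250:
                return "refuse"
            extensions = {name.upper(): params.split()
                          for name, params in smtp.esmtp_features.items()}
            return decide_auth(extensions, allow_cleartext)
    except (OSError, smtplib.SMTPException):
        return "refuse"


if __name__ == "__main__":
    for label, reply in (("with STARTTLS", EHLO_WITH_STARTTLS),
                         ("without STARTTLS", EHLO_WITHOUT_STARTTLS)):
        print(label, "->", decide_auth(parse_ehlo(reply)))
```

Run as a script it prints the decision for both constructed replies; `probe_smarthost("smtp.example.com")` performs the same decision against a live host. A debconf script would call the equivalent before writing /etc/exim4/passwd.client and only ask the cleartext question when the result is 'refuse' on a host that does advertise AUTH.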

