Re: default MTA
On Sat, 1 Jun 2013 15:06:40 -0400, Chris Knadle
<Chris.Knadle@coredump.us> wrote:
>I can understand why one would want this, but I can also understand why it
>hasn't been done. Without first setting up TLS, this would involve passing a
>username/password over the 'net in the clear, which is something I try hard to
>never ever have happen. This is especially something you don't want to do if
>it's your own personal email login, which is a likely use case for this
>proposed debconf code. :-/
Exim's default in the packages is not to send authentication data over
a non-encrypted connection. The debconf code could try to check
whether the smarthost allows TLS, and if not, query the user whether
it is ok to send the password over a non-encrypted connection.
> In this example, the FQDN of the local machine is orac.example.com
> and the smarthost machine is smtp.example.com
>
> Create new file /etc/exim4/exim4.conf.localmacros containing:
>
> MAIN_TLS_ENABLE = true
> primary_hostname = orac.example.com
I don't think you need MAIN_TLS_ENABLE to do TLS as a client.
> Modify /etc/exim4/exim4.conf.template for the remote_smtp_smarthost
> to change the sending port to 587. (In the U.S. there are a lot of
> ISPs that block outbound port 25 except for the ISP's mail servers):
>
> ...
> remote_smtp_smarthost:
> debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
> driver = smtp
> port = 587 # <--- add this line
> ...
You can set sc_smarthost to hostname::587 without having to change the
transport, see update-exim4.conf(8) or the debconf template for
dc_smarthost.
> Modify /etc/exim4/passwd.client to add a smarthost:username:password
> triplet for sending email:
>
> smtp.example.com:Orac:SillyPassword
That's what I'd want to be debconfed
> On the mail server machine (i.e. smtp.example.com), make an MD5
> password hash of the password used on the client machine via command:
>
> #mkpasswd -H md5 SillyPassword
> $1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1
>
> Then modify /etc/exim4/passwd on the server to add a
> username:hashed_passwd:passwd triplet for the client:
>
> Orac:$1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1:SillyPassword
You also can use a more modern hash if the server is Debian exim as well.
>As I mentioned previously, the reason I go through making a new
>username/password pair for each client is so that I don't risk a personal
>email account, and so that I can revoke any one machine's email login at the
>server in case of a client compromise of some kind.
Wise.
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
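As an added illustration of the check Marc describes (this is not Debian's debconf code and not part of the thread), the script below reads a smarthost's EHLO reply, and only when STARTTLS is advertised does it emit the dc_smarthost value (hostname::587) and the passwd.client triplet. The EHLO replies are constructed samples and the function names are my own.

```python
"""Only hand a smarthost login to exim4 when the server offers STARTTLS.

Added example, not Debian's debconf code. The EHLO replies below are
constructed samples of what a submission server might return on port 587.
"""
import re

EHLO_WITH_TLS = [  # constructed sample reply
    "250-smtp.example.com Hello orac.example.com [192.0.2.10]",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 HELP",
]
EHLO_WITHOUT_TLS = [  # constructed sample reply: AUTH offered, no STARTTLS
    "250-smtp.example.com Hello orac.example.com [192.0.2.10]",
    "250-AUTH PLAIN LOGIN",
    "250 HELP",
]


def ehlo_capabilities(lines):
    """Map EHLO keywords (upper-cased) to their parameter lists.

    RFC 5321 formats each line as '250-KEYWORD params', with '250 KEYWORD'
    on the last line; the first line is the greeting and carries no keyword.
    """
    caps = {}
    for line in lines[1:]:
        m = re.match(r"250[ -](\S+)(?:\s+(.*))?$", line)
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps


def smarthost_config(host, port, user, password, ehlo_lines, allow_plain=False):
    """Return (dc_smarthost value, passwd.client line), or raise ValueError.

    Mirrors the rule from the thread: the login is only stored for a server
    that can take it over an encrypted session, unless the admin explicitly
    accepts sending it in the clear (allow_plain=True).
    """
    caps = ehlo_capabilities(ehlo_lines)
    if "STARTTLS" not in caps and not allow_plain:
        raise ValueError(f"{host} does not advertise STARTTLS; refusing to store a cleartext login")
    if "AUTH" not in caps:
        raise ValueError(f"{host} does not advertise AUTH; a passwd.client entry would never be used")
    # hostname::port is how update-exim4.conf(8) expresses a non-default port
    # in dc_smarthost, so the remote_smtp_smarthost transport needs no edit.
    return f"{host}::{port}", f"{host}:{user}:{password}"
```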