Chris Davies wrote:
This discussion makes me wonder about the iceape use of the username/password combination. For iceape it is simple and easy to enter the information yet for me the exim4 setup required a lot of research which suggests possible security issues. First, is there a security issue? I am only providing the username/password without TLS when specifically addressing the verizon server and asking access to the internet to send a message. To collect messages from my ISP I do not need to do this. For example, the fetchmail setup required the ISP username and password and then retrieved messages before I ever configured exim4. In fact, I only tried to configure and use exim4 because I rather liked using fetchmail and mutt to read postings to the debian-user list. As long as I am just reading the postings nothing more needs to be done. It is only when I wish to reply to the list from mutt that exim4 is required. If, instead, I abandon fetchmail and mutt and use iceape to read and reply to postings I never need exim4 at all.Thomas H. George <lists@tomgeorge.info> wrote:|MAIN_TLS_ENABLE = true| |AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS=yes|Chris Davies <chris-usenet@roaima.co.uk>:What you've done there is to enable TLS (encryption), but then immediately say that you're happy not to use encryption to protect your username/password combination.s. keeling <keeling@nucleus.com> wrote:So, the answer is to avoid providers who require this? Or is there any alternative action he could employ?Fair question. Re-reading the exim4 configuration code again, I can see that MAIN_TLS_ENABLE is required. (Without it, it seems that none of the certificate configuration settings is included.) I forgot to mention this in my original suggestion because I've had it enabled for so long I'm still puzzled why the OP needs the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS setting, which I also have mis-represented above. For correction, it allows inbound client connections to one's own server to use passwords without TLS encryption.
Should I worry about this? Tom