Re: exim4 authentication in etch? - SUCCESS!

To: debian-user@lists.debian.org
Subject: Re: exim4 authentication in etch? - SUCCESS!
From: "Thomas H. George" <lists@tomgeorge.info>
Date: Tue, 07 Oct 2008 10:22:18 -0400
Message-id: <[🔎] 48EB709A.4080309@tomgeorge.info>
In-reply-to: <[🔎] 0eorr5xck1.ln2@news.roaima.co.uk>
References: <bk7ni-X6-7@gated-at.bofh.it> <bk7ni-X6-9@gated-at.bofh.it> <bk7ni-X6-11@gated-at.bofh.it> <bk7ni-X6-13@gated-at.bofh.it> <bk7ni-X6-15@gated-at.bofh.it> <bk7ni-X6-17@gated-at.bofh.it> <bk7nj-X6-19@gated-at.bofh.it> <bk7nj-X6-21@gated-at.bofh.it> <bk7ni-X6-5@gated-at.bofh.it> <bkaXX-5m3-3@gated-at.bofh.it> <[🔎] 0eorr5xck1.ln2@news.roaima.co.uk>

Chris Davies wrote:

Thomas H. George <lists@tomgeorge.info> wrote:

|MAIN_TLS_ENABLE = true|
|AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS=yes|


Chris Davies <chris-usenet@roaima.co.uk>:

What you've done there is to enable TLS (encryption), but then
immediately say that you're happy not to use encryption to protect
your username/password combination.


s. keeling <keeling@nucleus.com> wrote:

So, the answer is to avoid providers who require this?  Or is there
any alternative action he could employ?


Fair question. Re-reading the exim4 configuration code again, I can see
that MAIN_TLS_ENABLE is required. (Without it, it seems that none of
the certificate configuration settings is included.) I forgot to mention
this in my original suggestion because I've had it enabled for so long

I'm still puzzled why the OP needs the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
setting, which I also have mis-represented above. For correction, it
allows inbound client connections to one's own server to use passwords
without TLS encryption.

This discussion makes me wonder about the iceape use of theusername/password combination. For iceape it is simple and easy toenter the information yet for me the exim4 setup required a lot ofresearch which suggests possible security issues. First, is there asecurity issue? I am only providing the username/password without TLSwhen specifically addressing the verizon server and asking access to theinternet to send a message. To collect messages from my ISP I do notneed to do this. For example, the fetchmail setup required the ISPusername and password and then retrieved messages before I everconfigured exim4. In fact, I only tried to configure and use exim4because I rather liked using fetchmail and mutt to read postings to thedebian-user list. As long as I am just reading the postings nothingmore needs to be done. It is only when I wish to reply to the list frommutt that exim4 is required. If, instead, I abandon fetchmail and muttand use iceape to read and reply to postings I never need exim4 at all.


Should I worry about this?

Tom

Reply to:

Follow-Ups:
- Re: exim4 authentication in etch? - SUCCESS!
  - From: Andrei Popescu <andreimpopescu@gmail.com>

References:
- Re: exim4 authentication in etch? - SUCCESS!
  - From: Chris Davies <chris-usenet@roaima.co.uk>

Prev by Date: kernel 2.6.27
Next by Date: Re: ping MAC address
Previous by thread: Re: exim4 authentication in etch? - SUCCESS!
Next by thread: Re: exim4 authentication in etch? - SUCCESS!
Index(es):
- Date
- Thread