Exim 4 and AUTH over TLS only
When trying to convert our outgoing servers to Exim 4, I noticed that
"auth_over_tls_hosts" is gone (handled by ACLs). Unfortunately AUTH is
now always advertised, even if it is only possible over TLS. This leads
to the well-known Netscape-problems: This time the clients which were
not configured to do either TLS or AUTH, nevertheless try to AUTH over
the unencrypted channel, and fail ("need TLS before AUTH"). With Exim 3
we had "auth_over_tls_hosts = *" and so AUTH was only seen when
connecting over TLS.

Is there a way to get this behaviour back in Exim 4?

(I tried advertising AUTH only to clients which really have to AUTH to
be allowed to relay, but this led to other problems with roaming
notebooks (sometimes on our network, sometimes over other ISPs) and mail
clients which use fixed settings for TLS and AUTH, and which depend on
seeing AUTH, once configured to authenticate to the server.)
--
Harald Schueler

Universitaet Essen, Hochschulrechenzentrum,
Essen, Germany. Phone: +49 201 1832998
Re: Exim 4 and AUTH over TLS only
On Mon, 10 Jun 2002, Harald Schueler wrote:

> When trying to convert our outgoing servers to Exim 4, I noticed that
> "auth_over_tls_hosts" is gone (handled by ACLs).

> (I tried advertising AUTH only to clients which really have to AUTH to
> be allowed to relay, but this led to other problems with roaming
> notebooks (sometimes on our network, sometimes over other ISPs) and mail
> clients which use fixed settings for TLS and AUTH, and which depend on
> seeing AUTH, once configured to authenticate to the server.)

Do the notebooks have the same IP when on your network and with
another ISP ? I'd have thought that that was a good case for DHCP,
and then your servers would be able to tell which network the
notebook is on.

--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison@dpmms.cam.ac.uk http://www.dpmms.cam.ac.uk/~werdna
Re: Exim 4 and AUTH over TLS only
On Mon, 10 Jun 2002, Harald Schueler wrote:

> When trying to convert our outgoing servers to Exim 4, I noticed that
> "auth_over_tls_hosts" is gone (handled by ACLs). Unfortunately AUTH is
> now always advertised, even if it is only possible over TLS.

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

In other words: "If $tls_cipher is unset, advertise to no hosts;
otherwise, advertise to all hosts."

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
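The expansion above makes Exim advertise AUTH only once the session is encrypted, so clients cannot send credentials over the plaintext channel. A way to confirm a server actually behaves that way is to compare the EHLO response before and after STARTTLS. The following Python script is an added example, not code from this thread or from the Exim project; the EHLO responses embedded in it are constructed samples, and the host name `mail.example.test` and the `live_check` helper are assumptions for illustration.

```python
"""Check that an SMTP server advertises AUTH only after STARTTLS.

Added example, not part of the original thread. It models the behaviour
the auth_advertise_hosts expansion is meant to produce: the EHLO banner on
a plaintext session must not list AUTH, while the EHLO sent after STARTTLS
must. The EHLO responses below are constructed sample data, not captured
from a real server.
"""
import re
import smtplib  # only used by the optional live check at the bottom

# Constructed EHLO responses, as a client would see them in each phase.
PLAINTEXT_EHLO = [
    "mail.example.test Hello client.example.test [192.0.2.10]",
    "SIZE 52428800",
    "8BITMIME",
    "STARTTLS",
    "HELP",
]
TLS_EHLO = [
    "mail.example.test Hello client.example.test [192.0.2.10]",
    "SIZE 52428800",
    "8BITMIME",
    "AUTH PLAIN LOGIN",
    "HELP",
]


def advertised_auth_mechanisms(ehlo_lines):
    """Return the AUTH mechanisms listed in an EHLO response (empty if none).

    Accepts both 'AUTH PLAIN LOGIN' and the legacy 'AUTH=PLAIN LOGIN' form.
    """
    mechs = []
    for line in ehlo_lines[1:]:  # the first line is the greeting, not a keyword
        m = re.match(r"AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.extend(m.group(1).split())
    return mechs


def evaluate(plain_ehlo, tls_ehlo):
    """Classify a server from its pre- and post-STARTTLS EHLO responses."""
    before = advertised_auth_mechanisms(plain_ehlo)
    after = advertised_auth_mechanisms(tls_ehlo)
    if before:
        # AUTH offered on the unencrypted channel: the configuration the
        # thread is trying to avoid.
        return "auth-leaks-to-plaintext", before
    if not after:
        return "auth-never-advertised", after
    return "auth-over-tls-only", after


def live_check(host, port=587, timeout=10):
    """Optional online version using smtplib (needs a reachable server).

    Assumed helper for illustration; not exercised by the offline test.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        plain = s.ehlo_resp.decode(errors="replace").splitlines()
        s.starttls()
        s.ehlo()
        tls = s.ehlo_resp.decode(errors="replace").splitlines()
    return evaluate(plain, tls)


if __name__ == "__main__":
    print(evaluate(PLAINTEXT_EHLO, TLS_EHLO))
```

Run against the constructed data it reports `auth-over-tls-only`; pointing `live_check` at your own submission server gives the same verdict for a real session. Note that in Exim 4.80 and later the inbound cipher variable is `$tls_in_cipher`, with `$tls_cipher` retained as a synonym, and the same condition can also be attached per authenticator via `server_advertise_condition`.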
Re: Exim 4 and AUTH over TLS only
Philip Hazel wrote:
> On Mon, 10 Jun 2002, Harald Schueler wrote:
>
>>When trying to convert our outgoing servers to Exim 4, I noticed that
>>"auth_over_tls_hosts" is gone (handled by ACLs). Unfortunately AUTH is
>>now always advertised, even if it is only possible over TLS.
>
> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
>
> In other words: "If $tls_cipher is unset, advertise to no hosts;
> otherwise, advertise to all hosts."

Ah, the power of expansion... 8) That was just what I was looking for.

Could/should this be done automatically by convert4r4?

--
Harald Schueler

Universitaet Essen, Hochschulrechenzentrum,
Essen, Germany. Phone: +49 201 1832998
Re: Exim 4 and AUTH over TLS only
On Mon, 10 Jun 2002, Harald Schueler wrote:

> > In other words: "If $tls_cipher is unset, advertise to no hosts;
> > otherwise, advertise to all hosts."
>
> Ah, the power of expansion... 8) That was just what I was looking for.
>
> Could/should this be done automatically by convert4r4?

I suspect not, because it would be too tricky to unpick a general
auth_over_tls_hosts setting. I am, however, intending to put this
example into the next edition of the Exim 4 manual.


--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.