On Sat, 1 Jun 2013 15:06:40 -0400, Chris Knadle
<chris.kna...@coredump.us> wrote:
>I can understand why one would want this, but I can also understand why it
>hasn't been done.  Without first setting up TLS, this would involve passing a
>username/password over the 'net in the clear, which is something I try hard to
>never ever have happen.  This is especially something you don't want to do if
>it's your own personal email login, which is a likely use case for this
>proposed debconf code. :-/

Exim's default in the packages is not to send authentication data over
a non-encrypted connection. The debconf code could try to check whether
the smarthost allows TLS, and if not, query the user whether it is ok to
send the password over a non-encrypted connection.

> In this example, the FQDN of the local machine is orac.example.com
> and the smarthost machine is smtp.example.com
>
> Create new file /etc/exim4/exim4.conf.localmacros containing:
>
>    MAIN_TLS_ENABLE = true
>    primary_hostname = orac.example.com

I don't think you need MAIN_TLS_ENABLE to do TLS as a client.

> Modify /etc/exim4/exim4.conf.template for the remote_smtp_smarthost
> to change the sending port to 587.  (In the U.S. there are a lot of
> ISPs that block outbound port 25 except for the ISP's mail servers):
>
>    ...
>    remote_smtp_smarthost:
>      debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
>      driver = smtp
>      port = 587      # <--- add this line
>    ...

You can set sc_smarthost to hostname::587 without having to change the
transport, see update-exim4.conf(8) or the debconf template for
dc_smarthost.

> Modify /etc/exim4/passwd.client to add a smarthost:username:password
> triplet for sending email:
>
>    smtp.example.com:Orac:SillyPassword

That's what I'd want to be debconfed

> On the mail server machine (i.e. smtp.example.com), make an MD5
> password hash of the password used on the client machine via command:
>
>    #mkpasswd -H md5 SillyPassword
>    $1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1
>
> Then modify /etc/exim4/passwd on the server to add a
> username:hashed_passwd:passwd triplet for the client:
>
>    Orac:$1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1:SillyPassword

You also can use a more modern hash if the server is Debian exim as well.

>As I mentioned previously, the reason I go through making a new
>username/password pair for each client is so that I don't risk a personal
>email account, and so that I can revoke any one machine's email login at the
>server in case of a client compromise of some kind.

Wise.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
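
The check suggested in the message above (see whether the smarthost allows TLS, otherwise ask the user before a password goes out unencrypted), as an added example that is not part of the original mail or of the Debian exim4 packaging. The function names, the three result labels and the sample EHLO replies are assumptions constructed for illustration.

```python
import smtplib

# Constructed EHLO replies (not captured from a real server).
EHLO_WITH_TLS = """250-smtp.example.com Hello orac.example.com [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP"""
EHLO_CLEAR_AUTH = """250-smtp.example.com Hello orac.example.com [192.0.2.10]
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250 HELP"""

def parse_ehlo(reply):
    """Return {KEYWORD: params} for the extension lines of a raw EHLO reply."""
    features = {}
    for line in reply.strip().splitlines()[1:]:   # line 0 is the greeting
        code, sep, rest = line[:3], line[3:4], line[4:].strip()
        if code == "250" and sep in ("-", " ") and rest:
            keyword, _, params = rest.partition(" ")
            features[keyword.upper()] = params
    return features

def classify(features):
    """Decide what the configuration step should do with the password."""
    if "STARTTLS" in features:
        return "tls"          # credentials can be sent after STARTTLS
    if "AUTH" in features:
        return "ask-user"     # AUTH offered in the clear: ask before using it
    return "no-auth"          # neither offered: nothing to authenticate with

def probe(host, port=587, timeout=10):
    """Live check: connect, send EHLO, classify what the server advertises."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # smtplib stores advertised extensions lower-cased in esmtp_features
        return classify({k.upper(): v for k, v in smtp.esmtp_features.items()})

if __name__ == "__main__":
    for name, reply in (("with TLS", EHLO_WITH_TLS), ("clear AUTH", EHLO_CLEAR_AUTH)):
        print(name, "->", classify(parse_ehlo(reply)))
```

A missing STARTTLS keyword can also be the result of an in-path device removing it from the reply, so refusing is the safer default answer when the user is asked.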