http://www.exim.org/bugzilla/show_bug.cgi?id=512

Summary: [PATCH] Let client authentication depend upon TLS being present
Product: Exim
Version: N/A
Platform: Other
OS/Version: All
Status: NEW
Keywords: work:tiny
Severity: wishlist
Priority: medium
Component: SMTP Authentication
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]
QAContact: [email protected]

A man-in-the-middle attack could strip STARTTLS from the EHLO response codes. If a cleartext authentication protocol is configured then this can leak authentication credentials so that they can be sniffed.

I'll attach a patch which:

 * adds "client_attempt_condition" as an analogue to "server_advertise_condition"
 * adds a new variable "connection_tls_cipher", only set during the smtp transport
 * does not include documentation because
   * I suck
   * I may have done this badly

My recollection is that a process performing outbound SMTP won't be re-used, so it's safe to "set and forget" a global variable in the way that this patch does. This is what I've probably gotten wrong ...

Testing consisted of:

 1: client_attempt_condition = ${if def:connection_tls_cipher}
 2: send mail via GMail Submission (PLAIN)
 3: client_attempt_condition = no
 4: send another mail, see it blocked in queue; run "exim -d -qff" and verify that no matching authenticator is found
 5: restore client_attempt_condition
 6: watch mail get sent out

Feedback welcome. Variable renames fully expected.

-Phil Pennock

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-dev
## Exim details at http://www.exim.org/
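The attack and the client-side gate described in the report, as an added example that is not part of the original report and is not Exim code: a small Python model of one outbound SMTP session. The scripted server, its hostname, the cipher string, the credentials and the EHLO text are all constructed for the example. `client_attempt_condition` and `connection_tls_cipher` are the names the patch proposes (the reporter says renames are expected); the model treats the TLS handshake as succeeding whenever STARTTLS is advertised and does not model the second EHLO inside the tunnel. Three runs are covered: honest path, STARTTLS stripped with the gate in place (message stays queued, nothing usable on the wire), and STARTTLS stripped with no gate (the pre-patch failure mode, where AUTH PLAIN goes out in cleartext).

```python
"""Model of STARTTLS stripping against an SMTP client that authenticates with
PLAIN, and of the proposed client_attempt_condition gate.  Constructed
example; not Exim's own code."""
import base64

# Constructed EHLO reply from a submission server that offers TLS and PLAIN auth.
SERVER_EHLO = (
    "250-smtp.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)

# Constructed stand-in for whatever cipher the handshake negotiates.
SAMPLE_CIPHER = "TLS_AES_128_GCM_SHA256"


def parse_ehlo(response):
    """Return the set of EHLO keywords in a multi-line 250 reply (first line is the hostname)."""
    keywords = set()
    for line in response.splitlines()[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def strip_starttls(response):
    """What an active attacker on the cleartext path does: drop the STARTTLS line.

    The reply is kept well-formed: the final remaining line is re-marked "250 ".
    """
    kept = [l for l in response.splitlines() if l[4:].split()[:1] != ["STARTTLS"]]
    kept[-1] = "250 " + kept[-1][4:]
    return "".join(l + "\r\n" for l in kept)


def client_attempt_condition(connection_tls_cipher):
    """Python analogue of   client_attempt_condition = ${if def:connection_tls_cipher}"""
    return connection_tls_cipher is not None


def run_session(ehlo_response, username, password, require_tls=True, mitm=False):
    """Drive one outbound session against a scripted server.

    Returns (outcome, cleartext_commands): cleartext_commands is every client
    command a passive sniffer on the unencrypted path would see.
    """
    if mitm:
        ehlo_response = strip_starttls(ehlo_response)
    extensions = parse_ehlo(ehlo_response)

    cleartext_commands = ["EHLO client.example.test"]
    connection_tls_cipher = None  # unset until TLS is actually up, as in the patch
    if "STARTTLS" in extensions:
        cleartext_commands.append("STARTTLS")
        connection_tls_cipher = SAMPLE_CIPHER  # handshake modelled as succeeding

    outcome = {"tls_cipher": connection_tls_cipher, "auth_sent": False,
               "credentials_in_clear": False, "queued": False}

    if require_tls and not client_attempt_condition(connection_tls_cipher):
        # No authenticator matches, so the message stays on the queue
        # (the "exim -d -qff" check in the report).
        outcome["queued"] = True
        return outcome, cleartext_commands

    # SASL PLAIN: authzid NUL authcid NUL password, base64-encoded.
    blob = base64.b64encode(("\0" + username + "\0" + password).encode()).decode()
    outcome["auth_sent"] = True
    if connection_tls_cipher is None:
        cleartext_commands.append("AUTH PLAIN " + blob)
        outcome["credentials_in_clear"] = True
    return outcome, cleartext_commands


def sniffed_password(cleartext_commands):
    """Recover the password from any AUTH PLAIN seen in the clear, else None."""
    for cmd in cleartext_commands:
        if cmd.startswith("AUTH PLAIN "):
            decoded = base64.b64decode(cmd.split(" ", 2)[2])
            return decoded.split(b"\0")[2].decode()
    return None


if __name__ == "__main__":
    for mitm, require_tls in [(False, True), (True, True), (True, False)]:
        outcome, wire = run_session(SERVER_EHLO, "alice", "hunter2", require_tls, mitm)
        print("mitm=%s require_tls=%s -> %s; sniffed password: %s"
              % (mitm, require_tls, outcome, sniffed_password(wire)))
```

The third run is the behaviour the report is fixing: without a TLS-dependent condition the client falls through to AUTH PLAIN on the cleartext connection and the password is recoverable by anyone on the path. The gate closes that, but it only governs the authenticator; if the transport itself must never fall back to cleartext, the smtp transport's `hosts_require_tls` is the complementary control. In later Exim releases this report's idea shipped as the generic authenticator option `client_condition`, with the negotiated cipher exposed as `$tls_out_cipher`.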
