hi fred,
> | i'm fairly certain that's on purpose:
>
> I figured so.
>
> | auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
heh. never quite certain at that hour ...
> | the idea being, unless a sending client is using TLS, don't advertise
> | anything ... hence (eventually) 'enforcing' use of TLS, no?
>
> Maybe, but I thought the main issue is with allowing plain text AUTH
> mechanisms on an unencrypted connection, where they are vulnerable to
> sniffing.
yup. iiuc, that seems to be the most oft mentioned, 'main' issue ..
this is just my effort to feed my OCD daemons ...
i do not _think_ it's causing any problems _here_ tho, but it will get
temporarily disabled while figuring this out ...
> But that's not a problem with CRAM-MD5 mechanism, so it's also
> reasonable to use server_advertise_condition in the plain text
> authenticators to exclude them from the advertised list on
> unencrypted connections, allowing AUTH CRAM-MD5 to be used. That's
> what I would do, anyway...
yup. already there:
sasl_plain:
  driver = cyrus_sasl
  server_set_id = $1
  public_name = PLAIN
  server_service = smtp
  server_hostname = $primary_hostname
  server_realm = $primary_hostname
  server_advertise_condition = ${if !eq\
                                 {}\
                                 {$tls_cipher}\
                               }
cheers,
richard
--
/"\
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews
fingerprint: 3F07 3CFD 138A FD91 A4A6 1840 1A7A 8CCB 882F 67A1
--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
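
Added example (not part of the original message and not Exim code): one way to check the behaviour discussed above is to compare the AUTH mechanisms a server advertises in its EHLO reply before and after STARTTLS. The function names, the host mail.example.org and the sample replies are constructed for illustration.

```python
import re

# Mechanisms that send the password itself (only base64-encoded) over the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Return (auth_mechanisms, starttls_offered) from a multi-line EHLO reply."""
    mechs, starttls = set(), False
    for line in reply.splitlines():
        m = re.match(r"^250[- ](.*)$", line.strip())
        if not m:
            continue
        # Accept both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" form.
        words = re.sub(r"(?i)^AUTH=", "AUTH ", m.group(1)).upper().split()
        if not words:
            continue
        if words[0] == "AUTH":
            mechs.update(words[1:])
        elif words[0] == "STARTTLS":
            starttls = True
    return mechs, starttls


def audit(cleartext_reply, tls_reply):
    """List findings given the EHLO replies seen before and after STARTTLS."""
    findings = []
    clear_mechs, starttls = parse_ehlo(cleartext_reply)
    tls_mechs, _ = parse_ehlo(tls_reply)
    exposed = sorted(clear_mechs & PLAINTEXT_MECHS)
    if exposed:
        findings.append("plaintext AUTH advertised without TLS: " + ", ".join(exposed))
    if not starttls:
        findings.append("STARTTLS not offered")
    if not tls_mechs:
        findings.append("no AUTH advertised after STARTTLS")
    return findings


# Constructed sample replies (not captured from a real server).
HEAD = "250-mail.example.org Hello client [192.0.2.10]\n250-SIZE 52428800\n"
CLEAR_CRAM_ONLY = HEAD + "250-AUTH CRAM-MD5\n250-STARTTLS\n250 HELP"
CLEAR_NO_AUTH = HEAD + "250-STARTTLS\n250 HELP"   # auth_advertise_hosts style
CLEAR_LEAKY = HEAD + "250-AUTH PLAIN LOGIN CRAM-MD5\n250-STARTTLS\n250 HELP"
AFTER_TLS = HEAD + "250-AUTH CRAM-MD5 PLAIN\n250 HELP"

if __name__ == "__main__":
    for name, reply in [("cram-only", CLEAR_CRAM_ONLY), ("no-auth", CLEAR_NO_AUTH),
                        ("leaky", CLEAR_LEAKY)]:
        print(name, audit(reply, AFTER_TLS) or "ok")
```

Both setups from the thread (no AUTH at all without TLS, or only CRAM-MD5 without TLS) pass this check; a server that lists PLAIN or LOGIN before STARTTLS is flagged.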