On 2010-08-12 at 09:20 -0400, Edward Harvey wrote:

> So here's what I learned: No, it's not bad for AUTH PLAIN to be displayed
> at this point. I was wrong in my understanding of how this flow would go.
> I mistakenly thought that TLS didn't begin until the STARTTLS command was
> given. But upon closer inspection, I telnet'd to the mail server, and saw
> in the logs that TLS had already begun before I even typed a single
> character. So naturally, when I run my first EHLO, the advertisement of
> AUTH PLAIN was present.

tls_on_connect_ports should only list the ports where you want immediate SSL rather than STARTTLS. For compatibility with Outlook that will be port 465 in most corporate setups.

> However, if I typed in AUTH PLAIN, and tried to submit a username/password
> unencrypted in plain text, the server was expecting something base64
> (which obviously I didn't type) and if I typed in AUTH LOGIN (after I
> enabled auth login) then the server sent me some encrypted characters.

AUTH PLAIN is three NUL-separated sections, which for the SMTP profile is wrapped in Base64. In practice the first will be empty, so it's base64(<NUL>usercode<NUL>password).

> So the conclusion is: The server starts TLS in its own brain, before the
> client even requests it. However, the client cannot encrypt/decrypt any
> of that, until the client does the STARTTLS. And while TLS is running,

If the client is not expecting to be speaking TLS but the server is, then you'll have a mismatch.

> only some specific fields are encrypted. Username/password, and even the
> username/password prompt are all encrypted. But not the "rcpt" and "from"
> and "data" commands and so forth.

Uhm, I think you have yourself thoroughly confused. SSL/TLS provide stream protection and are agnostic when it comes to the protected content.

> AUTH PLAIN is not sufficient to support Outlook. I managed to solve all
> of the above, by enabling AUTH LOGIN as well as AUTH PLAIN. Now
> everything works fine.

Outlook, unlike your testing with Telnet, will be using SSL to port 465, and yes it requires AUTH LOGIN, which is just base64-wrapping of Usercode/Password interactive login, rather than AUTH PLAIN. I believe it also can support NTLM, which Exim supports with the SPA authenticator. Pass-thru with this will not work though; if you can get access to the mail password via LDAP then you could still support it.

-Phil

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
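The point Phil makes above, that AUTH PLAIN and AUTH LOGIN are Base64 wrapping and not encryption, can be seen by building and decoding the exchanges yourself. The following is an added example written for this thread, not code from the list or from Exim; the usernames, passwords and the captured log line are constructed, and the redaction helper is a hypothetical addition showing why such lines should never be logged verbatim.

```python
import base64
import re

# SASL PLAIN (RFC 4616): base64(authzid NUL authcid NUL passwd).
# The SMTP AUTH profile wraps the three NUL-separated parts in Base64.
# Base64 is an encoding, not encryption: anyone who can read the stream
# (or a verbatim server log) recovers the password, which is why AUTH
# should only be offered once the connection is TLS-protected.

def build_plain(username: str, password: str, authzid: str = "") -> str:
    """Return the Base64 argument a client sends after 'AUTH PLAIN '."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def parse_plain(b64: str) -> tuple:
    """Decode an AUTH PLAIN argument into (authzid, username, password)."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)

# AUTH LOGIN (a de facto standard that Outlook relies on): the server
# sends base64("Username:") then base64("Password:") as 334 challenges,
# and the client answers each with a Base64-wrapped value. Still only
# Base64; the "encrypted characters" seen over telnet are these prompts.
LOGIN_PROMPTS = [base64.b64encode(b"Username:").decode("ascii"),
                 base64.b64encode(b"Password:").decode("ascii")]

def login_exchange(username: str, password: str) -> list:
    """Return the (server challenge, client response) pairs for AUTH LOGIN."""
    answers = [username, password]
    return [(f"334 {prompt}", base64.b64encode(answer.encode("utf-8")).decode("ascii"))
            for prompt, answer in zip(LOGIN_PROMPTS, answers)]

# Defender side (hypothetical helper): strip the credential blob from an
# SMTP transcript line before it reaches any log or debug output.
_AUTH_RE = re.compile(r"^(AUTH\s+(?:PLAIN|LOGIN))\s+\S+", re.IGNORECASE)

def redact_auth_line(line: str) -> str:
    """Replace the argument of an AUTH PLAIN/LOGIN command with a marker."""
    return _AUTH_RE.sub(r"\1 [REDACTED]", line)

if __name__ == "__main__":
    blob = build_plain("alice", "s3cret")          # constructed credentials
    print("AUTH PLAIN", blob, "->", parse_plain(blob))
    for challenge, response in login_exchange("alice", "s3cret"):
        print(challenge, "->", response)
    print(redact_auth_line(f"AUTH PLAIN {blob}"))
```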
