On 2014-01-23 at 15:46 +0100, basti wrote:
> * OK [CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES SORT AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE ACL ACL2=UNION]

Okay, you have an authentication store which is _probably_ storing the
cleartext passwords, or which might be storing multiple transforms of the
password.

> I want to use the same on SMTP/Exim side of my Mailsystem.

How is Courier authentication configured?

You should be able to access the same password store in Exim, for unified
passwords to send and receive email, with CRAM-MD5 and friends all
supported by Exim.

For instance, if Courier is still using `/etc/userdbshadow.dat` then you
can use a `dbmnz` lookup in Exim to retrieve the password for the user, in
the `server_secret` option of an authenticator.

If Courier is configured to use Cyrus SASL db storage, then you can do the
same with Exim, using either `cyrus_sasl` or `gsasl` as the backend
provider. `cyrus_sasl` works in conjunction with the existing tools, where
using `gsasl` against the same store provides a simpler setup with fewer
moving parts, which is easier to debug.

Without knowing where the actual authentication data is stored, and how
it's stored, I can't be more specific in my guidance; you might look at
the example here:
<http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_gsasl_authenticator.html>
for guidance on using gsasl with a Cyrus password store.

Exim is _flexible_ and can be set up to work with what you already have,
but that means there's no One Right Way to do things.

> Which technique do you prefer for:
>
> port 25/465 or 587
> SSL/TLS with Encrypted password

Email submission should be on 465 and 587. The standards say 587 with
STARTTLS, 465 is SSL-on-connect, some clients support just one or the
other, there's no reason not to provide both in Exim: the attack surface
is the same, you're not going to be using the 465 port for another purpose
on the same IP as you're providing mail-service, so just go ahead and
provide both.

  daemon_smtp_ports = 25 : 465 : 587
  tls_on_connect_ports = 465

You should probably default all authentication to be dependent upon
$tls_cipher being defined; then, if you find a mail _client_ (MUA) which
doesn't support TLS, you can consider allowing the non-disclosure
authentication mechanisms (anything _other_ than PLAIN or LOGIN) over
non-TLS. But requiring TLS is likely to work more reliably and more
smoothly, because it avoids half-baked poor implementations of channel
security layers derived from authentication (you don't want to know the
gory details).

-Phil

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
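The following Exim configuration fragment puts the pieces of the reply above together: the three listening ports with SSL-on-connect on 465, AUTH gated on a negotiated TLS cipher, and a CRAM-MD5 authenticator that reads the shared secret from the Courier userdb file with a `dbmnz` lookup. It also goes slightly beyond the post by showing PLAIN and LOGIN authenticators against the same store, each individually gated on TLS. This is an added example, not code from the original post or from the Exim or Courier projects. It assumes that `/etc/userdbshadow.dat` maps the bare username to a cleartext password (a real Courier userdb record holds several tab-separated `name=value` fields, so you may have to extract the one you want from `$value`), that the certificate and key paths shown exist, and it uses `$tls_in_cipher`, which is the current name of the `$tls_cipher` variable the post refers to.

```exim
# ---- main configuration section (fragment) ----

# 25 for MTA-to-MTA, 465 for SSL-on-connect, 587 for STARTTLS submission.
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

# Offer STARTTLS to everyone. Certificate/key paths are assumptions.
tls_advertise_hosts = *
tls_certificate = /etc/exim/mail.example.org.pem
tls_privatekey  = /etc/exim/mail.example.org.key

# Only advertise AUTH once a TLS cipher has been negotiated.
# $tls_in_cipher is empty on a cleartext session, so this expands to an
# empty host list and the EHLO response carries no AUTH line at all.
# To later allow CRAM-MD5 without TLS for a TLS-less MUA, set this to *
# and rely on the per-authenticator server_advertise_condition below.
auth_advertise_hosts = ${if def:tls_in_cipher {*}{}}

# ---- authenticators section ----
begin authenticators

# Challenge/response: the server must know the cleartext secret, which is
# why the shared store has to hold it (or an equivalent transform).
# Assumption: dbmnz key = username, value = cleartext password.
# A failed lookup forces the expansion to fail, which fails the AUTH.
courier_cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${lookup{$auth1}dbmnz{/etc/userdbshadow.dat}{$value}fail}
  server_set_id = $auth1

# PLAIN and LOGIN send the password itself, so they are gated on TLS
# individually as well; if auth_advertise_hosts is ever relaxed, only the
# non-disclosure mechanism above becomes available in cleartext.
# PLAIN: $auth1 = authzid (usually empty), $auth2 = authcid, $auth3 = password.
courier_plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_advertise_condition = ${if def:tls_in_cipher}
  server_condition = ${if eq{$auth3}{${lookup{$auth2}dbmnz{/etc/userdbshadow.dat}{$value}fail}}}
  server_set_id = $auth2

# LOGIN: $auth1 = username, $auth2 = password.
courier_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_advertise_condition = ${if def:tls_in_cipher}
  server_condition = ${if eq{$auth2}{${lookup{$auth1}dbmnz{/etc/userdbshadow.dat}{$value}fail}}}
  server_set_id = $auth1
```

To check the gating behaves as intended, run `exim -bV` to syntax-check the configuration, then compare the EHLO responses of a cleartext session (`openssl s_client -connect mail.example.org:587` followed by EHLO should show no AUTH line) and a TLS session (`openssl s_client -starttls smtp -connect mail.example.org:587`, then EHLO, should list CRAM-MD5, PLAIN and LOGIN). The `fail` at the end of each lookup matters: an empty default string instead would let an empty submitted password compare equal to the empty result of a missing user.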
