On Fri, Jun 22, 2007 at 12:31:45PM +1000, Ian Wienand wrote:
> I wrote a blog post about getting exim to use SMTP AUTH over a secure
> tunnel, and it has elicited several responses. Clearly there is a
> need for the package to do this.
I disagree. SMTP-over-SSL is a non-standardized protocol, only Microsoft clients use it, only braindead ISPs offer it as the only method of access, and TCP/465 has recently been assigned by IANA to a service that is _NOT_ SMTP-over-SSL because Microsoft hijacked the port without properly registering it. I do _NOT_ think that the Debian package should allow this abuse out-of-the-box. I am willing, though, to document this as an example.

> +.ifdef SMARTHOST_ALLOW_SELF_SEND > + # Setting this allows exim to use localhost as a smarthost > + # This might be useful if you have a secure tunnel > + # to a remote SMTP server (on another port) on your local machine > + self = send > +.endif > no_more

This can probably be circumvented by putting a second address (for example 127.0.1.1) on lo, and using this address for the target. I need to try that.

> diff -ur > ../exim4-4.67/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost > ./debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost > --- > ../exim4-4.67/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost > 2007-06-22 11:28:21.000000000 +1000 > +++ ./debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost > 2007-06-22 12:21:32.000000000 +1000
> @@ -25,3 +25,9 @@ > .ifdef REMOTE_SMTP_RETURN_PATH > return_path = REMOTE_SMTP_RETURN_PATH > .endif > +.ifdef REMOTE_SMTP_HOSTS_REQUIRE_AUTH > + hosts_require_auth = REMOTE_SMTP_HOSTS_REQUIRE_AUTH > +.endif > +.ifdef REMOTE_SMTP_PORT > + port = REMOTE_SMTP_PORT > +.endif

This modifies the _main_ smarthost router, which I do not find acceptable. The example should establish its own remote_smtp_smarthost_smtp_over_ssl router. The port can now be handled natively in debconf by specifying 127.0.0.1::465 as smarthost (see man update-exim4.conf.conf). Additionally, I don't see the need for hosts_require_auth. If the remote host advertises SMTP AUTH, and exim has a password for this host, it will automatically try to authenticate.

> + Then, open a tunnel to the remote mail server using a tool > + such as <filename>stunnel</filename> (this usually tunnels > + port 465).

Please give an example commandline, and instructions about how to keep the tunnel daemon up while the system runs. Maybe it would be possible to have exim spawn an stunneld, talk to it through a socket and have it terminate automatically once the message was transmitted.

> In the + macros file (see <xref > linkend="macros"/>) add the following + </para> + <orderedlist> + > <listitem> + <simpara> + AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true + > </simpara> + <simpara> + This forces Exim to send the > username/password + unencrypted via the encrypted tunnel. +

And this also allows exim to authenticate to other hosts unencrypted. Not acceptable for the package.

Executive summary: I don't like the way you do things, and I do not consider them mature and elegant enough to be included with the package. They are fine for an external HOWTO, but I am not prepared to deal with users asking for help with the setup. I have outlined which parts of your instructions I do not like and would appreciate it if you would look after them. Maybe they can be beautified to qualify as an example to be included with the package.
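Review bot: the `self = send` block under SMARTHOST_ALLOW_SELF_SEND applies to every host the smarthost router resolves to the local machine, not only to the tunnel, and its comment does not name the precondition: it is only safe when the smarthost entry carries a port other than 25 (for example 127.0.0.1::465), because with the default port exim would be handing the message back to itself. Suggest extending the `# This might be useful if you have a secure tunnel` comment with that condition, or documenting it wherever SMARTHOST_ALLOW_SELF_SEND is meant to be set.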
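Review bot: both new .ifdef blocks in 30_exim4-config_remote_smtp_smarthost are undocumented and alter the transport shared by all smarthost deliveries: `port = REMOTE_SMTP_PORT` moves every smarthost to that port, and `hosts_require_auth = REMOTE_SMTP_HOSTS_REQUIRE_AUTH` makes exim refuse to deliver to any listed host that does not offer AUTH. Suggest dropping the port macro in favour of the host::port form in the smarthost setting (127.0.0.1::465), and, if hosts_require_auth is kept, restricting it to the tunnel address and adding a comment saying what happens when the host does not advertise AUTH.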
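Review bot: the `<simpara>` under `AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true` describes the macro as sending the password "unencrypted via the encrypted tunnel", but the macro is not tied to the tunnel: it removes the no-password-without-TLS check for every host exim authenticates to. The documentation should state that, and either tell the reader to make 127.0.0.1::465 the only configured smarthost before setting it or replace the step with a setting scoped to the tunnel's own router.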
Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
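As an added example (not code from Marc's reply, Ian's patch or the exim4 package), the tunnel setup Marc describes written out as configuration: a certificate-verifying stunnel client on 127.0.0.1:465, a debconf smarthost of 127.0.0.1::465 so the shared transport keeps its port, and the credential lookup keyed on the tunnel address. File paths, the server name mail.example.org and the credentials are assumed.

```conf
; ---- /etc/stunnel/exim-smarthost.conf (stunnel client; assumed path) ----
; exim speaks plain SMTP to this loopback listener; stunnel carries it to
; the real server inside TLS. Global options must precede the service.
client = yes
pid    = /var/run/stunnel-exim-smarthost.pid
setuid = stunnel4
setgid = stunnel4
; Require the server certificate to chain to a trusted CA; without this
; the password below goes to whoever answers on port 465 of that name.
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt

[smtps]
accept  = 127.0.0.1:465
connect = mail.example.org:465

# ---- /etc/exim4/update-exim4.conf.conf (fragment) ----
# The host::port form puts the tunnel port on the smarthost entry, so the
# shared remote_smtp_smarthost transport needs no port change.
dc_eximconfig_configtype='smarthost'
dc_smarthost='127.0.0.1::465'

# ---- /etc/exim4/passwd.client ----
# exim looks the login up by the host it connects to ($host), which is the
# tunnel address, not mail.example.org. Constructed credentials.
127.0.0.1:smtpuser:s3cret-password

# ---- /etc/exim4/exim4.conf.localmacros ----
# From exim's point of view the loopback hop is plain SMTP, so the Debian
# configuration will not send the password unless this macro is defined.
# It is global: it allows plaintext authentication to every host exim
# delivers to, so keep 127.0.0.1::465 as the only configured smarthost.
AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true
```

Debian's stunnel4 init script starts every /etc/stunnel/*.conf at boot once ENABLED=1 is set in /etc/default/stunnel4, which keeps the tunnel daemon up across reboots; run update-exim4.conf and restart exim4 after changing the exim side.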