Thanks Dustin, but I don't think I explained the problem very well.


Surprisingly, Outlook doesn't seem to be the issue here - I have all of my
Outlook clients configured to use TLS/SSL with the Exim server and it is
working fine.  What I need to do is have Exim not require TLS/SSL at all if
the connection is made from the localhost - SquirrelMail doesn't like the
STARTTLS command (this is documented; support for STARTTLS is in the
experimental build right now), so it needs clear text AUTH LOGIN - it's on
the same machine as Exim, and Apache is configured with SSL, so I'm not
worried about clear text from SquirrelMail to Exim.

I have found the MAIN_TLS_ADVERTISE_HOSTS setting in the Exim config file,
setting it to ! <server's ip> seems to effectively bypass TLS/SSL for
connections from the localhost and forces TLS/SSL for connections from
remote clients.


All well and good so far, but I need Exim to advertise the AUTH LOGIN at the
proper time:

1)      Immediately if from localhost

2)      After the TLS/SSL session is established if from remote

I can only get one or the other:

1)      Setting server_advertise_condition = 1 will advertise it all the
time - this allows SquirrelMail to auth in clear text, but it seems to give
remote connections a choice - either auth in clear immediately or start a
TLS/SSL session and then auth (with this setting, I've been able to connect
with Outlook both with and without TLS/SSL turned on in Outlook)

2)      Setting server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
will only advertise it if the TLS/SSL session is established; this forces
all connections to wait for the TLS/SSL session before they can auth - since
TLS/SSL is not active for localhost, SquirrelMail can never auth (with this
setting, Outlook will only connect if TLS/SSL is turned on in Outlook)

What I'm looking for is a way to set server_advertise_condition so that
AUTH LOGIN is advertised immediately for localhost but only after a TLS/SSL
session is established for remote.

I'm thinking what I need is server_advertise_condition = ((${if
eq{$tls_cipher}{}{}{*}}) or (connected from localhost)), I just can't
figure out how to write the "or (connected from localhost)" part.

I've looked through the bug list for the experimental build of SquirrelMail;
there doesn't seem to be anything major - if I can't get this
server_advertise_condition setting straight, I may just install the
experimental, but I'd rather not since it is experimental and also requires
upgrades of other packages on the server.

James

From: [email protected] [mailto:[email protected]] On Behalf
Of Dustin Puryear
Sent: Thursday, June 04, 2009 2:17 PM
To: [email protected]
Subject: Re: [brlug-general] Exim4 + SquirrelMail

In Outlook, just enable SMTP AUTH in your POP3 or IMAP server configuration.
Ditto for.. Oh. I just looked. I'm not sure it does TLS. Outlook may just
support SSL.

--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices/ 

From: [email protected] [mailto:[email protected]] On Behalf
Of James Kuhns
Sent: Wednesday, June 03, 2009 5:07 PM
To: [email protected]
Subject: [brlug-general] Exim4 + SquirrelMail

Since SquirrelMail doesn't yet support STARTTLS outside of experimental,
does anyone know how to get Exim4 on Debian Lenny set up so that:

1)      remote clients (such as Outlook) have to connect using AUTH LOGIN
through a TLS connection to send

2)      SquirrelMail on the same box as Exim4 can send with an AUTH LOGIN in
clear text

I can get one or the other working.

I set MAIN_TLS_ADVERTISE_HOSTS = ! <machine ip here>; to get #1 to work I
set server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}, to get #2 to
work I just set server_advertise_condition = 1 (I know this is not correct, I
just wanted to test that SquirrelMail was working with AUTH LOGIN in clear
text.)

In case #1, I get the PIPELINING and STARTTLS advertisements after the EHLO
from remote clients (which work correctly); SquirrelMail from localhost only
gets the PIPELINING advertisement and cannot auth.  I need to get an AUTH
LOGIN for localhost.

In case #2 I get PIPELINING and AUTH LOGIN after EHLO for both remote and
local clients.  This lets SquirrelMail connect, but it also lets remote
clients in using clear text (since I'm not limiting it to localhost).

I'm guessing what I need is server_advertise_condition = ${if
eq{$tls_cipher}{}{}{*}} or if connected from localhost, I just can't figure
out how to write the "or if connected from localhost" part.

Any help would be appreciated.

James
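One way to write the "or if connected from localhost" part, as an added example that is not from anyone in this thread. It assumes Debian's split exim4 configuration with a plaintext LOGIN authenticator; the stanza name and the CONFDIR/passwd file layout are assumptions, adapt them to the real config.

```exim
# Added example, not from this thread: a LOGIN authenticator for Debian's
# split exim4 config (e.g. /etc/exim4/conf.d/auth/30_exim4-config_examples).
# AUTH LOGIN is advertised to connections arriving from one of this host's
# own addresses, and to every other peer only after STARTTLS has completed.
# The stanza name and the password file layout are assumptions.
login_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"

  # Debian's stock condition is ${if eq{$tls_cipher}{}{}{*}} (TLS only).
  # "or" takes a brace-delimited list of conditions:
  #   def:tls_cipher  - true once a TLS cipher is in use on this connection
  #   match_ip        - true when the peer address is in the host list;
  #                     @[] stands for all of the local host's interface
  #                     addresses, so it also covers SquirrelMail reaching
  #                     Exim through the machine's public IP, not 127.0.0.1
  # "<;" switches the list separator to ";" because ::1 contains colons.
  # ${if ...} with no yes/no strings expands to "true" or "false"; anything
  # other than empty, 0, no or false makes Exim advertise the authenticator.
  server_advertise_condition = ${if or{ \
      {def:tls_cipher} \
      {match_ip{$sender_host_address}{<; 127.0.0.1 ; ::1 ; @[]}} \
    }}

  # Password check in Debian's style: CONFDIR/passwd holds lines of
  # "user:crypted-password:cleartext-password" (assumption about the layout).
  server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $auth1
```

`exim4 -bh 127.0.0.1` (and `-bh` with a remote address) runs a fake SMTP session as that peer without accepting or delivering anything, so typing `EHLO test` into each session shows whether AUTH LOGIN appears in the response before any STARTTLS.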


_______________________________________________
General mailing list
[email protected]
http://mail.brlug.net/mailman/listinfo/general_brlug.net
