Bug#314296: Re: Bug#314296: exim4 NOT verifying server certificate
Quoting Marc Haber <[EMAIL PROTECTED]>:

> Take a look at the bug reports against exim4, and see what scenarios
> we have to worry about. Roommates sharing a mail server, using
> different freemailers which all of them demand that their addresses
> get relayed through their smarthosts are quite common, and this is a
> case where your setup breaks.

That's why I am suggesting adding a macro, instead of hardcoding the option in the smarthost transport definition. Users can easily enable verification of server certificate by adding the macro to exim4.conf.localmacros.

It will be an even better idea if debconf can offer a check box on the smarthost prompt screen for enabling server certificate verification.

Wenzhuo
Bug#314296: Re: Bug#314296: exim4 NOT verifying server certificate
On Sun, Jun 19, 2005 at 01:29:57AM +0200, Marc Haber wrote:

> SMTP AUTH over TLS with actual verification of the server certificate
> is not very common nowadays.

Most MUA programs will verify the server certificate if you ever enable TLS.

> Where should the package automatically obtain the CA certificate to
> verify the server against? How to handle the case of delivering two

MAIN_TLS_VERIFY_CERTIFICATES.

> different smarthost, one of them having a self-signed certificate?

Since we're talking about the Debian package and its configuration utility, do we have to worry about complicated scenarios?

Regards,
Wenzhuo

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#314296: Re: Bug#314296: exim4 NOT verifying server certificate
On Sat, Jun 18, 2005 at 10:59:37AM +0200, Marc Haber wrote:

> As Andreas spotted correctly, conf.d/main/03_exim4-config_tlsoptions
> only controls verification of the client certificates. For server
> certificate checking, you need to add the configuration option to the
> SMTP transport.
>
> I am reluctant to add infrastructure for this to the default
> configuration, since this is quite rarely used, and could break mail
> delivery.

My personal experiences tell me that SMTP AUTH over TLS is a very common setup.

> I have, however, clarified the documentation in
> conf.d/main/03_exim4-config_tlsoptions to clearly say that this option
> here only concerned client certificates and added a hint where to
> configure server certificate verification.

How about adding a macro, say MAIN_TLS_VERIFY_SMARTHOST, to conf.d/transport/30_exim4-config_remote_smtp_smarthost?

> The SMTP account you have created is therefore not needed any more and
> can be removed.

I'll leave it there for the moment. Forgot to tell you last time that the CA certificate is available at http://mail.linux-vs.org/cacert.crt.

> If there is anything more we can do for you, please feel free to
> re-open the bug that Andreas closed.

Thanks,
Wenzhuo
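
Added example, not part of the thread and not code from the exim4 package: a small audit that applies the distinction stated above, flagging smtp transports that carry no tls_verify_certificates of their own even when the main section sets one. The sample configuration, the transport names in it and the function names are constructed for illustration.

```python
import re

# Constructed sample (not the reporter's file): the CA is set in the main
# section only; the smarthost transport has no verification option.
CONF_BEFORE = """\
tls_verify_certificates = /etc/exim4/cacert.crt
tls_verify_hosts = mail.linux-vs.org
begin transports
remote_smtp_smarthost:
  driver = smtp
local_delivery:
  driver = appendfile
"""
# Same sample with the option added on the SMTP transport itself.
CONF_AFTER = CONF_BEFORE.replace(
    "  driver = smtp\n",
    "  driver = smtp\n  tls_verify_certificates = /etc/exim4/cacert.crt\n")

def parse_exim_conf(text):
    """Split a config into main-section options and per-transport options.
    Simplification: ignores backslash continuations and conditionals."""
    main, transports, section, current = {}, {}, "main", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        begin = re.match(r"begin\s+(\w+)$", line)
        if begin:
            section, current = begin.group(1), None
        elif section == "transports" and re.match(r"\w+:$", line):
            current = transports.setdefault(line[:-1], {})
        elif "=" in line:
            key, _, value = line.partition("=")
            target = main if section == "main" else current
            if target is not None:
                target[key.strip()] = value.strip()
    return main, transports

def unverified_smtp_transports(text):
    """Return (transport, reason) for smtp transports lacking their own CA setting."""
    main, transports = parse_exim_conf(text)
    findings = []
    for name, opts in transports.items():
        if opts.get("driver") == "smtp" and "tls_verify_certificates" not in opts:
            reason = ("CA set in main section only (client certificates)"
                      if "tls_verify_certificates" in main else "no CA configured")
            findings.append((name, reason))
    return findings

if __name__ == "__main__":
    print(unverified_smtp_transports(CONF_BEFORE))
    print(unverified_smtp_transports(CONF_AFTER))
```

On a Debian system the file to feed it would be the generated configuration named in the bug report, /var/lib/exim4/config.autogenerated.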
Bug#314296: exim4 NOT verifying server certificate
On Thu, Jun 16, 2005 at 01:04:30AM +0200, Marc Haber wrote:

> > Isn't tls_verify_certificates supposed to verify the server certificate
> > as well?
>
> It should. However, that code is not very well tested. Can you give me
> an SMTP AUTH account on the smarthost to try it myself?

Sure. The SMTP server supports PLAIN/LOGIN authentication mechanisms over TLS. The username of the test account is "debian". I'll send you the password through another message. You can forward it to other Debian developers.

Regards,
Wenzhuo
Bug#314296: exim4 NOT verifying server certificate
Package: exim4
Version: 4.50-8
Severity: important

The Postfix smarthost allows relay only if clients successfully authenticate (SMTP AUTH) through a TLS session. If it's a plain-text session, SMTP clients won't be able to authenticate. The SSL certificate of the smarthost is signed by a do-it-yourself CA.

exim4 client can relay through the smarthost, and I have the following entries in /etc/exim4/exim4.conf.localmacros:

  MAIN_TLS_VERIFY_CERTIFICATES = /etc/exim4/cacert.crt
  MAIN_TLS_VERIFY_HOSTS = mail.linux-vs.org

/etc/exim4/cacert.crt is the certificate of the do-it-yourself CA. However, even after I replace it with a random authorized CA certificate and restart the exim4 daemon, the exim4 client can still relay through the smarthost.

Isn't tls_verify_certificates supposed to verify the server certificate as well?

Wenzhuo

-- Package-specific info:
Exim version 4.50 #1 built 27-May-2005 08:08:19
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Support for: iconv() IPv6 GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /var/lib/exim4/config.autogenerated

# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to replace
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='thinkpad.zhmail.com'
dc_local_interfaces='127.0.0.1'
dc_readhost='zhmail.com'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='mail.linux-vs.org'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
mailname:thinkpad.zhmail.com

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.31-t20.1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages exim4 depends on:
ii  exim4-base          4.50-8  support files for all exim MTA (v4
ii  exim4-daemon-light  4.50-8  lightweight exim MTA (v4) daemon

-- no debconf information
Bug#312694: scim does not get loaded automatically under zh_CN locale
Hi, Ming Hua

On Fri, Jun 10, 2005 at 07:05:55PM -0500, Ming Hua wrote:

> I can reproduce this, however it's not a bug in scim per se, but rather
> the expected behaviour with no special settings for scim.
>
> When you say that scim works in C locale, did you ever really try to use
> it to input Chinese (instead of, say, just press Ctrl-space and see the
> panel). On most applications input method won't work in C locale, the
> only exception I know is gedit.

Yes, I tried inputting Chinese in Gimp, Firefox, Gnome Terminal, and didn't experience any problem.

> The reason for such behaviour is that with C or en_US locale, the GTK IM
> module will be "scim" since you have scim-gtk2-immodule installed. In
> such case scim will be automatically started in GTK2 applications,
> therefore you can see the scim panel when pressing Ctrl-space.
>
> However in a zh_CN locale, the GTK IM module will be "xim". In such
> case you can still use scim, but it won't be automatically started. To
> use scim with XIM, you need to set XMODIFIERS environment variable, and
> start up scim manually (or in some startup scripts, ~/.gnomerc for
> example).

OK, I get it. However, I believe the following two features are very much needed to make Debian an easy-to-use Chinese desktop environment:

- Chinese input works by default (no manual configuration required), provided that a Chinese input server is installed.
- Easy selection of a default Chinese input engine when there are two or more installed.

> All these configuration details are well written in
> /usr/share/doc/scim/README.Debian.gz. Please read that document
> carefully. If you still have questions, please follow up this bug.

Thanks for the pointer. I should have read it before reporting this bug. Among the various alternative methods described in the README, running "set-m17n-env" as a normal user is the simplest solution to my problem.

> > I first noticed this problem when upgrading one machine from woody to
> > sarge, and reproduced it in another machine using the above fresh
> > installation procedure.
>
> I don't really understand this, since scim and related package are not
> in woody at all. How can you have this problem when upgrading from
> woody to sarge? Maybe scim is pulled in by Chinese localization task?

Yes, I installed scim by installing the Chinese localization tasks.

Wenzhuo
Bug#312694: scim does not get loaded automatically under zh_CN locale
Package: scim
Version: 1.0.2-3
Severity: important

Steps to reproduce the problem:

1. Fresh install from netinst CD 3.1r0a, install Desktop environment task.
2. Install the Simplified Chinese desktop task and the Simplified Chinese environment task using aptitude.
3. Regenerate relevant locales by typing "dpkg-reconfigure locales".
4. Enter Gnome after choosing language. Check if scim works by pressing Ctrl-Space.

Result:

Scim works in Gnome under en_US or C locale: Press Ctrl-Space, and scim panel appears and Chinese input works. But scim does not get loaded automatically under zh_CN locale: no running scim processes at all.

I first noticed this problem when upgrading one machine from woody to sarge, and reproduced it in another machine using the above fresh installation procedure.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-386
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages scim depends on:
ii  libatk1.0-0    1.8.0-4          The ATK accessibility toolkit
ii  libc6          2.3.2.ds1-22     GNU C Library: Shared libraries an
ii  libgcc1        1:3.4.3-13       GCC support library
ii  libglib2.0-0   2.6.4-1          The GLib library of C routines
ii  libgtk2.0-0    2.6.4-3          The GTK+ graphical user interface
ii  libpango1.0-0  1.8.1-1          Layout and rendering of internatio
ii  libstdc++5     1:3.3.5-13       The GNU Standard C++ Library v3
ii  libx11-6       4.3.0.dfsg.1-14  X Window System protocol client li
ii  xlibs          4.3.0.dfsg.1-14  X Keyboard Extension (XKB) configu

-- no debconf information