10-05-2008, 09:29 PM
"Thomas H. George"

exim4 authentication in etch? - SUCCESS!

Thomas H. George wrote:
> P. Lane wrote:
> > On Fri, Oct 03, 2008 at 05:56:35PM -0400, Thomas H. George wrote:
> > > Tried *:my-user-name:my-password with the same result:
> > > Authentication Required.
> > >
> > > Pored through the /usr/share/doc/exim4 documentation (also
> > > exim4-base and exim4-config) which insist there is a file
> > > exim4-conf-localmacros which can be set to modify line 1895 .ifndef
> > > AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS in the exim4-conf-template file.
> > > I have done all sorts of searches for exim4-conf-localmacros without
> > > success but there is a directory /etc/exim4/conf.d/auth which
> > > contains a dummy file 00_exim4-config_header and a file
> > > 30_exim4-config_examples duplicating the relevant section of the
> > > exim-conf-template file. If this is what is meant to be a macro I
> > > don't know how to use it. I tried brute force - i.e. changing line
> > > 1895 to AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true. update-exim4.conf
> > > did not like this.
> > >
> > > Tom
> >
> > Hello, I went through this also as I have Verizon as outgoing smarthost.
> > If you are using the single config file option for creating your
> > template you will have to create the "exim4.conf.localmacros" file
> > with the line
> > AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true
> > Save it to the /etc/exim4 directory with root permissions and then
> > run update-exim4.conf.
>
> This sounds right to me but I haven't got it to work. I created the
> file exim4.conf.localmacros with root:root ownership and xrw
> permissions containing just the line
>
> AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true
>
> and ran update-exim4.conf. I expected it to modify the two lines in
> exim4.conf.template which read
>
> .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
>
> but they are unchanged and when trying to send mail with exim4 I still
> get authentication required.
>
> Tom



I found I had to add two lines to the macro:

|MAIN_TLS_ENABLE = true|
|AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS=yes|

after which I stopped exim4, ran update-exim4.conf and restarted exim4.
After this exim4 successfully sent a message.


In the process I finally understood that the macro causes
update-exim4.conf to modify the /var/lib/exim4/config.autogenerated file
rather than the exim4.conf.template file. Neat. As the Dean of the
Physics Dept (a theoretical physicist) used to say, "Dumb but a plodder."


Tom


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
10-06-2008, 10:45 PM
Chris Davies

exim4 authentication in etch? - SUCCESS!

Thomas H. George <lists@tomgeorge.info> wrote:
> I found I had to add two lines to the macro:

> |MAIN_TLS_ENABLE = true|
> |AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS=yes|

> after which I stopped exim4, ran update-exim4.conf and restarted exim4.
> After this exim4 successfully sent a message.

What you've done there is to enable TLS (encryption), but then
immediately say that you're happy not to use encryption to protect
your username/password combination. If you're happy exposing your
authentication credentials this will work fine. I wouldn't be.

Chris
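
An added example, not part of any poster's message: a shell check for the setting discussed above. It flags any definition of AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS, because the `.ifndef` test quoted earlier in the thread looks only at whether the name is defined, not at its value. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag cleartext-password opt-ins in
# Debian exim4 macro files. Function names are hypothetical.
MACRO=AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS

# Succeeds if FILE defines $MACRO on an uncommented line. Both "NAME = value"
# and the redefinition form "NAME == value" match.
macro_defined() {
    [ -r "$1" ] && grep -Eq "^[[:space:]]*${MACRO}[[:space:]]*=" "$1"
}

# Prints one finding per file; returns the number of files defining $MACRO.
audit_exim_macros() {
    hits=0
    for f in "$@"; do
        if macro_defined "$f"; then
            # .ifndef asks only whether the name exists, so "= false"
            # opts in exactly like "= true" or "=yes".
            value=$(sed -n "s/^[[:space:]]*${MACRO}[[:space:]]*==*[[:space:]]*//p" "$f" | head -n 1)
            echo "WARN $f: $MACRO is defined (value '$value' is not examined by .ifndef)"
            hits=$((hits + 1))
        else
            echo "ok   $f: $MACRO not defined"
        fi
    done
    return "$hits"
}

# Constructed sample files standing in for /etc/exim4/exim4.conf.localmacros.
demo=$(mktemp -d)
printf 'MAIN_TLS_ENABLE = true\nAUTH_CLIENT_ALLOW_NOTLS_PASSWORDS=yes\n' > "$demo/as_posted"
printf 'MAIN_TLS_ENABLE = true\nAUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = false\n' > "$demo/set_false"
printf 'MAIN_TLS_ENABLE = true\n# AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true\n' > "$demo/tls_only"
audit_exim_macros "$demo/as_posted" "$demo/set_false" "$demo/tls_only" || true
```

On a real system, pass the file paths named in the thread instead of the constructed samples.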


 
10-07-2008, 02:47 AM
"s. keeling"

exim4 authentication in etch? - SUCCESS!

Chris Davies <chris-usenet@roaima.co.uk>:
> Thomas H. George <lists@tomgeorge.info> wrote:
> > I found I had to add two lines to the macro:
>
> > |MAIN_TLS_ENABLE = true|
> > |AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS=yes|
>
> > after which I stopped exim4, ran update-exim4.conf and restarted exim4.
> > After this exim4 successfully sent a message.
>
> What you've done there is to enable TLS (encryption), but then
> immediately say that you're happy not to use encryption to protect
> your username/password combination. If you're happy exposing your
> authentication credentials this will work fine. I wouldn't be.

So, the answer is to avoid providers who require this? Or is there
any alternative action he could employ?


--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://blinkynet.net/comp/uip5.html Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.


 
10-07-2008, 09:57 AM
Chris Davies

exim4 authentication in etch? - SUCCESS!

Thomas H. George <lists@tomgeorge.info> wrote:
> |MAIN_TLS_ENABLE = true|
> |AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS=yes|

Chris Davies <chris-usenet@roaima.co.uk>:
> What you've done there is to enable TLS (encryption), but then
> immediately say that you're happy not to use encryption to protect
> your username/password combination.

s. keeling <keeling@nucleus.com> wrote:
> So, the answer is to avoid providers who require this? Or is there
> any alternative action he could employ?

Fair question. Re-reading the exim4 configuration code again, I can see
that MAIN_TLS_ENABLE is required. (Without it, it seems that none of
the certificate configuration settings is included.) I forgot to mention
this in my original suggestion because I've had it enabled for so long.

I'm still puzzled why the OP needs the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
setting, which I also have mis-represented above. For correction, it
allows inbound client connections to one's own server to use passwords
without TLS encryption.

Chris


 
10-07-2008, 02:22 PM
"Thomas H. George"

exim4 authentication in etch? - SUCCESS!

Chris Davies wrote:
> Thomas H. George <lists@tomgeorge.info> wrote:
> > |MAIN_TLS_ENABLE = true|
> > |AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS=yes|
>
> Chris Davies <chris-usenet@roaima.co.uk>:
> > What you've done there is to enable TLS (encryption), but then
> > immediately say that you're happy not to use encryption to protect
> > your username/password combination.
>
> s. keeling <keeling@nucleus.com> wrote:
> > So, the answer is to avoid providers who require this? Or is there
> > any alternative action he could employ?
>
> Fair question. Re-reading the exim4 configuration code again, I can see
> that MAIN_TLS_ENABLE is required. (Without it, it seems that none of
> the certificate configuration settings is included.) I forgot to mention
> this in my original suggestion because I've had it enabled for so long
>
> I'm still puzzled why the OP needs the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
> setting, which I also have mis-represented above. For correction, it
> allows inbound client connections to one's own server to use passwords
> without TLS encryption.


This discussion makes me wonder about the iceape use of the
username/password combination. For iceape it is simple and easy to
enter the information yet for me the exim4 setup required a lot of
research which suggests possible security issues. First, is there a
security issue? I am only providing the username/password without TLS
when specifically addressing the Verizon server and asking access to the
internet to send a message. To collect messages from my ISP I do not
need to do this. For example, the fetchmail setup required the ISP
username and password and then retrieved messages before I ever
configured exim4. In fact, I only tried to configure and use exim4
because I rather liked using fetchmail and mutt to read postings to the
debian-user list. As long as I am just reading the postings nothing
more needs to be done. It is only when I wish to reply to the list from
mutt that exim4 is required. If, instead, I abandon fetchmail and mutt
and use iceape to read and reply to postings I never need exim4 at all.


Should I worry about this?

Tom


 
10-07-2008, 03:02 PM
Andrei Popescu

exim4 authentication in etch? - SUCCESS!

On Tue,07.Oct.08, 10:22:18, Thomas H. George wrote:

[snip security concerns]

> Should I worry about this?

The SMTP (used by exim) and POP (used by fetchmail) protocols are not
very secure by default, which is probably one of the reasons we now have
such a huge problem with spam. Only recently more and more ISPs are
using the option to tunnel these protocols inside an encrypted
connection (SSL, TLS, whatever).

I'm not familiar with Iceape, but as far as I know, most GUI mail
clients will default to using non-secure connections, unless
specifically configured to use secure connections (but the server has to
support it as well). This means that anyone on the internet can "listen"
to the traffic between you and the server and snoop your passwords and
the entire mails.

OTOH, you are just another needle in a huge haystack and I doubt anyone
(except maybe the NSA or similar entities) has the means to watch all
such traffic.

Personally I do appreciate when the ISPs are using the security options
available, even if it's just to cut down on the spam.

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
 
10-08-2008, 03:40 PM
"Thomas H. George"

exim4 authentication in etch? - SUCCESS!

Andrei Popescu wrote:
> On Tue,07.Oct.08, 10:22:18, Thomas H. George wrote:
>
> [snip security concerns]
>
> > Should I worry about this?
>
> The SMTP (used by exim) and POP (used by fetchmail) protocols are not
> very secure by default, which is probably one of the reasons we now have
> such a huge problem with spam. Only recently more and more ISPs are
> using the option to tunnel these protocols inside an encrypted
> connection (SSL, TLS, whatever).
>
> I'm not familiar with Iceape, but as far as I know, most GUI mail
> clients will default to using non-secure connections, unless
> specifically configured to use secure connections (but the server has to
> support it as well).

Iceape server security settings offer a choice of Never, TLS-if available,
TLS, SSL and an additional check box to require secure authentication. -
Tom

> This means that anyone on the internet can "listen"
> to the traffic between you and the server and snoop your passwords and
> the entire mails.
>
> OTOH, you are just another needle in a huge haystack and I doubt anyone
> (except maybe the NSA or similar entities) has the means to watch all
> such traffic.
>
> Personally I do appreciate when the ISPs are using the security options
> available, even if it's just to cut down on the spam.
>
> Regards,
> Andrei



