Bug#430057: exim4-config: Some macros and documentation to facilitate easier config of SMTP AUTH

Fri Jun 22 16:08:46 UTC 2007

On Fri, Jun 22, 2007 at 12:31:45PM +1000, Ian Wienand wrote:
> I wrote a blog post about getting exim to use SMTP AUTH over a secure
> tunnel, and it has elicited several responses.  Clearly there is a
> need for the package to do this.

I disagree. SMTP-over-SSL is a non-standardized protocol, only
Microsoft clients use it, only braindead ISPs offer it as the only
method of access, and TCP/465 has recently been assigned by IANA to a
service that is _NOT_ SMTP-over-SSL because Microsof hijacked the port
without properly registering it. I do _NOT_ think that the Debian
package should allow this abuse out-of-the-box.

I am willing, though, to document this as an example.

> +.ifdef SMARTHOST_ALLOW_SELF_SEND
> +  # Setting this allows exim to use localhost as a smarthost
> +  # This might be useful if you have a secure tunnel
> +  # to a remote SMTP server (on another port) on your local machine
> +  self = send
> +.endif
>    no_more

This can probably be circumvented by putting a second address (for
example 127.0.1.1) on lo, and use this address for the target. I need
to try that.

> diff -ur ../exim4-4.67/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost ./debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost
> --- ../exim4-4.67/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost	2007-06-22 11:28:21.000000000 +1000
> +++ ./debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost	2007-06-22 12:21:32.000000000 +1000
> @@ -25,3 +25,9 @@
>  .ifdef REMOTE_SMTP_RETURN_PATH
>    return_path = REMOTE_SMTP_RETURN_PATH
>  .endif
> +.ifdef REMOTE_SMTP_HOSTS_REQUIRE_AUTH
> +  hosts_require_auth = REMOTE_SMTP_HOSTS_REQUIRE_AUTH
> +.endif
> +.ifdef REMOTE_SMTP_PORT
> +  port = REMOTE_SMTP_PORT
> +.endif

This modifies the _main_ smarthost router which I do not find
acceptable. The example should establish its own
remote_smtp_smarthost_smtp_over_ssl router. The port can now natively
handled in debconf by specifying 127.0.0.1::465 as smarthost (see man
update-exim4.conf.conf). Additionally, I don't see the need for
hosts_require_auth. If the remote host advertises SMTP AUTH, and exim
has a password for this host,  it will automatically try to
authenticate.

> +          Then, open a tunnel to the remote mail server using a tool
> +          such as <filename>stunnel</filename> (this usually tunnels
> +          port 465).

Please give an example commandline, and instructions about how to keep
the tunnel daemon up while the system runs.

Maybe it would be possible to have exim spawn an stunneld, talk to it
through a socket and have it terminate automatically once the message
was transmitted.

>   In the + macros file (see <xref
>   linkend="macros"/>) add the following + </para> + <orderedlist> +
>   <listitem> + <simpara> + AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true +
>   </simpara> + <simpara> + This forces Exim to send the
>   username/password + unencrypted via the encrypted tunnel. +

And this also allows exim to authenticate to other hosts unencrypted.
Not acceptable for the package.

Executive summary: I don't like the way do things, and I do not
consider them mature and elegant enough to be included with the
package. They are fine for an external HOWTO, but I am not prepared to
deal with users asking for help with the setup.

I have outlined which parts of your instructions I do not like and
would appreciate if you would look after them. Maybe they can be
beautified to qualify as example to be included with the package.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190