Nigel Metheringham edited this page Nov 29, 2012 · 2 revisions

Q0741

Question

How can I get Outlook Express to use TLS when authenticating?

Answer

If you check auth required in OE, it will authenticate as soon as it sees AUTH LOGIN, in preference to STARTTLS. The trick is to advertise things to OE in a certain order. The first EHLO should advertise STARTTLS but not AUTH, and only the second EHLO (after TLS starts) should advert AUTH. One way of achieving this is to put, in the main section of your Exim configuration:

auth_advertise_hosts = ${if eq{$tls_cipher}{}{127.0.0.1}{*}}

This means that the only host to which AUTH is advertised is 127.0.0.1 when the session is not encrypted (that is, before TLS has started). The idea here is that there's no need for encryption for anything coming via the loopback interface. For an encrypted session, however, AUTH is advertised to all hosts. You can also block the AUTH command itself for unencrypted connections, by creating an ACL for acl_smtp_auth that is something like this:

accept  encrypted = *
accept  hosts = 127.0.0.1
deny    message = TLS encryption required before AUTH

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.