[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: how to verify which clients are using start_tls
Today at 3:47pm, Bradley W. Langhorst wrote:
> I'm using "ssl start_tls" instead of "ssl on" because I want to allow
> connections by mail clients, etc for access to non-sensitve information.
>
> I don't want any authenticated access happening in the clear but I don't
> know how to enforce that policy.
I'm using the ssf= parameter in my acl on userpassword as follows:
access to attr=userpassword
by ssf=112 anonymous auth
by * none
I dunno if that is the best way, since it does allow the client to send
the bind in the clear, it just refuses to allow it to authenticate.
However, the fact the client sent it means some nasty person could have
seen it.
--
Frank Swasey | http://www.uvm.edu/~fcs
Systems Programmer | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
=== God Bless Us All ===