Wiki

User Tools

Site Tools

Trace:
exim4:enable_smtp-auth_with_pam

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
exim4:enable_smtp-auth_with_pam [2016/11/07 14:19] peterexim4:enable_smtp-auth_with_pam [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 10: Line 10:
 ===== Configuring exim ===== ===== Configuring exim =====
  
-<file>+<file bash /etc/exim4/exim4.conf.template>
 tls_advertise_hosts = * tls_advertise_hosts = *
 +</file>
 +
 +Make sure authentication is only enabled on an encrypted connection.  This is due to the fact that passwords would otherwise be sent in clear text:
 +
 +<file bash /etc/exim4/exim4.conf.template>
 auth_advertise_hosts = ${if def:tls_in_cipher {*}{}} auth_advertise_hosts = ${if def:tls_in_cipher {*}{}}
 +</file>
 +
 +and 
  
 +<file bash /etc/exim4/exim4.conf.template>
 begin authenticators begin authenticators
  
Line 29: Line 38:
 </file> </file>
  
 +Add or modify the following
 +
 +<file bash /etc/exim4/exim4.conf.template>
 +begin authenticators
 +
 +#########################################################################
 +plain_server:
 +
 +  # This authenticator implements the PLAIN authentication mechanism
 +  # (RFC2595).  Since the password is transmitted essentially as clear
 +  # text, a user can only authenticate if the session is encrypted using
 +  # TLS.  The user name and password is first checked against
 +  # /etc/exim4/passwd, then against the system database using PAM (in
 +  # that order).
 +
 +  driver                     = plaintext
 +  public_name                = PLAIN
 +  server_advertise_condition = ${if eq{$tls_cipher}{}{false}{true}}
 +  server_prompts             = :
 +  server_set_id              = $auth2
 +
 +  server_condition           = "\
 +        ${if exists{CONFDIR/passwd}\
 +          {${lookup{$auth2}lsearch{CONFDIR/passwd}\
 +            {${if crypteq{$auth3}{\\\{md5\\\}${extract{1}{:}{$value}{$value}fail}}\
 +              {true}{false} }}\
 +            {${if pam{$auth2:${sg{$auth3}{:}{::}} }\
 +              {true}{false}} } }}\
 +          {${if pam{$auth2:${sg{$auth3}{:}{::}} }\
 +            {true}{false}} }}"
 +
 +#########################################################################
 +login_server:
 +
 +  # This authenticator implements the LOGIN authentication mechanism.
 +  # Since the password is transmitted essentially as clear text, a user
 +  # can only authenticate if the session is encrypted using TLS.  The
 +  # user name and password is first checked against /etc/exim4/passwd,
 +  # then against the system database using PAM (in that order).
 +
 +  driver                     = plaintext
 +  public_name                = LOGIN
 +  server_advertise_condition = ${if eq{$tls_cipher}{}{false}{true}}
 +  server_prompts             = Username:: : Password::
 +  server_set_id              = $auth1
 +  server_condition           = "\
 +        ${if exists{CONFDIR/passwd}\
 +          {${lookup{$1}lsearch{CONFDIR/passwd}\
 +            {${if crypteq{$auth2}{\\\{md5\\\}${extract{1}{:}{$value}{$value}fail}}\
 +              {true}{false} }}\
 +            {${if pam{$auth1:${sg{$auth2}{:}{::}} }\
 +              {true}{false}} } }}\
 +          {${if pam{$auth1:${sg{$auth2}{:}{::}} }\
 +            {true}{false}} }}"
 +</file>            
 +
 +
 +<WRAP caution>
 +**NOTE**:  It's important to use \\\{md5\\\} instead of \{md5\} in the crypteq function.
 +</WRAP>
 ===== PAM config ===== ===== PAM config =====
  
Line 50: Line 119:
 535 Incorrect authentication data (set_id='userid') 535 Incorrect authentication data (set_id='userid')
 </code> </code>
 +
 +
 +===== Configuring /etc/exim4/passwd =====
 +
 +
 +<file bash /etc/exim4/passwd>
 +#########################################################################
 +#    /etc/exim4/passwd: Client Passwords for Mail Submission to Exim    #
 +#########################################################################
 +
 +# This file allows a user to authenticate a mail submission to the Exim
 +# MTA without using their system password (found in /etc/shadow).
 +#
 +# Each line of this file should contain a "user:password:comment" field,
 +# where the password is encrypted using MD5 and encoded as a hexadecimal
 +# string.  Please note that this format is NOT the same as is used by
 +# /etc/shadow!  You can disable a user from ever sending (authenticated)
 +# messages by using "*" as the password.
 +#
 +# You can use the following Perl command line to generate the password:
 +#
 +#  perl -MDigest::MD5=md5_hex -e 'print md5_hex($ARGV[0]),"\n"' password
 +#
 +# (replace "password" with your password, of course).
 +
 +####################
 +#   System users   #
 +####################
 +
 +root:*:
 +
 +###################
 +#   Local users   #
 +###################
 +
 +#test:68772f0946d616e78f18452f84e39da7:Test#Password#01a
 +</file>
 +
 +The easiest way to generate a password is to use the Digest::MD5 package with Perl:
 +
 +<code bash>
 +perl -MDigest::MD5=md5_hex -e 'print md5_hex($ARGV[0]),"\n"' password
 +</code>
 +
 +Simply replace **password** with your password.
 +
 +
 +<WRAP notice>
 +**NOTE**:  The Perl **md5_base64** function is not compatible with Exim's **crypteq**: the former generates a 22-character string, the latter expects a 24-character string (i.e., it expects two additional characters, ==, on the end of the string).
 +</WRAP>
 +
  
  
exim4/enable_smtp-auth_with_pam.1478528368.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki