725c9874 |
1 | |
2 | ### auth/30_exim4-config_examples |
3 | ################################# |
4 | |
5 | # The examples below are for server side authentication |
6 | |
7 | # They allow two styles of plain-text authentication against a |
8 | # CONFDIR/passwd file which should have user names in the first column |
9 | # and crypted passwords in the second. The columns need to be separated |
10 | # by ':'. Please note that apache's htpasswd program generates a file |
11 | # in the correct format, but uses a different crypt scheme. So, |
12 | # htpasswd will _NOT_ work for exim4. |
13 | |
14 | # For CRAM-MD5 exim needs access to the UNENCRYPTED passwd - the example |
15 | # below assumes it is available in the third column of CONFDIR/passwd. Since that column holds clear-text secrets, the file must not be readable by other local users. |
16 | |
17 | # Hosts that are allowed to use AUTH are defined by the |
18 | # auth_advertise_hosts option in the main configuration. The default is |
19 | # "*", which allows authentication to all hosts over all kinds of |
20 | # connections if there is at least one authenticator defined here. |
21 | # Authenticators which rely on unencrypted clear text passwords don't |
22 | # advertise on unencrypted connections by default. You can set |
23 | # AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to advertise unencrypted clear text |
24 | # password based authenticators on all connections. |
25 | |
26 | # plain_server: |
27 | # driver = plaintext |
28 | # public_name = PLAIN |
29 | # server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" |
30 | # server_set_id = $2 |
31 | # server_prompts = : |
32 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
33 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
34 | # .endif |
35 | # |
36 | # login_server: |
37 | # driver = plaintext |
38 | # public_name = LOGIN |
39 | # server_prompts = "Username:: : Password::" |
40 | # server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" |
41 | # server_set_id = $1 |
42 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
43 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
44 | # .endif |
45 | # |
46 | # cram_md5_server: |
47 | # driver = cram_md5 |
48 | # public_name = CRAM-MD5 |
49 | # server_secret = ${extract{2}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}fail}}} |
50 | # server_set_id = $1 |
51 | |
52 | # Here is an example of CRAM-MD5 authentication against PostgreSQL: |
53 | # |
54 | # psqldb_auth_server: |
55 | # driver = cram_md5 |
56 | # public_name = CRAM-MD5 |
57 | # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$1}'}{$value}fail} |
58 | # server_set_id = $1 |
59 | |
60 | # Authenticate against local passwords using sasl2-bin |
61 | # Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH |
62 | # plain_saslauthd_server: |
63 | # driver = plaintext |
64 | # public_name = PLAIN |
65 | # server_condition = ${if saslauthd{{$2}{$3}}{1}{0}} |
66 | # server_set_id = $2 |
67 | # server_prompts = : |
68 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
69 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
70 | # .endif |
71 | # |
72 | # login_saslauthd_server: |
73 | # driver = plaintext |
74 | # public_name = LOGIN |
75 | # server_prompts = "Username:: : Password::" |
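76 | # # don't send system passwords over unencrypted connections. NOTE: server_advertise_condition is set again in the .ifndef block below; Exim does not accept the same option twice in one authenticator, so keep only one of the two settings when uncommenting this example. |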
77 | # server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}} |
78 | # server_condition = ${if saslauthd{{$1}{$2}}{1}{0}} |
79 | # server_set_id = $1 |
80 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
81 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
82 | # .endif |
83 | # |
84 | # ntlm_sasl_server: |
85 | # driver = cyrus_sasl |
86 | # public_name = NTLM |
87 | # server_realm = <short main hostname> |
88 | # server_set_id = $1 |
89 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
90 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
91 | # .endif |
92 | # |
93 | # digest_md5_sasl_server: |
94 | # driver = cyrus_sasl |
95 | # public_name = DIGEST-MD5 |
96 | # server_realm = <short main hostname> |
97 | # server_set_id = $1 |
98 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
99 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
100 | # .endif |
101 | |
102 | # Authenticate against cyrus-sasl |
103 | # This is mainly untested, please report any problems to |
104 | # pkg-exim4-users@lists.alioth.debian.org. If you have success with |
105 | # using these authenticators until May 1 2005, please report as well. |
106 | # cram_md5_sasl_server: |
107 | # driver = cyrus_sasl |
108 | # public_name = CRAM-MD5 |
109 | # server_realm = <short main hostname> |
110 | # server_set_id = $1 |
111 | # |
112 | # plain_sasl_server: |
113 | # driver = cyrus_sasl |
114 | # public_name = PLAIN |
115 | # server_realm = <short main hostname> |
116 | # server_set_id = $1 |
117 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
118 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
119 | # .endif |
120 | # |
121 | # login_sasl_server: |
122 | # driver = cyrus_sasl |
123 | # public_name = LOGIN |
124 | # server_realm = <short main hostname> |
125 | # server_set_id = $1 |
126 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
127 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
128 | # .endif |
129 | |
130 | # Authenticate against courier authdaemon |
131 | |
132 | # This has been copied from |
133 | # http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php |
134 | # (thanks to r. i. pienaar). This has been reported as "working" with |
135 | # the Debian packages by Sven Geggus. Possible pitfall: access rights |
136 | # on /var/run/courier/authdaemon/socket. |
137 | |
138 | # plain_courier_authdaemon: |
139 | # driver = plaintext |
140 | # public_name = PLAIN |
141 | # server_condition = \ |
142 | # ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\ |
143 | # {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n}}}{FAIL\n}{no}{yes}} |
144 | # server_set_id = $2 |
145 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
146 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
147 | # .endif |
148 | # |
149 | # login_courier_authdaemon: |
150 | # driver = plaintext |
151 | # public_name = LOGIN |
152 | # server_prompts = Username:: : Password:: |
153 | # server_condition = ${if eq {${readsocket{/var/run/courier/authdaemon/socket} \ |
154 | # {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n}}}{FAIL\n}{no}{yes}} |
155 | # server_set_id = $1 |
156 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
157 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
158 | # .endif |
159 | |
160 | # This one is a bad hack to support the broken version 4.xx of |
161 | # Microsoft Outlook Express which violates the RFCs by demanding |
162 | # "250-AUTH=" instead of "250-AUTH ". |
163 | # It has to be the last authenticator to work and has not been tested |
164 | # well. Use at your own risk. |
165 | # See the thread entry point from |
166 | # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html |
167 | # for the related discussion on the exim-users mailing list. |
168 | # Thanks to Fred Viles for this great work. |
169 | |
170 | # support_broken_outlook_express_4_server: |
171 | # driver = plaintext |
172 | # public_name = "\r\n250-AUTH=PLAIN LOGIN" |
173 | # server_prompts = User Name : Password |
174 | # server_condition = no |
175 | |
176 | ############## |
177 | # See /usr/share/doc/exim4-base/README.SMTP-AUTH |
178 | ############## |
179 | |
180 | # These examples below are the equivalent for client side authentication. |
181 | # They get the passwords from CONFDIR/passwd.client. This file should have |
182 | # three columns separated by colons, the first contains the name of the |
183 | # mailserver to authenticate against, the second the username and the third |
184 | # contains the password. The passwords are stored in clear text, so the file should not be readable by other local users. |
185 | |
186 | ### # example for CONFDIR/passwd.client |
187 | ### mail.server:blah:secret |
188 | ### # default entry: |
189 | ### *:bar:foo |
190 | |
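191 | # Because AUTH PLAIN and AUTH LOGIN send the password in clear, we |
192 | # only allow these mechanisms over encrypted connections by default. The test is only that $tls_cipher is non-empty, i.e. that the connection is encrypted; whether the server's certificate was verified depends on the TLS settings of the smtp transport. |
193 | # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted |
194 | # clear text password authentication on all connections. |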
195 | |
196 | cram_md5: |
    | # Client-side CRAM-MD5 authenticator. The credentials come from the |
    | # CONFDIR/passwd.client entry for $host; lsearch* retries with the key "*" |
    | # when there is no entry for the host itself. Field 1 of the entry's value |
    | # is used as the user name and field 2 as the secret. If no entry is found, |
    | # the expansion is forced to fail ("fail"). |
    | # Unlike plain and login below, this block has no $tls_cipher test. |
197 | driver = cram_md5 |
198 | public_name = CRAM-MD5 |
199 | client_name = ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} |
200 | client_secret = ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} |
201 | |
202 | plain: |
    | # Client-side PLAIN authenticator. client_send builds one string in which |
    | # each "^" stands for a NUL byte: ^<user>^<password>, both taken from the |
    | # CONFDIR/passwd.client entry for $host (lsearch* falls back to the "*" |
    | # entry). The colon is doubled in extract{..}{::} because a single colon |
    | # separates the strings of client_send. |
    | # Unless AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS is defined, the credentials are |
    | # only expanded when $tls_cipher is non-empty; on an unencrypted connection |
    | # the expansion is forced to fail instead of sending the password. |
203 | driver = plaintext |
204 | public_name = PLAIN |
205 | .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS |
206 | client_send = "${if !eq{$tls_cipher}{}{\ |
207 | ^${extract{1}{::}\ |
208 | {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\ |
209 | ^${extract{2}{::}\ |
210 | {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\ |
211 | }fail}" |
212 | .else |
213 | client_send = "^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}" |
214 | .endif |
215 | |
216 | login: |
    | # Client-side LOGIN authenticator. client_send is a colon-separated list of |
    | # three strings: a first string that carries no data, then the user name and |
    | # the password from the CONFDIR/passwd.client entry for $host (lsearch* |
    | # falls back to the "*" entry). |
    | # Unless AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS is defined, the first string is |
    | # an ${if} that expands to nothing when $tls_cipher is non-empty and is |
    | # forced to fail otherwise, so the credentials are not sent on an |
    | # unencrypted connection. |
217 | driver = plaintext |
218 | public_name = LOGIN |
219 | .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS |
220 | client_send = "${if !eq{$tls_cipher}{}{}fail}\ |
221 | : ${extract{1}{::}\ |
222 | {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \ |
223 | : ${extract{2}{::}\ |
224 | {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}" |
225 | .else |
226 | client_send = ": ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}" |
227 | .endif |
227 | .endif |