[hcoop/zz_old/config/exim4-hopper.git] / conf.d / auth / 30_exim4-config_examples


### auth/30_exim4-config_examples
#################################

# The examples below are for server side authentication

# They allow two styles of plain-text authentication against an
# CONFDIR/passwd file which should have user names in the first column
# and crypted passwords in the second. The columns need to be separated
# by ':'. Please note that apache's htpasswd program generates a file
# in the correct format, but uses a different crypt scheme. So,
# htpassword will _NOT_ work for exim4.

# For CRAM-MD5 exim needs access to the UNENCRYPTED passwd - the example
# below assumes it is available in the third column of CONFDIR/passwd

# Hosts that are allowed to use AUTH are defined by the
# auth_advertise_hosts option in the main configuration. The default is
# "*", which allows authentication to all hosts over all kinds of
# connections if there is at least one authenticator defined here.
# Authenticators which rely on unencrypted clear text passwords don't
# advertise on unencrypted connections by default. You can set
# AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to advertise unencrypted clear text
# password based authenticators on all connections.

# plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# login_server:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = "Username:: : Password::"
#   server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# cram_md5_server:
#   driver = cram_md5
#   public_name = CRAM-MD5
#   server_secret = ${extract{2}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}fail}}}
#   server_set_id = $1

# Here is an example of CRAM-MD5 authentication against PostgreSQL:
#
# psqldb_auth_server:
#   driver = cram_md5
#   public_name = CRAM-MD5
#   server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$1}'}{$value}fail}
#   server_set_id = $1

# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH
# plain_saslauthd_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# login_saslauthd_server:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = "Username:: : Password::"
#   # don't send system passwords over unencrypted connections
#   server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
#   server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# ntlm_sasl_server:
#   driver = cyrus_sasl
#   public_name = NTLM
#   server_realm = <short main hostname>
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
# 
# digest_md5_sasl_server:
#   driver = cyrus_sasl
#   public_name = DIGEST-MD5
#   server_realm = <short main hostname>
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

# Authentcate against cyrus-sasl
# This is mainly untested, please report any problems to
# pkg-exim4-users@lists.alioth.debian.org. If you have success with
# using these authenticators until May 1 2005, please report as well.
# cram_md5_sasl_server:
#   driver = cyrus_sasl
#   public_name = CRAM-MD5
#   server_realm = <short main hostname>
#   server_set_id = $1
#
# plain_sasl_server:
#   driver = cyrus_sasl
#   public_name = PLAIN
#   server_realm = <short main hostname>
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# login_sasl_server:
#   driver = cyrus_sasl
#   public_name = LOGIN
#   server_realm = <short main hostname>
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

# Authenticate against courier authdaemon

# This has been copied from
# http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php
# (thanks to r. i. pienaar). This has been reported as "working" with
# the Debian packages by Sven Geggus. Possible pitfall: access rights
# on /var/run/courier/authdaemon/socket.

# plain_courier_authdaemon:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = \
#                ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
#                {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n}}}{FAIL\n}{no}{yes}}
#   server_set_id = $2
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# login_courier_authdaemon:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = Username:: : Password::
#   server_condition = ${if eq {${readsocket{/var/run/courier/authdaemon/socket} \
#                 {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n}}}{FAIL\n}{no}{yes}}
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

# This one is a bad hack to support the broken version 4.xx of
# Microsoft Outlook Express which violates the RFCs by demanding
# "250-AUTH=" instead of "250-AUTH ".
# It has to be the last authenticator to work and has not been tested
# well. Use at your own risk.
# See the thread entry point from
# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
# for the related discussion on the exim-users mailing list.
# Thanks to Fred Viles for this great work.

# support_broken_outlook_express_4_server:
#   driver = plaintext
#   public_name = "\r\n250-AUTH=PLAIN LOGIN"
#   server_prompts = User Name : Password
#   server_condition = no

##############
# See /usr/share/doc/exim4-base/README.SMTP-AUTH
##############

# These examples below are the equivalent for client side authentication.
# They get the passwords from CONFDIR/passwd.client. This file should have
# three columns separated by colons, the first contains the name of the
# mailserver to authenticate against, the second the username and the third
# contains the password.

### # example for CONFDIR/passwd.client
### mail.server:blah:secret
### # default entry:
### *:bar:foo

# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
# only allow these mechanisms over encrypted connections by default.
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
# clear text password authentication on all connections.

cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
  client_secret = ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}

plain:
  driver = plaintext
  public_name = PLAIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  client_send = "${if !eq{$tls_cipher}{}{\
                     ^${extract{1}{::}\
		       {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
		     ^${extract{2}{::}\
		       {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
		   }fail}"
.else
  client_send = "^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
.endif

login:
  driver = plaintext
  public_name = LOGIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  client_send = "${if !eq{$tls_cipher}{}{}fail}\
                 : ${extract{1}{::}\
		        {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \
		 : ${extract{2}{::}\
		     {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
.else
  client_send = ": ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
.endif
Commit	Line	Data
725c9874	1
	2	### auth/30_exim4-config_examples
	3	#################################
	4
	5	# The examples below are for server side authentication
	6
	7	# They allow two styles of plain-text authentication against an
	8	# CONFDIR/passwd file which should have user names in the first column
	9	# and crypted passwords in the second. The columns need to be separated
	10	# by ':'. Please note that apache's htpasswd program generates a file
	11	# in the correct format, but uses a different crypt scheme. So,
	12	# htpassword will _NOT_ work for exim4.
	13
	14	# For CRAM-MD5 exim needs access to the UNENCRYPTED passwd - the example
	15	# below assumes it is available in the third column of CONFDIR/passwd
	16
	17	# Hosts that are allowed to use AUTH are defined by the
	18	# auth_advertise_hosts option in the main configuration. The default is
	19	# "*", which allows authentication to all hosts over all kinds of
	20	# connections if there is at least one authenticator defined here.
	21	# Authenticators which rely on unencrypted clear text passwords don't
	22	# advertise on unencrypted connections by default. You can set
	23	# AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to advertise unencrypted clear text
	24	# password based authenticators on all connections.
	25
	26	# plain_server:
	27	# driver = plaintext
	28	# public_name = PLAIN
	29	# server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{:}}}}}{1}{0}}"
	30	# server_set_id = $2
	31	# server_prompts = :
	32	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	33	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	34	# .endif
	35	#
	36	# login_server:
	37	# driver = plaintext
	38	# public_name = LOGIN
	39	# server_prompts = "Username:: : Password::"
	40	# server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}{:}}}}}{1}{0}}"
	41	# server_set_id = $1
	42	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	43	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	44	# .endif
	45	#
	46	# cram_md5_server:
	47	# driver = cram_md5
	48	# public_name = CRAM-MD5
	49	# server_secret = ${extract{2}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}fail}}}
	50	# server_set_id = $1
	51
	52	# Here is an example of CRAM-MD5 authentication against PostgreSQL:
	53	#
	54	# psqldb_auth_server:
	55	# driver = cram_md5
	56	# public_name = CRAM-MD5
	57	# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$1}'}{$value}fail}
	58	# server_set_id = $1
	59
	60	# Authenticate against local passwords using sasl2-bin
	61	# Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH
	62	# plain_saslauthd_server:
	63	# driver = plaintext
	64	# public_name = PLAIN
65	# server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
66	# server_set_id = $2
67	# server_prompts = :
68	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
69	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
70	# .endif
71	#
72	# login_saslauthd_server:
73	# driver = plaintext
74	# public_name = LOGIN
75	# server_prompts = "Username:: : Password::"
76	# # don't send system passwords over unencrypted connections
77	# server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
78	# server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
79	# server_set_id = $1
80	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
81	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
82	# .endif
83	#
84	# ntlm_sasl_server:
85	# driver = cyrus_sasl
86	# public_name = NTLM
87	# server_realm = <short main hostname>
88	# server_set_id = $1
89	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
90	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
91	# .endif
92	#
93	# digest_md5_sasl_server:
94	# driver = cyrus_sasl
95	# public_name = DIGEST-MD5
96	# server_realm = <short main hostname>
97	# server_set_id = $1
98	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
99	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
100	# .endif
101
102	# Authentcate against cyrus-sasl
103	# This is mainly untested, please report any problems to
104	# pkg-exim4-users@lists.alioth.debian.org. If you have success with
105	# using these authenticators until May 1 2005, please report as well.
106	# cram_md5_sasl_server:
107	# driver = cyrus_sasl
108	# public_name = CRAM-MD5
109	# server_realm = <short main hostname>
110	# server_set_id = $1
111	#
112	# plain_sasl_server:
113	# driver = cyrus_sasl
114	# public_name = PLAIN
115	# server_realm = <short main hostname>
116	# server_set_id = $1
117	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
118	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
119	# .endif
120	#
121	# login_sasl_server:
122	# driver = cyrus_sasl
123	# public_name = LOGIN
124	# server_realm = <short main hostname>
125	# server_set_id = $1
126	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
127	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
128	# .endif
129
130	# Authenticate against courier authdaemon
131
132	# This has been copied from
133	# http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php
134	# (thanks to r. i. pienaar). This has been reported as "working" with
135	# the Debian packages by Sven Geggus. Possible pitfall: access rights
136	# on /var/run/courier/authdaemon/socket.
137
138	# plain_courier_authdaemon:
139	# driver = plaintext
140	# public_name = PLAIN
141	# server_condition = \
142	# ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
143	# {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n}}}{FAIL\n}{no}{yes}}
144	# server_set_id = $2
145	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
146	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
147	# .endif
148	#
149	# login_courier_authdaemon:
150	# driver = plaintext
151	# public_name = LOGIN
152	# server_prompts = Username:: : Password::
153	# server_condition = ${if eq {${readsocket{/var/run/courier/authdaemon/socket} \
154	# {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n}}}{FAIL\n}{no}{yes}}
155	# server_set_id = $1
156	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
157	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
158	# .endif
159
160	# This one is a bad hack to support the broken version 4.xx of
161	# Microsoft Outlook Express which violates the RFCs by demanding
162	# "250-AUTH=" instead of "250-AUTH ".
163	# It has to be the last authenticator to work and has not been tested
164	# well. Use at your own risk.
165	# See the thread entry point from
166	# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
167	# for the related discussion on the exim-users mailing list.
168	# Thanks to Fred Viles for this great work.
169
170	# support_broken_outlook_express_4_server:
171	# driver = plaintext
172	# public_name = "\r\n250-AUTH=PLAIN LOGIN"
173	# server_prompts = User Name : Password
174	# server_condition = no
175
176	##############
177	# See /usr/share/doc/exim4-base/README.SMTP-AUTH
178	##############
179
180	# These examples below are the equivalent for client side authentication.
181	# They get the passwords from CONFDIR/passwd.client. This file should have
182	# three columns separated by colons, the first contains the name of the
183	# mailserver to authenticate against, the second the username and the third
184	# contains the password.
185
186	### # example for CONFDIR/passwd.client
187	### mail.server:blah:secret
188	### # default entry:
189	### *:bar:foo
190
191	# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
192	# only allow these mechanisms over encrypted connections by default.
193	# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
194	# clear text password authentication on all connections.
195
196	cram_md5:
197	driver = cram_md5
198	public_name = CRAM-MD5
199	client_name = ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
200	client_secret = ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
201
202	plain:
203	driver = plaintext
204	public_name = PLAIN
205	.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
206	client_send = "${if !eq{$tls_cipher}{}{\
207	^${extract{1}{::}\
208	{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
209	^${extract{2}{::}\
210	{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
211	}fail}"
212	.else
213	client_send = "^${extract{1}{::}{${lookup{$host}lsearch{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch{CONFDIR/passwd.client}{$value}fail}}}"
214	.endif
215
216	login:
217	driver = plaintext
218	public_name = LOGIN
219	.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
220	client_send = "${if !eq{$tls_cipher}{}{}fail}\
221	: ${extract{1}{::}\
222	{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \
223	: ${extract{2}{::}\
224	{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
225	.else
226	client_send = ": ${extract{1}{::}{${lookup{$host}lsearch{CONFDIR/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch{CONFDIR/passwd.client}{$value}fail}}}"
227	.endif