1 | |
2 | ### auth/30_exim4-config_examples |
3 | ################################# |
4 | |
5 | # The examples below are for server side authentication, when the |
6 | # local exim is SMTP server and clients authenticate to the local exim. |
7 | |
8 | # They allow two styles of plain-text authentication against an |
9 | # CONFDIR/passwd file whose syntax is described in exim_passwd(5). |
10 | |
11 | # Hosts that are allowed to use AUTH are defined by the |
12 | # auth_advertise_hosts option in the main configuration. The default is |
13 | # "*", which allows authentication to all hosts over all kinds of |
14 | # connections if there is at least one authenticator defined here. |
15 | # Authenticators which rely on unencrypted clear text passwords don't |
16 | # advertise on unencrypted connections by default. Thus, it might be |
17 | # wise to set up TLS to allow encrypted connections. If TLS cannot be |
18 | # used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to |
19 | # advertise unencrypted clear text password based authenticators on all |
20 | # connections. As this is severely reducing security, using TLS is |
21 | # preferred over allowing clear text password based authenticators on |
22 | # unencrypted connections. |
23 | |
24 | # PLAIN authentication has no server prompts. The client sends its |
25 | # credentials in one lump, containing an authorization ID (which we do not |
26 | # use), an authentication ID, and a password. The latter two appear as |
27 | # $auth2 and $auth3 in the configuration and should be checked against a |
28 | # valid username and password. In a real configuration you would typically |
29 | # use $auth2 as a lookup key, and compare $auth3 against the result of the |
30 | # lookup, perhaps using the crypteq{}{} condition. |
31 | |
32 | # plain_server: |
33 | # driver = plaintext |
34 | # public_name = PLAIN |
35 | # server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" |
36 | # server_set_id = $auth2 |
37 | # server_prompts = : |
38 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
39 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
40 | # .endif |
41 | |
42 | # LOGIN authentication has traditional prompts and responses. There is no |
43 | # authorization ID in this mechanism, so unlike PLAIN the username and |
44 | # password are $auth1 and $auth2. Apart from that you can use the same |
45 | # server_condition setting for both authenticators. |
46 | |
47 | # login_server: |
48 | # driver = plaintext |
49 | # public_name = LOGIN |
50 | # server_prompts = "Username:: : Password::" |
51 | # server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" |
52 | # server_set_id = $auth1 |
53 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
54 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
55 | # .endif |
56 | # |
57 | # cram_md5_server: |
58 | # driver = cram_md5 |
59 | # public_name = CRAM-MD5 |
60 | # server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}} |
61 | # server_set_id = $auth1 |
62 | |
63 | # Here is an example of CRAM-MD5 authentication against PostgreSQL: |
64 | # |
65 | # psqldb_auth_server: |
66 | # driver = cram_md5 |
67 | # public_name = CRAM-MD5 |
68 | # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail} |
69 | # server_set_id = $auth1 |
70 | |
71 | # Authenticate against local passwords using sasl2-bin |
72 | # Requires exim_uid to be a member of sasl group, see README.Debian.gz |
73 | # plain_saslauthd_server: |
74 | # driver = plaintext |
75 | # public_name = PLAIN |
76 | # server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} |
77 | # server_set_id = $auth2 |
78 | # server_prompts = : |
79 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
80 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
81 | # .endif |
82 | # |
83 | # login_saslauthd_server: |
84 | # driver = plaintext |
85 | # public_name = LOGIN |
86 | # server_prompts = "Username:: : Password::" |
87 | # # don't send system passwords over unencrypted connections |
88 | # server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}} |
89 | # server_set_id = $auth1 |
90 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
91 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
92 | # .endif |
93 | # |
94 | # ntlm_sasl_server: |
95 | # driver = cyrus_sasl |
96 | # public_name = NTLM |
97 | # server_realm = <short main hostname> |
98 | # server_set_id = $auth1 |
99 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
100 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
101 | # .endif |
102 | # |
103 | # digest_md5_sasl_server: |
104 | # driver = cyrus_sasl |
105 | # public_name = DIGEST-MD5 |
106 | # server_realm = <short main hostname> |
107 | # server_set_id = $auth1 |
108 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
109 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
110 | # .endif |
111 | |
112 | # Authenticate against cyrus-sasl |
113 | # This is mainly untested, please report any problems to |
114 | # pkg-exim4-users@lists.alioth.debian.org. |
115 | # cram_md5_sasl_server: |
116 | # driver = cyrus_sasl |
117 | # public_name = CRAM-MD5 |
118 | # server_realm = <short main hostname> |
119 | # server_set_id = $auth1 |
120 | # |
121 | # plain_sasl_server: |
122 | # driver = cyrus_sasl |
123 | # public_name = PLAIN |
124 | # server_realm = <short main hostname> |
125 | # server_set_id = $auth1 |
126 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
127 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
128 | # .endif |
129 | # |
130 | # login_sasl_server: |
131 | # driver = cyrus_sasl |
132 | # public_name = LOGIN |
133 | # server_realm = <short main hostname> |
134 | # server_set_id = $auth1 |
135 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
136 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
137 | # .endif |
138 | |
139 | # Authenticate against courier authdaemon |
140 | |
141 | # This is now the (working!) example from |
142 | # http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730 |
143 | # Possible pitfall: access rights on /var/run/courier/authdaemon/socket. |
144 | # plain_courier_authdaemon: |
145 | # driver = plaintext |
146 | # public_name = PLAIN |
147 | # server_condition = \ |
148 | # ${extract {ADDRESS} \ |
149 | # {${readsocket{/var/run/courier/authdaemon/socket} \ |
150 | # {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \ |
151 | # {yes} \ |
152 | # fail} |
153 | # server_set_id = $auth2 |
154 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
155 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
156 | # .endif |
157 | |
158 | # login_courier_authdaemon: |
159 | # driver = plaintext |
160 | # public_name = LOGIN |
161 | # server_prompts = Username:: : Password:: |
162 | # server_condition = \ |
163 | # ${extract {ADDRESS} \ |
164 | # {${readsocket{/var/run/courier/authdaemon/socket} \ |
165 | # {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \ |
166 | # {yes} \ |
167 | # fail} |
168 | # server_set_id = $auth1 |
169 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
170 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
171 | # .endif |
172 | |
173 | # This one is a bad hack to support the broken version 4.xx of |
174 | # Microsoft Outlook Express which violates the RFCs by demanding |
175 | # "250-AUTH=" instead of "250-AUTH ". |
176 | # If your list of offered authenticators is other than PLAIN and LOGIN, |
177 | # you need to adapt the public_name line manually. |
178 | # It has to be the last authenticator to work and has not been tested |
179 | # well. Use at your own risk. |
180 | # See the thread entry point from |
181 | # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html |
182 | # for the related discussion on the exim-users mailing list. |
183 | # Thanks to Fred Viles for this great work. |
184 | |
185 | # support_broken_outlook_express_4_server: |
186 | # driver = plaintext |
187 | # public_name = "\r\n250-AUTH=PLAIN LOGIN" |
188 | # server_prompts = User Name : Password |
189 | # server_condition = no |
190 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
191 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
192 | # .endif |
193 | |
194 | ############## |
195 | # See /usr/share/doc/exim4-base/README.Debian.gz |
196 | ############## |
197 | |
198 | # These examples below are the equivalent for client side authentication. |
199 | # They get the passwords from CONFDIR/passwd.client, whose format is |
200 | # defined in exim4_passwd_client(5) |
201 | |
202 | # Because AUTH PLAIN and AUTH LOGIN send the password in clear, we |
203 | # only allow these mechanisms over encrypted connections by default. |
204 | # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted |
205 | # clear text password authentication on all connections. |
206 | |
# Client-side CRAM-MD5: used when this exim connects out to a remote SMTP
# server that offers CRAM-MD5.  Username (field 1) and shared secret
# (field 2) come from the colon-separated CONFDIR/passwd.client line whose
# key matches $host (nwildlsearch, so the file may hold wildcard patterns).
# "fail" forces the expansion to fail when no line matches, rather than
# answering the challenge with an empty credential — presumably exim then
# skips this authenticator for that host; confirm against the spec.
# CRAM-MD5 needs the secret itself (it is the HMAC key), so passwd.client
# holds it unencrypted: keep that file readable by the exim user only.
cram_md5:
driver = cram_md5
public_name = CRAM-MD5
client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
212 | |
213 | # hcoop-change: Authenticate against either /etc/courier/exim.dat or |
214 | # SASL for plain and login authenticators |
215 | |
# Server-side PLAIN (live, not an example).  The client sends
# authorization-id, login name and password in one lump; the login name
# and password are referenced here as $2 and $3.  Access is granted if
# EITHER the password crypt-matches the "systempw" field of the courier
# userdb record for that login in /etc/courier/exim.dat, OR saslauthd
# accepts the login/password pair.  The courier record is a "|"-separated
# list of key=value fields; ${tr} turns "|" into spaces so ${extract} can
# pick the systempw field by name.
#
# NOTE(review): $1/$2/$3 are the legacy numeric variables.  The examples
# earlier in this file use $auth2/$auth3, which the Exim spec recommends
# for plaintext authenticators because the numeric variables can be
# overwritten by a regex match that happens during the same expansion —
# verify against the installed version's docs and consider switching to
# $auth2/$auth3 (and server_set_id = $auth2).
#
# NOTE(review): unlike every example in this file, this authenticator has
# no server_advertise_condition, so PLAIN is offered on unencrypted
# connections too and passwords can travel in the clear.  The file's own
# convention for this is:
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# NOTE(review): the dbm lookup has no failure string, so a miss presumably
# yields "" and crypteq is then evaluated against an empty extract —
# confirm that this is always false on the installed crypt() so that an
# unknown login only ever succeeds via saslauthd.
hcoop_plain:
driver = plaintext
public_name = PLAIN
# Continued expansion below: keep no comment lines inside it, a "#" line
# between backslash-continued lines would break the expansion.
server_condition = \
${if or {{crypteq {$3} \
{${extract{systempw}{${tr{${lookup{$2} \
dbm{/etc/courier/exim.dat} \
}}{|}{ }}}}}} \
{saslauthd {{$2}{$3}}}}}
server_set_id = $2
226 | |
# Server-side LOGIN (live, not an example).  LOGIN has no authorization
# id, so the prompted username and password are $1 and $2 here (PLAIN
# uses $2/$3).  Same decision as hcoop_plain: accept if the password
# crypt-matches the "systempw" field of the courier userdb record in
# /etc/courier/exim.dat, OR if saslauthd accepts the pair.
#
# NOTE(review): $1/$2 are the legacy numeric variables; the examples
# earlier in this file use $auth1/$auth2, which the Exim spec recommends
# because the numeric variables can be overwritten by a regex match
# during the same expansion — verify and consider switching
# (server_set_id = $auth1).
#
# NOTE(review): no server_advertise_condition, so LOGIN is offered on
# unencrypted connections as well.  The file's convention is:
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# NOTE(review): the dbm lookup has no failure string; a miss presumably
# yields "" and crypteq runs against an empty extract — confirm this is
# always false on the installed crypt().
hcoop_login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
# Continued expansion below: no comment lines may be placed inside it.
server_condition = \
${if or {{crypteq {$2} \
{${extract{systempw}{${tr{${lookup{$1} \
dbm{/etc/courier/exim.dat} \
}}{|}{ }}}}}} \
{saslauthd {{$1}{$2}}}}}
server_set_id = $1
238 | |
# PASSWDLINE: macro expanding to the CONFDIR/passwd.client line whose key
# matches $host (nwildlsearch, so wildcard patterns are allowed); a miss
# forces the expansion to fail.  Every "^" in the line is doubled because
# the plaintext client_send strings that use this macro treat "^" as the
# NUL separator between AUTH fields, so a literal "^" in a username or
# password must be written as "^^".  \N...\N keeps the regex out of
# string expansion; the backslashes are doubled because the macro text is
# presumably substituted into quoted client_send strings, where "\\"
# collapses to "\" — confirm if this macro is ever used unquoted.
PASSWDLINE=${sg{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
}\
{\\N[\\^]\\N}\
{^^}\
}
246 | |
247 | # hcoop-change: Comment out plain and login authenticators |
248 | |
249 | # plain: |
250 | # driver = plaintext |
251 | # public_name = PLAIN |
252 | # .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS |
253 | # client_send = "<; ${if !eq{$tls_cipher}{}\ |
254 | # {^${extract{1}{:}{PASSWDLINE}}\ |
255 | # ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\ |
256 | # }fail}" |
257 | # .else |
258 | # client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\ |
259 | # ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" |
260 | # .endif |
261 | |
262 | # login: |
263 | # driver = plaintext |
264 | # public_name = LOGIN |
265 | # .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS |
266 | # # Return the empty string if the connection is TLS-encrypted AND looking |
267 | # # up $host in the passwd file yields a non-empty string; fail otherwise. |
268 | # client_send = "<; ${if and{\ |
269 | # {!eq{$tls_cipher}{}}\ |
270 | # {!eq{PASSWDLINE}{}}\ |
271 | # }\ |
272 | # {}fail}\ |
273 | # ; ${extract{1}{::}{PASSWDLINE}}\ |
274 | # ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" |
275 | # .else |
276 | # # Return empty string if looking up $host in passwd-file yields a |
277 | # # non-empty string; fail otherwise. |
278 | # client_send = "<; ${if !eq{PASSWDLINE}{}\ |
279 | # {}fail}\ |
280 | # ; ${extract{1}{::}{PASSWDLINE}}\ |
281 | # ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" |
282 | # .endif |