[hcoop/zz_old/config/exim4-hopper.git] / conf.d / auth / 30_exim4-config_examples


### auth/30_exim4-config_examples
#################################

# The examples below are for server side authentication, when the
# local exim is SMTP server and clients authenticate to the local exim.

# They allow two styles of plain-text authentication against an
# CONFDIR/passwd file whose syntax is described in exim_passwd(5).

# Hosts that are allowed to use AUTH are defined by the
# auth_advertise_hosts option in the main configuration. The default is
# "*", which allows authentication to all hosts over all kinds of
# connections if there is at least one authenticator defined here.
# Authenticators which rely on unencrypted clear text passwords don't
# advertise on unencrypted connections by default. Thus, it might be
# wise to set up TLS to allow encrypted connections. If TLS cannot be
# used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
# advertise unencrypted clear text password based authenticators on all
# connections. As this is severely reducing security, using TLS is
# preferred over allowing clear text password based authenticators on
# unencrypted connections.

# PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not
# use), an authentication ID, and a password. The latter two appear as
# $auth2 and $auth3 in the configuration and should be checked against a
# valid username and password. In a real configuration you would typically
# use $auth2 as a lookup key, and compare $auth3 against the result of the
# lookup, perhaps using the crypteq{}{} condition.

# plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
#   server_set_id = $auth2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.

# login_server:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = "Username:: : Password::"
#   server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
#   server_set_id = $auth1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# cram_md5_server:
#   driver = cram_md5
#   public_name = CRAM-MD5
#   server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
#   server_set_id = $auth1

# Here is an example of CRAM-MD5 authentication against PostgreSQL:
#
# psqldb_auth_server:
#   driver = cram_md5
#   public_name = CRAM-MD5
#   server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
#   server_set_id = $auth1

# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.Debian.gz
# plain_saslauthd_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
#   server_set_id = $auth2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# login_saslauthd_server:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = "Username:: : Password::"
#   # don't send system passwords over unencrypted connections
#   server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
#   server_set_id = $auth1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# ntlm_sasl_server:
#   driver = cyrus_sasl
#   public_name = NTLM
#   server_realm = <short main hostname>
#   server_set_id = $auth1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
# 
# digest_md5_sasl_server:
#   driver = cyrus_sasl
#   public_name = DIGEST-MD5
#   server_realm = <short main hostname>
#   server_set_id = $auth1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

# Authentcate against cyrus-sasl
# This is mainly untested, please report any problems to
# pkg-exim4-users@lists.alioth.debian.org.
# cram_md5_sasl_server:
#   driver = cyrus_sasl
#   public_name = CRAM-MD5
#   server_realm = <short main hostname>
#   server_set_id = $auth1
#
# plain_sasl_server:
#   driver = cyrus_sasl
#   public_name = PLAIN
#   server_realm = <short main hostname>
#   server_set_id = $auth1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# login_sasl_server:
#   driver = cyrus_sasl
#   public_name = LOGIN
#   server_realm = <short main hostname>
#   server_set_id = $auth1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

# Authenticate against courier authdaemon

# This is now the (working!) example from
# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
# Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
# plain_courier_authdaemon:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = \
#     ${extract {ADDRESS} \
#               {${readsocket{/var/run/courier/authdaemon/socket} \
#               {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
#               {yes} \
#               fail}
#   server_set_id = $auth2
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

# login_courier_authdaemon:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = Username:: : Password::
#   server_condition = \
#     ${extract {ADDRESS} \
#               {${readsocket{/var/run/courier/authdaemon/socket} \
#               {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
#               {yes} \
#               fail}
#   server_set_id = $auth1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

# This one is a bad hack to support the broken version 4.xx of
# Microsoft Outlook Express which violates the RFCs by demanding
# "250-AUTH=" instead of "250-AUTH ".
# If your list of offered authenticators is other than PLAIN and LOGIN,
# you need to adapt the public_name line manually.
# It has to be the last authenticator to work and has not been tested
# well. Use at your own risk.
# See the thread entry point from
# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
# for the related discussion on the exim-users mailing list.
# Thanks to Fred Viles for this great work.

# support_broken_outlook_express_4_server:
#   driver = plaintext
#   public_name = "\r\n250-AUTH=PLAIN LOGIN"
#   server_prompts = User Name : Password
#   server_condition = no
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

##############
# See /usr/share/doc/exim4-base/README.Debian.gz
##############

# These examples below are the equivalent for client side authentication.
# They get the passwords from CONFDIR/passwd.client, whose format is
# defined in exim4_passwd_client(5)

# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
# only allow these mechanisms over encrypted connections by default.
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
# clear text password authentication on all connections.

cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
  client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}

# hcoop-change: Authenticate against either /etc/courier/exim.dat or
# SASL for plain and login authenticators

hcoop_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = \
    ${if or {{crypteq {$3} \
                      {${extract{systempw}{${tr{${lookup{$2} \
                                 dbm{/etc/courier/exim.dat} \
                           }}{|}{ }}}}}} \
             {saslauthd {{$2}{$3}}}}}
  server_set_id = $2

hcoop_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = \
    ${if or {{crypteq {$2} \
                      {${extract{systempw}{${tr{${lookup{$1} \
                                 dbm{/etc/courier/exim.dat} \
                           }}{|}{ }}}}}} \
             {saslauthd {{$1}{$2}}}}}
  server_set_id = $1

# this returns the matching line from passwd.client and doubles all ^
PASSWDLINE=${sg{\
                ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
	        }\
	        {\\N[\\^]\\N}\
	        {^^}\
	    }

# hcoop-change: Comment out plain and login authenticators

# plain:
#   driver = plaintext
#   public_name = PLAIN
# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
#   client_send = "<; ${if !eq{$tls_cipher}{}\
#                     {^${extract{1}{:}{PASSWDLINE}}\
# 		     ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
# 		   }fail}"
# .else
#   client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
# 		    ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
# .endif

# login:
#   driver = plaintext
#   public_name = LOGIN
# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
#   # Return empty string if not non-TLS AND looking up $host in passwd-file
#   # yields a non-empty string; fail otherwise.
#   client_send = "<; ${if and{\
#                           {!eq{$tls_cipher}{}}\
#                           {!eq{PASSWDLINE}{}}\
#                          }\
#                       {}fail}\
#                  ; ${extract{1}{::}{PASSWDLINE}}\
# 		 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
# .else
#   # Return empty string if looking up $host in passwd-file yields a
#   # non-empty string; fail otherwise.
#   client_send = "<; ${if !eq{PASSWDLINE}{}\
#                       {}fail}\
#                  ; ${extract{1}{::}{PASSWDLINE}}\
# 		 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
# .endif
Commit	Line	Data
725c9874	1
	2	### auth/30_exim4-config_examples
	3	#################################
	4
d2b0a567	5	# The examples below are for server side authentication, when the
d2b0a567	6	# local exim is SMTP server and clients authenticate to the local exim.
725c9874	7
725c9874	8	# They allow two styles of plain-text authentication against an
d2b0a567	9	# CONFDIR/passwd file whose syntax is described in exim_passwd(5).
725c9874	10
	11	# Hosts that are allowed to use AUTH are defined by the
	12	# auth_advertise_hosts option in the main configuration. The default is
	13	# "*", which allows authentication to all hosts over all kinds of
	14	# connections if there is at least one authenticator defined here.
	15	# Authenticators which rely on unencrypted clear text passwords don't
d2b0a567	16	# advertise on unencrypted connections by default. Thus, it might be
	17	# wise to set up TLS to allow encrypted connections. If TLS cannot be
	18	# used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
	19	# advertise unencrypted clear text password based authenticators on all
	20	# connections. As this is severely reducing security, using TLS is
	21	# preferred over allowing clear text password based authenticators on
	22	# unencrypted connections.
	23
	24	# PLAIN authentication has no server prompts. The client sends its
	25	# credentials in one lump, containing an authorization ID (which we do not
	26	# use), an authentication ID, and a password. The latter two appear as
	27	# $auth2 and $auth3 in the configuration and should be checked against a
	28	# valid username and password. In a real configuration you would typically
	29	# use $auth2 as a lookup key, and compare $auth3 against the result of the
	30	# lookup, perhaps using the crypteq{}{} condition.
725c9874	31
	32	# plain_server:
	33	# driver = plaintext
	34	# public_name = PLAIN
d2b0a567	35	# server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{:}}}}}{1}{0}}"
d2b0a567	36	# server_set_id = $auth2
725c9874	37	# server_prompts = :
	38	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	39	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	40	# .endif
d2b0a567	41
	42	# LOGIN authentication has traditional prompts and responses. There is no
	43	# authorization ID in this mechanism, so unlike PLAIN the username and
	44	# password are $auth1 and $auth2. Apart from that you can use the same
	45	# server_condition setting for both authenticators.
	46
725c9874	47	# login_server:
	48	# driver = plaintext
	49	# public_name = LOGIN
	50	# server_prompts = "Username:: : Password::"
d2b0a567	51	# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{:}}}}}{1}{0}}"
d2b0a567	52	# server_set_id = $auth1
725c9874	53	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	54	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	55	# .endif
	56	#
	57	# cram_md5_server:
	58	# driver = cram_md5
	59	# public_name = CRAM-MD5
d2b0a567	60	# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
d2b0a567	61	# server_set_id = $auth1
725c9874	62
	63	# Here is an example of CRAM-MD5 authentication against PostgreSQL:
	64	#
	65	# psqldb_auth_server:
	66	# driver = cram_md5
	67	# public_name = CRAM-MD5
d2b0a567	68	# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
d2b0a567	69	# server_set_id = $auth1
725c9874	70
725c9874	71	# Authenticate against local passwords using sasl2-bin
d2b0a567	72	# Requires exim_uid to be a member of sasl group, see README.Debian.gz
725c9874	73	# plain_saslauthd_server:
	74	# driver = plaintext
	75	# public_name = PLAIN
d2b0a567	76	# server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
d2b0a567	77	# server_set_id = $auth2
725c9874	78	# server_prompts = :
	79	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	80	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	81	# .endif
	82	#
	83	# login_saslauthd_server:
	84	# driver = plaintext
	85	# public_name = LOGIN
	86	# server_prompts = "Username:: : Password::"
	87	# # don't send system passwords over unencrypted connections
d2b0a567	88	# server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
d2b0a567	89	# server_set_id = $auth1
725c9874	90	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	91	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	92	# .endif
	93	#
	94	# ntlm_sasl_server:
	95	# driver = cyrus_sasl
	96	# public_name = NTLM
	97	# server_realm = <short main hostname>
d2b0a567	98	# server_set_id = $auth1
725c9874	99	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	100	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	101	# .endif
	102	#
	103	# digest_md5_sasl_server:
	104	# driver = cyrus_sasl
	105	# public_name = DIGEST-MD5
	106	# server_realm = <short main hostname>
d2b0a567	107	# server_set_id = $auth1
725c9874	108	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	109	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	110	# .endif
	111
	112	# Authentcate against cyrus-sasl
	113	# This is mainly untested, please report any problems to
d2b0a567	114	# pkg-exim4-users@lists.alioth.debian.org.
725c9874	115	# cram_md5_sasl_server:
	116	# driver = cyrus_sasl
	117	# public_name = CRAM-MD5
	118	# server_realm = <short main hostname>
d2b0a567	119	# server_set_id = $auth1
725c9874	120	#
	121	# plain_sasl_server:
	122	# driver = cyrus_sasl
	123	# public_name = PLAIN
	124	# server_realm = <short main hostname>
d2b0a567	125	# server_set_id = $auth1
725c9874	126	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	127	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	128	# .endif
	129	#
	130	# login_sasl_server:
	131	# driver = cyrus_sasl
	132	# public_name = LOGIN
	133	# server_realm = <short main hostname>
d2b0a567	134	# server_set_id = $auth1
725c9874	135	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	136	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	137	# .endif
	138
	139	# Authenticate against courier authdaemon
	140
d2b0a567	141	# This is now the (working!) example from
	142	# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
	143	# Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
725c9874	144	# plain_courier_authdaemon:
	145	# driver = plaintext
	146	# public_name = PLAIN
	147	# server_condition = \
d2b0a567	148	# ${extract {ADDRESS} \
	149	# {${readsocket{/var/run/courier/authdaemon/socket} \
	150	# {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
	151	# {yes} \
	152	# fail}
	153	# server_set_id = $auth2
725c9874	154	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	155	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	156	# .endif
d2b0a567	157
725c9874	158	# login_courier_authdaemon:
	159	# driver = plaintext
	160	# public_name = LOGIN
	161	# server_prompts = Username:: : Password::
d2b0a567	162	# server_condition = \
	163	# ${extract {ADDRESS} \
	164	# {${readsocket{/var/run/courier/authdaemon/socket} \
	165	# {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
	166	# {yes} \
	167	# fail}
	168	# server_set_id = $auth1
725c9874	169	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	170	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	171	# .endif
	172
	173	# This one is a bad hack to support the broken version 4.xx of
	174	# Microsoft Outlook Express which violates the RFCs by demanding
	175	# "250-AUTH=" instead of "250-AUTH ".
d2b0a567	176	# If your list of offered authenticators is other than PLAIN and LOGIN,
d2b0a567	177	# you need to adapt the public_name line manually.
725c9874	178	# It has to be the last authenticator to work and has not been tested
	179	# well. Use at your own risk.
	180	# See the thread entry point from
	181	# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
	182	# for the related discussion on the exim-users mailing list.
	183	# Thanks to Fred Viles for this great work.
	184
	185	# support_broken_outlook_express_4_server:
	186	# driver = plaintext
	187	# public_name = "\r\n250-AUTH=PLAIN LOGIN"
	188	# server_prompts = User Name : Password
	189	# server_condition = no
d2b0a567	190	# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	191	# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	192	# .endif
725c9874	193
725c9874	194	##############
d2b0a567	195	# See /usr/share/doc/exim4-base/README.Debian.gz
725c9874	196	##############
	197
	198	# These examples below are the equivalent for client side authentication.
d2b0a567	199	# They get the passwords from CONFDIR/passwd.client, whose format is
d2b0a567	200	# defined in exim4_passwd_client(5)
725c9874	201
	202	# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
	203	# only allow these mechanisms over encrypted connections by default.
	204	# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
	205	# clear text password authentication on all connections.
	206
	207	cram_md5:
	208	driver = cram_md5
	209	public_name = CRAM-MD5
d2b0a567	210	client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
d2b0a567	211	client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
725c9874	212
8ebdbbac	213	# hcoop-change: Authenticate against either /etc/courier/exim.dat or
8ebdbbac	214	# SASL for plain and login authenticators
e5d180e5	215
8ebdbbac	216	hcoop_plain:
725c9874	217	driver = plaintext
725c9874	218	public_name = PLAIN
06b25c81	219	server_condition = \
8ebdbbac	220	${if or {{crypteq {$3} \
8ebdbbac	221	{${extract{systempw}{${tr{${lookup{$2} \
9ce616e3	222	dbm{/etc/courier/exim.dat} \
8ebdbbac	223	}}{\|}{ }}}}}} \
8ebdbbac	224	{saslauthd {{$2}{$3}}}}}
06b25c81	225	server_set_id = $2
06b25c81	226
8ebdbbac	227	hcoop_login:
e5d180e5	228	driver = plaintext
	229	public_name = LOGIN
	230	server_prompts = "Username:: : Password::"
	231	server_condition = \
8ebdbbac	232	${if or {{crypteq {$2} \
8ebdbbac	233	{${extract{systempw}{${tr{${lookup{$1} \
9ce616e3	234	dbm{/etc/courier/exim.dat} \
8ebdbbac	235	}}{\|}{ }}}}}} \
8ebdbbac	236	{saslauthd {{$1}{$2}}}}}
e5d180e5	237	server_set_id = $1
e5d180e5	238
20e34826	239	# this returns the matching line from passwd.client and doubles all ^
	240	PASSWDLINE=${sg{\
	241	${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
	242	}\
	243	{\\N[\\^]\\N}\
	244	{^^}\
	245	}
	246
e5d180e5	247	# hcoop-change: Comment out plain and login authenticators
e5d180e5	248
06b25c81	249	# plain:
	250	# driver = plaintext
	251	# public_name = PLAIN
	252	# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
20e34826	253	# client_send = "<; ${if !eq{$tls_cipher}{}\
	254	# {^${extract{1}{:}{PASSWDLINE}}\
	255	# ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
06b25c81	256	# }fail}"
06b25c81	257	# .else
20e34826	258	# client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
20e34826	259	# ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
06b25c81	260	# .endif
725c9874	261
e5d180e5	262	# login:
	263	# driver = plaintext
	264	# public_name = LOGIN
	265	# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
	266	# # Return empty string if not non-TLS AND looking up $host in passwd-file
	267	# # yields a non-empty string; fail otherwise.
	268	# client_send = "<; ${if and{\
	269	# {!eq{$tls_cipher}{}}\
	270	# {!eq{PASSWDLINE}{}}\
	271	# }\
	272	# {}fail}\
	273	# ; ${extract{1}{::}{PASSWDLINE}}\
	274	# ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
	275	# .else
	276	# # Return empty string if looking up $host in passwd-file yields a
	277	# # non-empty string; fail otherwise.
	278	# client_send = "<; ${if !eq{PASSWDLINE}{}\
	279	# {}fail}\
	280	# ; ${extract{1}{::}{PASSWDLINE}}\
	281	# ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
	282	# .endif