725c9874 | 1 | |
2 | ### auth/30_exim4-config_examples | |
3 | ################################# | |
4 | ||
d2b0a567 | 5 | # The examples below are for server side authentication, when the |
6 | # local exim is SMTP server and clients authenticate to the local exim. | |
725c9874 | 7 | |
8 | # They allow two styles of plain-text authentication against an | |
d38e06ff | 9 | # CONFDIR/passwd file whose syntax is described in exim4_passwd(5). |
725c9874 | 10 | |
11 | # Hosts that are allowed to use AUTH are defined by the | |
12 | # auth_advertise_hosts option in the main configuration. The default is | |
13 | # "*", which allows authentication to all hosts over all kinds of | |
14 | # connections if there is at least one authenticator defined here. | |
15 | # Authenticators which rely on unencrypted clear text passwords don't | |
d2b0a567 | 16 | # advertise on unencrypted connections by default. Thus, it might be |
17 | # wise to set up TLS to allow encrypted connections. If TLS cannot be | |
18 | # used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to | |
19 | # advertise unencrypted clear text password based authenticators on all | |
20 | # connections. As this is severely reducing security, using TLS is | |
21 | # preferred over allowing clear text password based authenticators on | |
22 | # unencrypted connections. | |
23 | ||
24 | # PLAIN authentication has no server prompts. The client sends its | |
25 | # credentials in one lump, containing an authorization ID (which we do not | |
26 | # use), an authentication ID, and a password. The latter two appear as | |
27 | # $auth2 and $auth3 in the configuration and should be checked against a | |
28 | # valid username and password. In a real configuration you would typically | |
29 | # use $auth2 as a lookup key, and compare $auth3 against the result of the | |
30 | # lookup, perhaps using the crypteq{}{} condition. | |
725c9874 | 31 | |
32 | # plain_server: | |
33 | # driver = plaintext | |
34 | # public_name = PLAIN | |
d2b0a567 | 35 | # server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" |
36 | # server_set_id = $auth2 | |
725c9874 | 37 | # server_prompts = : |
38 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS | |
39 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} | |
40 | # .endif | |
d2b0a567 | 41 | |
42 | # LOGIN authentication has traditional prompts and responses. There is no | |
43 | # authorization ID in this mechanism, so unlike PLAIN the username and | |
44 | # password are $auth1 and $auth2. Apart from that you can use the same | |
45 | # server_condition setting for both authenticators. | |
46 | ||
725c9874 | 47 | # login_server: |
48 | # driver = plaintext | |
49 | # public_name = LOGIN | |
50 | # server_prompts = "Username:: : Password::" | |
d2b0a567 | 51 | # server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" |
52 | # server_set_id = $auth1 | |
725c9874 | 53 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
54 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} | |
55 | # .endif | |
56 | # | |
57 | # cram_md5_server: | |
58 | # driver = cram_md5 | |
59 | # public_name = CRAM-MD5 | |
d2b0a567 | 60 | # server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}} |
61 | # server_set_id = $auth1 | |
725c9874 | 62 | |
63 | # Here is an example of CRAM-MD5 authentication against PostgreSQL: | |
64 | # | |
65 | # psqldb_auth_server: | |
66 | # driver = cram_md5 | |
67 | # public_name = CRAM-MD5 | |
d2b0a567 | 68 | # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail} |
69 | # server_set_id = $auth1 | |
725c9874 | 70 | |
71 | # Authenticate against local passwords using sasl2-bin | |
d2b0a567 | 72 | # Requires exim_uid to be a member of sasl group, see README.Debian.gz |
725c9874 | 73 | # plain_saslauthd_server: |
74 | # driver = plaintext | |
75 | # public_name = PLAIN | |
d2b0a567 | 76 | # server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} |
77 | # server_set_id = $auth2 | |
725c9874 | 78 | # server_prompts = : |
79 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS | |
80 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} | |
81 | # .endif | |
82 | # | |
83 | # login_saslauthd_server: | |
84 | # driver = plaintext | |
85 | # public_name = LOGIN | |
86 | # server_prompts = "Username:: : Password::" | |
87 | # # don't send system passwords over unencrypted connections | |
d2b0a567 | 88 | # server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}} |
89 | # server_set_id = $auth1 | |
725c9874 | 90 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
91 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} | |
92 | # .endif | |
93 | # | |
94 | # ntlm_sasl_server: | |
95 | # driver = cyrus_sasl | |
96 | # public_name = NTLM | |
97 | # server_realm = <short main hostname> | |
d2b0a567 | 98 | # server_set_id = $auth1 |
725c9874 | 99 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
100 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} | |
101 | # .endif | |
102 | # | |
103 | # digest_md5_sasl_server: | |
104 | # driver = cyrus_sasl | |
105 | # public_name = DIGEST-MD5 | |
106 | # server_realm = <short main hostname> | |
d2b0a567 | 107 | # server_set_id = $auth1 |
725c9874 | 108 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
109 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} | |
110 | # .endif | |
111 | ||
112 | # Authenticate against cyrus-sasl | |
113 | # This is mainly untested, please report any problems to | |
d2b0a567 | 114 | # pkg-exim4-users@lists.alioth.debian.org. |
725c9874 | 115 | # cram_md5_sasl_server: |
116 | # driver = cyrus_sasl | |
117 | # public_name = CRAM-MD5 | |
118 | # server_realm = <short main hostname> | |
d2b0a567 | 119 | # server_set_id = $auth1 |
725c9874 | 120 | # |
121 | # plain_sasl_server: | |
122 | # driver = cyrus_sasl | |
123 | # public_name = PLAIN | |
124 | # server_realm = <short main hostname> | |
d2b0a567 | 125 | # server_set_id = $auth1 |
725c9874 | 126 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
127 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} | |
128 | # .endif | |
129 | # | |
130 | # login_sasl_server: | |
131 | # driver = cyrus_sasl | |
132 | # public_name = LOGIN | |
133 | # server_realm = <short main hostname> | |
d2b0a567 | 134 | # server_set_id = $auth1 |
725c9874 | 135 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
136 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} | |
137 | # .endif | |
138 | ||
139 | # Authenticate against courier authdaemon | |
140 | ||
d2b0a567 | 141 | # This is now the (working!) example from |
142 | # http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730 | |
143 | # Possible pitfall: access rights on /var/run/courier/authdaemon/socket. | |
725c9874 | 144 | # plain_courier_authdaemon: |
145 | # driver = plaintext | |
146 | # public_name = PLAIN | |
147 | # server_condition = \ | |
d2b0a567 | 148 | # ${extract {ADDRESS} \ |
149 | # {${readsocket{/var/run/courier/authdaemon/socket} \ | |
150 | # {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \ | |
151 | # {yes} \ | |
152 | # fail} | |
153 | # server_set_id = $auth2 | |
725c9874 | 154 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
155 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} | |
156 | # .endif | |
d2b0a567 | 157 | |
725c9874 | 158 | # login_courier_authdaemon: |
159 | # driver = plaintext | |
160 | # public_name = LOGIN | |
161 | # server_prompts = Username:: : Password:: | |
d2b0a567 | 162 | # server_condition = \ |
163 | # ${extract {ADDRESS} \ | |
164 | # {${readsocket{/var/run/courier/authdaemon/socket} \ | |
165 | # {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \ | |
166 | # {yes} \ | |
167 | # fail} | |
168 | # server_set_id = $auth1 | |
725c9874 | 169 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
170 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} | |
171 | # .endif | |
172 | ||
173 | # This one is a bad hack to support the broken version 4.xx of | |
174 | # Microsoft Outlook Express which violates the RFCs by demanding | |
175 | # "250-AUTH=" instead of "250-AUTH ". | |
d2b0a567 | 176 | # If your list of offered authenticators is other than PLAIN and LOGIN, |
177 | # you need to adapt the public_name line manually. | |
725c9874 | 178 | # It has to be the last authenticator to work and has not been tested |
179 | # well. Use at your own risk. | |
180 | # See the thread entry point from | |
181 | # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html | |
182 | # for the related discussion on the exim-users mailing list. | |
183 | # Thanks to Fred Viles for this great work. | |
184 | ||
185 | # support_broken_outlook_express_4_server: | |
186 | # driver = plaintext | |
187 | # public_name = "\r\n250-AUTH=PLAIN LOGIN" | |
188 | # server_prompts = User Name : Password | |
189 | # server_condition = no | |
d2b0a567 | 190 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
191 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} | |
192 | # .endif | |
725c9874 | 193 | |
194 | ############## | |
d2b0a567 | 195 | # See /usr/share/doc/exim4-base/README.Debian.gz |
725c9874 | 196 | ############## |
197 | ||
198 | # These examples below are the equivalent for client side authentication. | |
d2b0a567 | 199 | # They get the passwords from CONFDIR/passwd.client, whose format is |
200 | # defined in exim4_passwd_client(5) | |
725c9874 | 201 | |
202 | # Because AUTH PLAIN and AUTH LOGIN send the password in clear, we | |
203 | # only allow these mechanisms over encrypted connections by default. | |
204 | # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted | |
205 | # clear text password authentication on all connections. | |
206 | ||
# Client-side CRAM-MD5: used when this exim authenticates to a remote
# SMTP server. Both values come from the CONFDIR/passwd.client line that
# matches the remote $host: the first colon-separated field is the
# username, the second the shared secret. With no matching line the
# lookup is forced to fail, so no guessed credential is ever sent.
cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
  client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
725c9874 | 212 | |
213 | # hcoop-change: Authenticate against either /etc/courier/exim.dat or |
214 | # SASL for plain and login authenticators | |
215 | ||
hcoop_plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  # Accept if EITHER the supplied password ($auth3) matches the hash stored
  # in the "systempw" field of the /etc/courier/exim.dat record for the
  # username ($auth2) -- the record's "|"-separated fields are first turned
  # into a space-separated key=value list for ${extract} -- OR saslauthd
  # accepts the same username/password (third argument "exim4", presumably
  # the service name -- confirm). A user whose exim.dat hash does not match
  # is therefore still tried against saslauthd.
  # NOTE(review): the dbm lookup has no default/failure argument, so an
  # unknown username yields an empty hash and crypteq is asked to compare
  # $auth3 against "". The commented examples above supply {$value}{*:*}
  # so that a missing user can never match; consider the equivalent here
  # rather than relying on how crypteq treats an empty comparand.
  server_condition = \
    ${if or {{crypteq {$auth3} \
      {${extract{systempw}{${tr{${lookup{$auth2} \
        dbm{/etc/courier/exim.dat} \
      }}{|}{ }}}}}} \
    {saslauthd {{$auth2}{$auth3}{exim4}}}}}
  server_set_id = $auth2
  # Unconditional, unlike the .ifndef-guarded examples above: PLAIN is only
  # advertised on TLS connections, and AUTH_SERVER_ALLOW_NOTLS_PASSWORDS has
  # no effect on this authenticator.
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
228 | ||
hcoop_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  # LOGIN carries no authorization ID, so username and password are $auth1
  # and $auth2. Accept if EITHER the password matches the hash in the
  # "systempw" field of the /etc/courier/exim.dat record for the username
  # (fields are "|"-separated in the record; ${tr} makes them space-separated
  # for the keyed ${extract}) OR saslauthd accepts the pair (third argument
  # "exim4", presumably the service name -- confirm). A mismatching
  # exim.dat hash still falls through to saslauthd.
  # NOTE(review): the dbm lookup has no default/failure argument, so an
  # unknown username makes crypteq compare $auth2 against "". The commented
  # examples above use {$value}{*:*} to guarantee a non-matching value;
  # consider the equivalent here instead of relying on crypteq's handling
  # of an empty comparand.
  server_condition = \
    ${if or {{crypteq {$auth2} \
      {${extract{systempw}{${tr{${lookup{$auth1} \
        dbm{/etc/courier/exim.dat} \
      }}{|}{ }}}}}} \
    {saslauthd {{$auth1}{$auth2}{exim4}}}}}
  server_set_id = $auth1
  # Unconditional, unlike the .ifndef-guarded examples above: LOGIN is only
  # advertised on TLS connections, and AUTH_SERVER_ALLOW_NOTLS_PASSWORDS has
  # no effect on this authenticator.
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
241 | ||
# Macro: the passwd.client line matching the remote $host (the lookup is
# forced to fail when there is no match), with every "^" doubled to "^^".
# In the plaintext client_send examples below a single "^" separates the
# PLAIN fields (it is sent as a NUL separator), so doubling is what keeps a
# literal caret inside a username or password intact.
PASSWDLINE=${sg{\
  ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
  }\
  {\\N[\\^]\\N}\
  {^^}\
  }
249 | ||
250 | # hcoop-change: Comment out plain and login authenticators |
251 | ||
252 | # plain: | |
253 | # driver = plaintext | |
254 | # public_name = PLAIN | |
255 | # .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS | |
256 | # client_send = "<; ${if !eq{$tls_cipher}{}\ | |
257 | # {^${extract{1}{:}{PASSWDLINE}}\ | |
258 | # ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\ | |
259 | # }fail}" | |
260 | # .else | |
261 | # client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\ | |
262 | # ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" | |
263 | # .endif | |
264 | ||
265 | # login: | |
266 | # driver = plaintext | |
267 | # public_name = LOGIN | |
268 | # .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS | |
269 | # # Return empty string if not non-TLS AND looking up $host in passwd-file | |
270 | # # yields a non-empty string; fail otherwise. | |
271 | # client_send = "<; ${if and{\ | |
272 | # {!eq{$tls_cipher}{}}\ | |
273 | # {!eq{PASSWDLINE}{}}\ | |
274 | # }\ | |
275 | # {}fail}\ | |
276 | # ; ${extract{1}{::}{PASSWDLINE}}\ | |
277 | # ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" | |
278 | # .else | |
279 | # # Return empty string if looking up $host in passwd-file yields a | |
280 | # # non-empty string; fail otherwise. | |
281 | # client_send = "<; ${if !eq{PASSWDLINE}{}\ | |
282 | # {}fail}\ | |
283 | # ; ${extract{1}{::}{PASSWDLINE}}\ | |
284 | # ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" | |
285 | # .endif |