1 | |
2 | ### auth/30_exim4-config_examples |
3 | ################################# |
4 | |
5 | # The examples below are for server side authentication, when the |
6 | # local exim is SMTP server and clients authenticate to the local exim. |
7 | |
8 | # They allow two styles of plain-text authentication against a |
9 | # CONFDIR/passwd file whose syntax is described in exim_passwd(5). |
10 | |
11 | # Hosts that are allowed to use AUTH are defined by the |
12 | # auth_advertise_hosts option in the main configuration. The default is |
13 | # "*", which allows authentication to all hosts over all kinds of |
14 | # connections if there is at least one authenticator defined here. |
15 | # Authenticators which rely on unencrypted clear text passwords don't |
16 | # advertise on unencrypted connections by default. Thus, it might be |
17 | # wise to set up TLS to allow encrypted connections. If TLS cannot be |
18 | # used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to |
19 | # advertise unencrypted clear text password based authenticators on all |
20 | # connections. As this severely reduces security, using TLS is |
21 | # preferred over allowing clear text password based authenticators on |
22 | # unencrypted connections. |
23 | |
24 | # PLAIN authentication has no server prompts. The client sends its |
25 | # credentials in one lump, containing an authorization ID (which we do not |
26 | # use), an authentication ID, and a password. The latter two appear as |
27 | # $auth2 and $auth3 in the configuration and should be checked against a |
28 | # valid username and password. In a real configuration you would typically |
29 | # use $auth2 as a lookup key, and compare $auth3 against the result of the |
30 | # lookup, perhaps using the crypteq{}{} condition. |
31 | |
32 | # plain_server: |
33 | # driver = plaintext |
34 | # public_name = PLAIN |
35 | # server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" |
36 | # server_set_id = $auth2 |
37 | # server_prompts = : |
38 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
39 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
40 | # .endif |
41 | |
42 | # LOGIN authentication has traditional prompts and responses. There is no |
43 | # authorization ID in this mechanism, so unlike PLAIN the username and |
44 | # password are $auth1 and $auth2. Apart from that you can use the same |
45 | # server_condition setting for both authenticators. |
46 | |
47 | # login_server: |
48 | # driver = plaintext |
49 | # public_name = LOGIN |
50 | # server_prompts = "Username:: : Password::" |
51 | # server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" |
52 | # server_set_id = $auth1 |
53 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
54 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
55 | # .endif |
56 | # |
57 | # cram_md5_server: |
58 | # driver = cram_md5 |
59 | # public_name = CRAM-MD5 |
60 | # server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}} |
61 | # server_set_id = $auth1 |
62 | |
63 | # Here is an example of CRAM-MD5 authentication against PostgreSQL: |
64 | # |
65 | # psqldb_auth_server: |
66 | # driver = cram_md5 |
67 | # public_name = CRAM-MD5 |
68 | # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail} |
69 | # server_set_id = $auth1 |
70 | |
71 | # Authenticate against local passwords using sasl2-bin |
72 | # Requires exim_uid to be a member of sasl group, see README.Debian.gz |
73 | # plain_saslauthd_server: |
74 | # driver = plaintext |
75 | # public_name = PLAIN |
76 | # server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} |
77 | # server_set_id = $auth2 |
78 | # server_prompts = : |
79 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
80 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
81 | # .endif |
82 | # |
83 | # login_saslauthd_server: |
84 | # driver = plaintext |
85 | # public_name = LOGIN |
86 | # server_prompts = "Username:: : Password::" |
87 | # # don't send system passwords over unencrypted connections |
88 | # server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}} |
89 | # server_set_id = $auth1 |
90 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
91 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
92 | # .endif |
93 | # |
94 | # ntlm_sasl_server: |
95 | # driver = cyrus_sasl |
96 | # public_name = NTLM |
97 | # server_realm = <short main hostname> |
98 | # server_set_id = $auth1 |
99 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
100 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
101 | # .endif |
102 | # |
103 | # digest_md5_sasl_server: |
104 | # driver = cyrus_sasl |
105 | # public_name = DIGEST-MD5 |
106 | # server_realm = <short main hostname> |
107 | # server_set_id = $auth1 |
108 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
109 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
110 | # .endif |
111 | |
112 | # Authenticate against cyrus-sasl |
113 | # This is mostly untested; please report any problems to |
114 | # pkg-exim4-users@lists.alioth.debian.org. |
115 | # cram_md5_sasl_server: |
116 | # driver = cyrus_sasl |
117 | # public_name = CRAM-MD5 |
118 | # server_realm = <short main hostname> |
119 | # server_set_id = $auth1 |
120 | # |
121 | # plain_sasl_server: |
122 | # driver = cyrus_sasl |
123 | # public_name = PLAIN |
124 | # server_realm = <short main hostname> |
125 | # server_set_id = $auth1 |
126 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
127 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
128 | # .endif |
129 | # |
130 | # login_sasl_server: |
131 | # driver = cyrus_sasl |
132 | # public_name = LOGIN |
133 | # server_realm = <short main hostname> |
134 | # server_set_id = $auth1 |
135 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
136 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
137 | # .endif |
138 | |
139 | # Authenticate against courier authdaemon |
140 | |
141 | # This is now the (working!) example from |
142 | # http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730 |
143 | # Possible pitfall: access rights on /var/run/courier/authdaemon/socket. |
144 | # plain_courier_authdaemon: |
145 | # driver = plaintext |
146 | # public_name = PLAIN |
147 | # server_condition = \ |
148 | # ${extract {ADDRESS} \ |
149 | # {${readsocket{/var/run/courier/authdaemon/socket} \ |
150 | # {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \ |
151 | # {yes} \ |
152 | # fail} |
153 | # server_set_id = $auth2 |
154 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
155 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
156 | # .endif |
157 | |
158 | # login_courier_authdaemon: |
159 | # driver = plaintext |
160 | # public_name = LOGIN |
161 | # server_prompts = Username:: : Password:: |
162 | # server_condition = \ |
163 | # ${extract {ADDRESS} \ |
164 | # {${readsocket{/var/run/courier/authdaemon/socket} \ |
165 | # {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \ |
166 | # {yes} \ |
167 | # fail} |
168 | # server_set_id = $auth1 |
169 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
170 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
171 | # .endif |
172 | |
173 | # This one is a bad hack to support the broken version 4.xx of |
174 | # Microsoft Outlook Express which violates the RFCs by demanding |
175 | # "250-AUTH=" instead of "250-AUTH ". |
176 | # If your list of offered authenticators is other than PLAIN and LOGIN, |
177 | # you need to adapt the public_name line manually. |
178 | # It has to be the last authenticator to work and has not been tested |
179 | # well. Use at your own risk. |
180 | # See the thread entry point from |
181 | # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html |
182 | # for the related discussion on the exim-users mailing list. |
183 | # Thanks to Fred Viles for this great work. |
184 | |
185 | # support_broken_outlook_express_4_server: |
186 | # driver = plaintext |
187 | # public_name = "\r\n250-AUTH=PLAIN LOGIN" |
188 | # server_prompts = User Name : Password |
189 | # server_condition = no |
190 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
191 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
192 | # .endif |
193 | |
194 | ############## |
195 | # See /usr/share/doc/exim4-base/README.Debian.gz |
196 | ############## |
197 | |
198 | # The examples below are the equivalent for client side authentication. |
199 | # They get the passwords from CONFDIR/passwd.client, whose format is |
200 | # defined in exim4_passwd_client(5) |
201 | |
202 | # Because AUTH PLAIN and AUTH LOGIN send the password in clear text, we |
203 | # only allow these mechanisms over encrypted connections by default. |
204 | # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted |
205 | # clear text password authentication on all connections. |
206 | |
# Client-side CRAM-MD5. The user name (field 1) and shared secret
# (field 2) are taken from the passwd.client line whose host pattern
# matches $host; nwildlsearch matches those patterns without
# string-expanding them. The secret is stored in clear text in that
# file, so the file's permissions are what protect it.
# There is no AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS gate on this
# authenticator, because CRAM-MD5 is a challenge/response mechanism and
# the secret itself is never sent on the wire; it is still an MD5-based
# scheme, so prefer TLS on the transport regardless.
# NOTE(review): a forced lookup failure (no matching host) is expected
# to make Exim abandon this authenticator rather than authenticate with
# empty values -- confirm against the Exim spec for the cram_md5 driver.
cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
  client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
212 | |
# Client-side PLAIN. The whole credential is sent as one response of the
# form <authorization-id> NUL <authentication-id> NUL <password>; in
# client_send a single "^" stands for NUL. The leading "^" therefore
# sends an empty authorization id, and fields 1 and 2 of the matching
# passwd.client line supply the user name and password.
plain:
  driver = plaintext
  public_name = PLAIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
# Only release the clear-text password when TLS has been negotiated
# ($tls_cipher is non-empty); otherwise force a failure so this
# authenticator is not used on the connection.
# This gates on encryption only, not on verification of the server's
# certificate: a TLS peer whose certificate is not verified still
# receives the password. Pair this with the smtp transport's TLS
# verification options (e.g. hosts_require_tls, tls_verify_certificates)
# for the hosts listed in passwd.client.
  client_send = "${if !eq{$tls_cipher}{}{\
    ^${extract{1}{::}\
    {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}\
    ^${extract{2}{::}\
    {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}\
    }fail}"
.else
# AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS is defined: the password is sent on
# any connection, including unencrypted ones.
  client_send = "^${extract{1}{::}\
    {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}\
    ^${extract{2}{::}\
    {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}"
.endif
229 | |
# Client-side LOGIN. client_send is a colon-separated list of responses:
# the first item goes with the AUTH command and is empty on success here,
# so the user name (field 1) and password (field 2) from the matching
# passwd.client line are only sent in reply to the server's two prompts.
login:
  driver = plaintext
  public_name = LOGIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
# First item: yield an empty string only when TLS is active
# ($tls_cipher non-empty) AND looking up $host in the passwd file yields
# a non-empty string; otherwise force a failure, which abandons this
# authenticator before any credential is sent.
# As with PLAIN above, this checks for encryption only, not for
# verification of the server's certificate; see the smtp transport's
# TLS verification options for the hosts listed in passwd.client.
  client_send = "${if and{\
    {!eq{$tls_cipher}{}}\
    {!eq\
      {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}\
      {$value}fail}}\
      {}}\
    }\
    {}fail}\
    : ${extract{1}{::}\
    {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} \
    : ${extract{2}{::}\
    {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}"
.else
# AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS is defined: no TLS check.
# First item: yield an empty string if looking up $host in the passwd
# file yields a non-empty string; fail otherwise. The clear-text
# password is then sent on any connection, including unencrypted ones.
  client_send = "${if !eq\
    {${lookup\
      {$host}nwildlsearch{CONFDIR/passwd.client}\
      {$value}fail}}\
    {}\
    {}fail}\
    : ${extract{1}{::}\
    {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} \
    : ${extract{2}{::}\
    {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}"
.endif