| 1 | |
| 2 | ### auth/30_exim4-config_examples |
| 3 | ################################# |
| 4 | |
| 5 | # The examples below are for server side authentication, when the |
| 6 | # local exim is SMTP server and clients authenticate to the local exim. |
| 7 | |
| 8 | # They allow two styles of plain-text authentication against a |
| 9 | # CONFDIR/passwd file whose syntax is described in exim4_passwd(5). |
| 10 | |
| 11 | # Hosts that are allowed to use AUTH are defined by the |
| 12 | # auth_advertise_hosts option in the main configuration. The default is |
| 13 | # "*", which allows authentication to all hosts over all kinds of |
| 14 | # connections if there is at least one authenticator defined here. |
| 15 | # Authenticators which rely on unencrypted clear text passwords don't |
| 16 | # advertise on unencrypted connections by default. Thus, it might be |
| 17 | # wise to set up TLS to allow encrypted connections. If TLS cannot be |
| 18 | # used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to |
| 19 | # advertise unencrypted clear text password based authenticators on all |
| 20 | # connections. As this severely reduces security, using TLS is |
| 21 | # preferred over allowing clear text password based authenticators on |
| 22 | # unencrypted connections. |
| 23 | |
| 24 | # PLAIN authentication has no server prompts. The client sends its |
| 25 | # credentials in one lump, containing an authorization ID (which we do not |
| 26 | # use), an authentication ID, and a password. The latter two appear as |
| 27 | # $auth2 and $auth3 in the configuration and should be checked against a |
| 28 | # valid username and password. In a real configuration you would typically |
| 29 | # use $auth2 as a lookup key, and compare $auth3 against the result of the |
| 30 | # lookup, perhaps using the crypteq{}{} condition. |
| 31 | |
| 32 | # plain_server: |
| 33 | # driver = plaintext |
| 34 | # public_name = PLAIN |
| 35 | # server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" |
| 36 | # server_set_id = $auth2 |
| 37 | # server_prompts = : |
| 38 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
| 39 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
| 40 | # .endif |
| 41 | |
| 42 | # LOGIN authentication has traditional prompts and responses. There is no |
| 43 | # authorization ID in this mechanism, so unlike PLAIN the username and |
| 44 | # password are $auth1 and $auth2. Apart from that you can use the same |
| 45 | # server_condition setting for both authenticators. |
| 46 | |
| 47 | # login_server: |
| 48 | # driver = plaintext |
| 49 | # public_name = LOGIN |
| 50 | # server_prompts = "Username:: : Password::" |
| 51 | # server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" |
| 52 | # server_set_id = $auth1 |
| 53 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
| 54 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
| 55 | # .endif |
| 56 | # |
| 57 | # cram_md5_server: |
| 58 | # driver = cram_md5 |
| 59 | # public_name = CRAM-MD5 |
| 60 | # server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}} |
| 61 | # server_set_id = $auth1 |
| 62 | |
| 63 | # Here is an example of CRAM-MD5 authentication against PostgreSQL: |
| 64 | # |
| 65 | # psqldb_auth_server: |
| 66 | # driver = cram_md5 |
| 67 | # public_name = CRAM-MD5 |
| 68 | # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail} |
| 69 | # server_set_id = $auth1 |
| 70 | |
| 71 | # Authenticate against local passwords using sasl2-bin |
| 72 | # Requires exim_uid to be a member of sasl group, see README.Debian.gz |
| 73 | # plain_saslauthd_server: |
| 74 | # driver = plaintext |
| 75 | # public_name = PLAIN |
| 76 | # server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} |
| 77 | # server_set_id = $auth2 |
| 78 | # server_prompts = : |
| 79 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
| 80 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
| 81 | # .endif |
| 82 | # |
| 83 | # login_saslauthd_server: |
| 84 | # driver = plaintext |
| 85 | # public_name = LOGIN |
| 86 | # server_prompts = "Username:: : Password::" |
| 87 | # # don't send system passwords over unencrypted connections |
| 88 | # server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}} |
| 89 | # server_set_id = $auth1 |
| 90 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
| 91 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
| 92 | # .endif |
| 93 | # |
| 94 | # ntlm_sasl_server: |
| 95 | # driver = cyrus_sasl |
| 96 | # public_name = NTLM |
| 97 | # server_realm = <short main hostname> |
| 98 | # server_set_id = $auth1 |
| 99 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
| 100 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
| 101 | # .endif |
| 102 | # |
| 103 | # digest_md5_sasl_server: |
| 104 | # driver = cyrus_sasl |
| 105 | # public_name = DIGEST-MD5 |
| 106 | # server_realm = <short main hostname> |
| 107 | # server_set_id = $auth1 |
| 108 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
| 109 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
| 110 | # .endif |
| 111 | |
| 112 | # Authenticate against cyrus-sasl |
| 113 | # This is mainly untested, please report any problems to |
| 114 | # pkg-exim4-users@lists.alioth.debian.org. |
| 115 | # cram_md5_sasl_server: |
| 116 | # driver = cyrus_sasl |
| 117 | # public_name = CRAM-MD5 |
| 118 | # server_realm = <short main hostname> |
| 119 | # server_set_id = $auth1 |
| 120 | # |
| 121 | # plain_sasl_server: |
| 122 | # driver = cyrus_sasl |
| 123 | # public_name = PLAIN |
| 124 | # server_realm = <short main hostname> |
| 125 | # server_set_id = $auth1 |
| 126 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
| 127 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
| 128 | # .endif |
| 129 | # |
| 130 | # login_sasl_server: |
| 131 | # driver = cyrus_sasl |
| 132 | # public_name = LOGIN |
| 133 | # server_realm = <short main hostname> |
| 134 | # server_set_id = $auth1 |
| 135 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
| 136 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
| 137 | # .endif |
| 138 | |
| 139 | # Authenticate against courier authdaemon |
| 140 | |
| 141 | # This is now the (working!) example from |
| 142 | # http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730 |
| 143 | # Possible pitfall: access rights on /var/run/courier/authdaemon/socket. |
| 144 | # plain_courier_authdaemon: |
| 145 | # driver = plaintext |
| 146 | # public_name = PLAIN |
| 147 | # server_condition = \ |
| 148 | # ${extract {ADDRESS} \ |
| 149 | # {${readsocket{/var/run/courier/authdaemon/socket} \ |
| 150 | # {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \ |
| 151 | # {yes} \ |
| 152 | # fail} |
| 153 | # server_set_id = $auth2 |
| 154 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
| 155 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
| 156 | # .endif |
| 157 | |
| 158 | # login_courier_authdaemon: |
| 159 | # driver = plaintext |
| 160 | # public_name = LOGIN |
| 161 | # server_prompts = Username:: : Password:: |
| 162 | # server_condition = \ |
| 163 | # ${extract {ADDRESS} \ |
| 164 | # {${readsocket{/var/run/courier/authdaemon/socket} \ |
| 165 | # {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \ |
| 166 | # {yes} \ |
| 167 | # fail} |
| 168 | # server_set_id = $auth1 |
| 169 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
| 170 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
| 171 | # .endif |
| 172 | |
| 173 | # This one is a bad hack to support the broken version 4.xx of |
| 174 | # Microsoft Outlook Express which violates the RFCs by demanding |
| 175 | # "250-AUTH=" instead of "250-AUTH ". |
| 176 | # If your list of offered authenticators is other than PLAIN and LOGIN, |
| 177 | # you need to adapt the public_name line manually. |
| 178 | # It has to be the last authenticator to work and has not been tested |
| 179 | # well. Use at your own risk. |
| 180 | # See the thread entry point from |
| 181 | # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html |
| 182 | # for the related discussion on the exim-users mailing list. |
| 183 | # Thanks to Fred Viles for this great work. |
| 184 | |
| 185 | # support_broken_outlook_express_4_server: |
| 186 | # driver = plaintext |
| 187 | # public_name = "\r\n250-AUTH=PLAIN LOGIN" |
| 188 | # server_prompts = User Name : Password |
| 189 | # server_condition = no |
| 190 | # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS |
| 191 | # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} |
| 192 | # .endif |
| 193 | |
| 194 | ############## |
| 195 | # See /usr/share/doc/exim4-base/README.Debian.gz |
| 196 | ############## |
| 197 | |
| 198 | # The examples below are the client-side equivalents. |
| 199 | # They get the passwords from CONFDIR/passwd.client, whose format is |
| 200 | # defined in exim4_passwd_client(5) |
| 201 | |
| 202 | # Because AUTH PLAIN and AUTH LOGIN send the password in clear, we |
| 203 | # only allow these mechanisms over encrypted connections by default. |
| 204 | # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted |
| 205 | # clear text password authentication on all connections. |
| 206 | |
# Client-side CRAM-MD5 (this exim authenticating to a remote server).
# Login name and shared secret are looked up in CONFDIR/passwd.client,
# keyed by the remote $host with wildcard matching (nwildlsearch); the
# record is colon-separated, column 1 = name, column 2 = secret.
# The secret is stored and read in clear, so passwd.client must be
# readable by the exim user only.
# 'fail' turns a missing $host record into a forced expansion failure,
# which exim treats as "do not attempt this authenticator" rather than
# sending empty credentials — presumably; confirm against the exim spec.
cram_md5:
driver = cram_md5
public_name = CRAM-MD5
client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
| 212 | |
| 213 | # hcoop-change: the PLAIN and LOGIN server authenticators below accept a |
| 214 | # password that matches either /etc/courier/exim.dat or saslauthd |
| 215 | |
# Server-side PLAIN (hcoop variant). The client sends everything in one
# lump: $auth1 is the authorization ID (ignored here), $auth2 the
# authentication ID and $auth3 the password. The password is accepted
# when EITHER of the two or{} branches holds:
#   - crypteq: $auth3 matches the "systempw" field of the $auth2 record
#     in the dbm file /etc/courier/exim.dat. The record's '|' separators
#     are translated to spaces by ${tr} so that ${extract{systempw}...}
#     can read it as whitespace-separated key=value pairs; or
#   - saslauthd accepts $auth2/$auth3 for the service name "exim4".
# NOTE(review): when $auth2 has no record in exim.dat the lookup expands
# to the empty string and crypteq is evaluated against an empty hash;
# confirm that crypteq treats this as a mismatch. Neither branch rejects
# an empty $auth3 explicitly — worth verifying both backends do.
hcoop_plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = \
${if or {{crypteq {$auth3} \
{${extract{systempw}{${tr{${lookup{$auth2} \
dbm{/etc/courier/exim.dat} \
}}{|}{ }}}}}} \
{saslauthd {{$auth2}{$auth3}{exim4}}}}}
# Record the authenticated user as the authentication ID.
server_set_id = $auth2
# Advertise PLAIN only when a TLS cipher is in use. Unlike the Debian
# examples above this is NOT wrapped in
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS, so that macro has no effect
# here: clear-text PLAIN is never offered on an unencrypted connection.
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
| 228 | |
# Server-side LOGIN (hcoop variant). LOGIN has no authorization ID, so
# the prompted username is $auth1 and the password $auth2. The check is
# the same as for hcoop_plain with the variables shifted: the password
# is accepted when EITHER of the two or{} branches holds:
#   - crypteq: $auth2 matches the "systempw" field of the $auth1 record
#     in the dbm file /etc/courier/exim.dat ('|' separators are
#     translated to spaces by ${tr} so ${extract{systempw}...} can read
#     the record as whitespace-separated key=value pairs); or
#   - saslauthd accepts $auth1/$auth2 for the service name "exim4".
# NOTE(review): when $auth1 has no record in exim.dat the lookup expands
# to the empty string and crypteq is evaluated against an empty hash;
# confirm that crypteq treats this as a mismatch. Neither branch rejects
# an empty $auth2 explicitly — worth verifying both backends do.
hcoop_login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = \
${if or {{crypteq {$auth2} \
{${extract{systempw}{${tr{${lookup{$auth1} \
dbm{/etc/courier/exim.dat} \
}}{|}{ }}}}}} \
{saslauthd {{$auth1}{$auth2}{exim4}}}}}
# Record the authenticated user as the prompted username.
server_set_id = $auth1
# Advertise LOGIN only when a TLS cipher is in use. Unlike the Debian
# examples above this is NOT wrapped in
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS, so that macro has no effect
# here: clear-text LOGIN is never offered on an unencrypted connection.
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
| 241 | |
# Macro used by the client-side PLAIN/LOGIN authenticators below: expands
# to the passwd.client line matching $host (forced expansion failure when
# there is none) with every '^' doubled. In a plaintext client_send a
# single '^' stands for a NUL field separator and only '^^' is sent as a
# literal caret, so the doubling keeps carets inside the password intact.
# The regex is wrapped in \N...\N so its backslashes and brackets are
# not touched by string expansion.
PASSWDLINE=${sg{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
}\
{\\N[\\^]\\N}\
{^^}\
}
| 249 | |
| 250 | # hcoop-change: Comment out plain and login authenticators |
| 251 | |
| 252 | # plain: |
| 253 | # driver = plaintext |
| 254 | # public_name = PLAIN |
| 255 | # .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS |
| 256 | # client_send = "<; ${if !eq{$tls_cipher}{}\ |
| 257 | # {^${extract{1}{:}{PASSWDLINE}}\ |
| 258 | # ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\ |
| 259 | # }fail}" |
| 260 | # .else |
| 261 | # client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\ |
| 262 | # ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" |
| 263 | # .endif |
| 264 | |
| 265 | # login: |
| 266 | # driver = plaintext |
| 267 | # public_name = LOGIN |
| 268 | # .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS |
| 269 | # # Return empty string if the connection uses TLS AND looking up $host in passwd-file |
| 270 | # # yields a non-empty string; fail otherwise. |
| 271 | # client_send = "<; ${if and{\ |
| 272 | # {!eq{$tls_cipher}{}}\ |
| 273 | # {!eq{PASSWDLINE}{}}\ |
| 274 | # }\ |
| 275 | # {}fail}\ |
| 276 | # ; ${extract{1}{::}{PASSWDLINE}}\ |
| 277 | # ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" |
| 278 | # .else |
| 279 | # # Return empty string if looking up $host in passwd-file yields a |
| 280 | # # non-empty string; fail otherwise. |
| 281 | # client_send = "<; ${if !eq{PASSWDLINE}{}\ |
| 282 | # {}fail}\ |
| 283 | # ; ${extract{1}{::}{PASSWDLINE}}\ |
| 284 | # ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" |
| 285 | # .endif |