2 ### auth/30_exim4-config_examples
3 #################################
5 # The examples below are for server side authentication
7 # They allow two styles of plain-text authentication against a
8 # CONFDIR/passwd file which should have user names in the first column
9 # and crypted passwords in the second. The columns need to be separated
10 # by ':'. Please note that apache's htpasswd program generates a file
11 # in the correct format, but uses a different crypt scheme. So,
12 # htpasswd will _NOT_ work for exim4.
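14 # For CRAM-MD5 exim needs access to the UNENCRYPTED password - the example
15 # below assumes it is available in the third column of CONFDIR/passwd.
# Since that column holds clear-text passwords, the file must not be
# readable by ordinary users.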
17 # Hosts that are allowed to use AUTH are defined by the
18 # auth_advertise_hosts option in the main configuration. The default is
19 # "*", which allows authentication to all hosts over all kinds of
20 # connections if there is at least one authenticator defined here.
21 # Authenticators which rely on unencrypted clear text passwords don't
22 # advertise on unencrypted connections by default. You can set
23 # AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to advertise unencrypted clear text
24 # password based authenticators on all connections; the passwords can
# then be read by anyone able to observe the connection.
29 # server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
32 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
33 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
39 # server_prompts = "Username:: : Password::"
40 # server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
42 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
43 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
48 # public_name = CRAM-MD5
49 # server_secret = ${extract{2}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}fail}}}
52 # Here is an example of CRAM-MD5 authentication against PostgreSQL:
56 # public_name = CRAM-MD5
57 # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$1}'}{$value}fail}
60 # Authenticate against local passwords using sasl2-bin
61 # Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH
62 # plain_saslauthd_server:
65 # server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
68 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
69 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
72 # login_saslauthd_server:
75 # server_prompts = "Username:: : Password::"
76 # # don't send system passwords over unencrypted connections
77 # server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
78 # server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
80 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
81 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
87 # server_realm = <short main hostname>
89 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
90 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
93 # digest_md5_sasl_server:
95 # public_name = DIGEST-MD5
96 # server_realm = <short main hostname>
98 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
99 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
102 # Authenticate against cyrus-sasl
103 # This is mainly untested, please report any problems to
104 # pkg-exim4-users@lists.alioth.debian.org. If you have success with
105 # using these authenticators until May 1 2005, please report as well.
106 # cram_md5_sasl_server:
107 # driver = cyrus_sasl
108 # public_name = CRAM-MD5
109 # server_realm = <short main hostname>
113 # driver = cyrus_sasl
114 # public_name = PLAIN
115 # server_realm = <short main hostname>
117 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
118 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
122 # driver = cyrus_sasl
123 # public_name = LOGIN
124 # server_realm = <short main hostname>
126 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
127 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
130 # Authenticate against courier authdaemon
132 # This has been copied from
133 # http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php
134 # (thanks to r. i. pienaar). This has been reported as "working" with
135 # the Debian packages by Sven Geggus. Possible pitfall: access rights
136 # on /var/run/courier/authdaemon/socket.
138 # plain_courier_authdaemon:
140 # public_name = PLAIN
141 # server_condition = \
142 # ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
143 # {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n}}}{FAIL\n}{no}{yes}}
145 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
146 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
149 # login_courier_authdaemon:
151 # public_name = LOGIN
152 # server_prompts = Username:: : Password::
153 # server_condition = ${if eq {${readsocket{/var/run/courier/authdaemon/socket} \
154 # {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n}}}{FAIL\n}{no}{yes}}
156 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
157 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
160 # This one is a bad hack to support the broken version 4.xx of
161 # Microsoft Outlook Express which violates the RFCs by demanding
162 # "250-AUTH=" instead of "250-AUTH ".
163 # It has to be the last authenticator to work and has not been tested
164 # well. Use at your own risk.
165 # See the thread entry point from
166 # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
167 # for the related discussion on the exim-users mailing list.
168 # Thanks to Fred Viles for this great work.
170 # support_broken_outlook_express_4_server:
172 # public_name = "\r\n250-AUTH=PLAIN LOGIN"
173 # server_prompts = User Name : Password
174 # server_condition = no
177 # See /usr/share/doc/exim4-base/README.SMTP-AUTH
180 # These examples below are the equivalent for client side authentication.
181 # They get the passwords from CONFDIR/passwd.client. This file should have
182 # three columns separated by colons, the first contains the name of the
183 # mailserver to authenticate against, the second the username and the third
184 # contains the password.
186 ### # example for CONFDIR/passwd.client
187 ### mail.server:blah:secret
191 # Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
192 # only allow these mechanisms over encrypted connections by default.
193 # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
194 # clear text password authentication on all connections.
# Client-side CRAM-MD5. client_name and client_secret are the first and
# second colon-separated fields of the CONFDIR/passwd.client value found
# for $host; the lookup is forced to fail when nothing matches.
# passwd.client holds clear-text passwords, so it must not be readable by
# ordinary users.
# NOTE(review): the authenticator name and driver lines are not visible in
# this listing.
# NOTE(review): lsearch* retries a failed lookup with the key "*", so a "*"
# entry in passwd.client supplies its credentials to every server that has
# no entry of its own - confirm that is intended before adding one.
198 public_name = CRAM-MD5
199 client_name = ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
200 client_secret = ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
# Clear-text mechanism: unless AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS is defined,
# client_send is built inside an ${if !eq{$tls_cipher}{}...} test, i.e. the
# credentials are only produced when $tls_cipher is non-empty. The second
# client_send below has no such test and sends them on any connection.
# NOTE(review): the lines between the two variants (presumably the fail
# branch, .else and .endif) are missing from this listing - check them
# against the full file before reuse.
205 .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
206 client_send = "${if !eq{$tls_cipher}{}{\
208 {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
210 {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
213 client_send = "^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
# Same guard with a different client_send layout: the leading
# ${if !eq{$tls_cipher}{}{}fail} expands to nothing when $tls_cipher is
# non-empty and forces the expansion to fail when it is empty. The last
# client_send has no such test and sends user name and password on any
# connection.
# NOTE(review): the extract lines and the .else/.endif directives are
# missing from this listing here as well.
219 .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
220 client_send = "${if !eq{$tls_cipher}{}{}fail}\
222 {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \
224 {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
226 client_send = ": ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"