1
2 ### auth/30_exim4-config_examples
3 #################################
4
5 # The examples below are for server side authentication
6
7 # They allow two styles of plain-text authentication against a
8 # CONFDIR/passwd file which should have user names in the first column
9 # and crypted passwords in the second. The columns need to be separated
10 # by ':'. Please note that apache's htpasswd program generates a file
11 # in the correct format, but uses a different crypt scheme. So,
12 # htpasswd will _NOT_ work for exim4.
13
14 # For CRAM-MD5 exim needs access to the UNENCRYPTED password - the example
15 # below assumes it is available in the third column of CONFDIR/passwd, so read access to that file needs to be restricted accordingly.
16
17 # Hosts that are allowed to use AUTH are defined by the
18 # auth_advertise_hosts option in the main configuration. The default is
19 # "*", which allows authentication to all hosts over all kinds of
20 # connections if there is at least one authenticator defined here.
21 # Authenticators which rely on unencrypted clear text passwords don't
22 # advertise on unencrypted connections by default. You can set
23 # AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to advertise unencrypted clear text
24 # password based authenticators on all connections.
25
26 # plain_server:
27 # driver = plaintext
28 # public_name = PLAIN
29 # server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
30 # server_set_id = $2
31 # server_prompts = :
32 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
33 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
34 # .endif
35 #
36 # login_server:
37 # driver = plaintext
38 # public_name = LOGIN
39 # server_prompts = "Username:: : Password::"
40 # server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
41 # server_set_id = $1
42 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
43 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
44 # .endif
45 #
46 # cram_md5_server:
47 # driver = cram_md5
48 # public_name = CRAM-MD5
49 # server_secret = ${extract{2}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}fail}}}
50 # server_set_id = $1
51
52 # Here is an example of CRAM-MD5 authentication against PostgreSQL:
53 #
54 # psqldb_auth_server:
55 # driver = cram_md5
56 # public_name = CRAM-MD5
57 # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$1}'}{$value}fail}
58 # server_set_id = $1
59
60 # Authenticate against local passwords using sasl2-bin
61 # Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH
62 # plain_saslauthd_server:
63 # driver = plaintext
64 # public_name = PLAIN
65 # server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
66 # server_set_id = $2
67 # server_prompts = :
68 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
69 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
70 # .endif
71 #
72 # login_saslauthd_server:
73 # driver = plaintext
74 # public_name = LOGIN
75 # server_prompts = "Username:: : Password::"
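76 # # don't send system passwords over unencrypted connections (note: server_advertise_condition is set again inside the .ifndef block below; keep only one of the two when uncommenting, since Exim does not accept the same option set twice in one authenticator)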
77 # server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
78 # server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
79 # server_set_id = $1
80 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
81 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
82 # .endif
83 #
84 # ntlm_sasl_server:
85 # driver = cyrus_sasl
86 # public_name = NTLM
87 # server_realm = <short main hostname>
88 # server_set_id = $1
89 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
90 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
91 # .endif
92 #
93 # digest_md5_sasl_server:
94 # driver = cyrus_sasl
95 # public_name = DIGEST-MD5
96 # server_realm = <short main hostname>
97 # server_set_id = $1
98 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
99 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
100 # .endif
101
102 # Authenticate against cyrus-sasl
103 # This is mainly untested, please report any problems to
104 # pkg-exim4-users@lists.alioth.debian.org. If you have success with
105 # using these authenticators until May 1 2005, please report as well.
106 # cram_md5_sasl_server:
107 # driver = cyrus_sasl
108 # public_name = CRAM-MD5
109 # server_realm = <short main hostname>
110 # server_set_id = $1
111 #
112 # plain_sasl_server:
113 # driver = cyrus_sasl
114 # public_name = PLAIN
115 # server_realm = <short main hostname>
116 # server_set_id = $1
117 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
118 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
119 # .endif
120 #
121 # login_sasl_server:
122 # driver = cyrus_sasl
123 # public_name = LOGIN
124 # server_realm = <short main hostname>
125 # server_set_id = $1
126 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
127 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
128 # .endif
129
130 # Authenticate against courier authdaemon
131
132 # This has been copied from
133 # http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php
134 # (thanks to r. i. pienaar). This has been reported as "working" with
135 # the Debian packages by Sven Geggus. Possible pitfall: access rights
136 # on /var/run/courier/authdaemon/socket.
137
138 # plain_courier_authdaemon:
139 # driver = plaintext
140 # public_name = PLAIN
141 # server_condition = \
142 # ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
143 # {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n}}}{FAIL\n}{no}{yes}}
144 # server_set_id = $2
145 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
146 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
147 # .endif
148 #
149 # login_courier_authdaemon:
150 # driver = plaintext
151 # public_name = LOGIN
152 # server_prompts = Username:: : Password::
153 # server_condition = ${if eq {${readsocket{/var/run/courier/authdaemon/socket} \
154 # {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n}}}{FAIL\n}{no}{yes}}
155 # server_set_id = $1
156 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
157 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
158 # .endif
159
160 # This one is a bad hack to support the broken version 4.xx of
161 # Microsoft Outlook Express which violates the RFCs by demanding
162 # "250-AUTH=" instead of "250-AUTH ".
163 # It has to be the last authenticator to work and has not been tested
164 # well. Use at your own risk.
165 # See the thread entry point from
166 # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
167 # for the related discussion on the exim-users mailing list.
168 # Thanks to Fred Viles for this great work.
169
170 # support_broken_outlook_express_4_server:
171 # driver = plaintext
172 # public_name = "\r\n250-AUTH=PLAIN LOGIN"
173 # server_prompts = User Name : Password
174 # server_condition = no
175
176 ##############
177 # See /usr/share/doc/exim4-base/README.SMTP-AUTH
178 ##############
179
180 # These examples below are the equivalent for client side authentication.
181 # They get the passwords from CONFDIR/passwd.client. This file should have
182 # three columns separated by colons, the first contains the name of the
183 # mailserver to authenticate against, the second the username and the third
184 # contains the password.
185
186 ### # example for CONFDIR/passwd.client
187 ### mail.server:blah:secret
188 ### # default entry:
189 ### *:bar:foo
190
191 # Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
192 # only allow these mechanisms over encrypted connections by default.
193 # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
194 # clear text password authentication on all connections.
195
# Client-side CRAM-MD5 authenticator.
# Both values are taken from the CONFDIR/passwd.client line whose first
# column matches $host. The "*" suffix on lsearch makes the lookup fall back
# to the "*" entry when no line matches, so a default entry offers these
# credentials to every remote host that advertises CRAM-MD5.
# Unlike the plain and login authenticators in this file, nothing here tests
# $tls_cipher: CRAM-MD5 does not transmit the password itself, but without
# TLS the challenge/response exchange is still visible on the wire.
196 cram_md5:
197 driver = cram_md5
198 public_name = CRAM-MD5
# Field 1 of the looked-up value (the user name). "fail" forces an expansion
# failure when neither a host entry nor a "*" entry exists.
199 client_name = ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
# Field 2 of the looked-up value (the password, used as the shared secret).
# NOTE(review): a ':' inside the stored password would end field 2 early -
# confirm the entries in passwd.client do not contain one.
200 client_secret = ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
201
# Client-side PLAIN authenticator (plaintext driver).
# client_send is a colon-separated list, which is why the ':' separator
# handed to ${extract} is written doubled ('::') here. Each '^' in the
# string is sent as a NUL byte, producing <NUL>user<NUL>password.
# The user name and password come from the CONFDIR/passwd.client line for
# $host; lsearch* falls back to the "*" entry, so a default entry sends
# these credentials to any host that advertises PLAIN.
# NOTE(review): a '^' inside the stored user name or password would also be
# turned into NUL, and a ':' inside the password ends field 2 early -
# confirm the credentials in passwd.client contain neither character.
202 plain:
203 driver = plaintext
204 public_name = PLAIN
# Default branch: the credentials are only produced when $tls_cipher is
# non-empty; otherwise the expansion is forced to fail, so the password is
# not sent over an unencrypted connection.
# NOTE(review): whether the message is then delivered without authentication
# depends on the smtp transport's settings (hosts_require_auth versus
# hosts_try_auth) - verify against the transport configuration.
# NOTE(review): later Exim releases name the outbound value $tls_out_cipher;
# confirm which variable the installed version expects.
205 .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
206 client_send = "${if !eq{$tls_cipher}{}{\
207 ^${extract{1}{::}\
208 {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
209 ^${extract{2}{::}\
210 {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
211 }fail}"
# Opt-out branch: with AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS defined the same
# credentials are sent with no TLS test, i.e. in clear text on unencrypted
# connections.
212 .else
213 client_send = "^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
214 .endif
215
# Client-side LOGIN authenticator (plaintext driver).
# client_send is a colon-separated list of three items: an empty first item,
# then the user name, then the password. The ':' separator handed to
# ${extract} is written doubled ('::') because a single ':' would split the
# list. Credentials come from the CONFDIR/passwd.client line for $host;
# lsearch* falls back to the "*" entry, so a default entry sends them to any
# host that advertises LOGIN.
# NOTE(review): a ':' inside the stored password would end field 2 early,
# and a '^' would be sent as a NUL byte - confirm the entries in
# passwd.client contain neither character.
216 login:
217 driver = plaintext
218 public_name = LOGIN
# Default branch: the first item expands to an empty string when $tls_cipher
# is non-empty and is forced to fail otherwise, so the user name and
# password are not sent over an unencrypted connection.
# NOTE(review): whether delivery then continues without authentication
# depends on the smtp transport's settings - verify there.
219 .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
220 client_send = "${if !eq{$tls_cipher}{}{}fail}\
221 : ${extract{1}{::}\
222 {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \
223 : ${extract{2}{::}\
224 {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
# Opt-out branch: with AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS defined the same
# three items are sent with no TLS test, i.e. in clear text on unencrypted
# connections.
225 .else
226 client_send = ": ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
227 .endif