1
2 ### auth/30_exim4-config_examples
3 #################################
4
5 # The examples below are for server side authentication, when the
6 # local exim is SMTP server and clients authenticate to the local exim.
7
8 # They allow two styles of plain-text authentication against an
9 # CONFDIR/passwd file whose syntax is described in exim_passwd(5).
10
11 # Hosts that are allowed to use AUTH are defined by the
12 # auth_advertise_hosts option in the main configuration. The default is
13 # "*", which allows authentication to all hosts over all kinds of
14 # connections if there is at least one authenticator defined here.
15 # Authenticators which rely on unencrypted clear text passwords don't
16 # advertise on unencrypted connections by default. Thus, it might be
17 # wise to set up TLS to allow encrypted connections. If TLS cannot be
18 # used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
19 # advertise unencrypted clear text password based authenticators on all
20 # connections. As this is severely reducing security, using TLS is
21 # preferred over allowing clear text password based authenticators on
22 # unencrypted connections.
23
24 # PLAIN authentication has no server prompts. The client sends its
25 # credentials in one lump, containing an authorization ID (which we do not
26 # use), an authentication ID, and a password. The latter two appear as
27 # $auth2 and $auth3 in the configuration and should be checked against a
28 # valid username and password. In a real configuration you would typically
29 # use $auth2 as a lookup key, and compare $auth3 against the result of the
30 # lookup, perhaps using the crypteq{}{} condition.
31
32 # plain_server:
33 # driver = plaintext
34 # public_name = PLAIN
35 # server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
36 # server_set_id = $auth2
37 # server_prompts = :
38 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
39 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
40 # .endif
41
42 # LOGIN authentication has traditional prompts and responses. There is no
43 # authorization ID in this mechanism, so unlike PLAIN the username and
44 # password are $auth1 and $auth2. Apart from that you can use the same
45 # server_condition setting for both authenticators.
46
47 # login_server:
48 # driver = plaintext
49 # public_name = LOGIN
50 # server_prompts = "Username:: : Password::"
51 # server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
52 # server_set_id = $auth1
53 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
54 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
55 # .endif
56 #
57 # cram_md5_server:
58 # driver = cram_md5
59 # public_name = CRAM-MD5
60 # server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
61 # server_set_id = $auth1
62
63 # Here is an example of CRAM-MD5 authentication against PostgreSQL:
64 #
65 # psqldb_auth_server:
66 # driver = cram_md5
67 # public_name = CRAM-MD5
68 # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
69 # server_set_id = $auth1
70
71 # Authenticate against local passwords using sasl2-bin
72 # Requires exim_uid to be a member of sasl group, see README.Debian.gz
73 # plain_saslauthd_server:
74 # driver = plaintext
75 # public_name = PLAIN
76 # server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
77 # server_set_id = $auth2
78 # server_prompts = :
79 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
80 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
81 # .endif
82 #
83 # login_saslauthd_server:
84 # driver = plaintext
85 # public_name = LOGIN
86 # server_prompts = "Username:: : Password::"
87 # # don't send system passwords over unencrypted connections
88 # server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
89 # server_set_id = $auth1
90 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
91 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
92 # .endif
93 #
94 # ntlm_sasl_server:
95 # driver = cyrus_sasl
96 # public_name = NTLM
97 # server_realm = <short main hostname>
98 # server_set_id = $auth1
99 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
100 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
101 # .endif
102 #
103 # digest_md5_sasl_server:
104 # driver = cyrus_sasl
105 # public_name = DIGEST-MD5
106 # server_realm = <short main hostname>
107 # server_set_id = $auth1
108 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
109 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
110 # .endif
111
112 # Authenticate against cyrus-sasl
113 # This is mainly untested, please report any problems to
114 # pkg-exim4-users@lists.alioth.debian.org.
115 # cram_md5_sasl_server:
116 # driver = cyrus_sasl
117 # public_name = CRAM-MD5
118 # server_realm = <short main hostname>
119 # server_set_id = $auth1
120 #
121 # plain_sasl_server:
122 # driver = cyrus_sasl
123 # public_name = PLAIN
124 # server_realm = <short main hostname>
125 # server_set_id = $auth1
126 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
127 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
128 # .endif
129 #
130 # login_sasl_server:
131 # driver = cyrus_sasl
132 # public_name = LOGIN
133 # server_realm = <short main hostname>
134 # server_set_id = $auth1
135 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
136 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
137 # .endif
138
139 # Authenticate against courier authdaemon
140
141 # This is now the (working!) example from
142 # http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
143 # Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
144 # plain_courier_authdaemon:
145 # driver = plaintext
146 # public_name = PLAIN
147 # server_condition = \
148 # ${extract {ADDRESS} \
149 # {${readsocket{/var/run/courier/authdaemon/socket} \
150 # {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
151 # {yes} \
152 # fail}
153 # server_set_id = $auth2
154 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
155 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
156 # .endif
157
158 # login_courier_authdaemon:
159 # driver = plaintext
160 # public_name = LOGIN
161 # server_prompts = Username:: : Password::
162 # server_condition = \
163 # ${extract {ADDRESS} \
164 # {${readsocket{/var/run/courier/authdaemon/socket} \
165 # {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
166 # {yes} \
167 # fail}
168 # server_set_id = $auth1
169 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
170 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
171 # .endif
172
173 # This one is a bad hack to support the broken version 4.xx of
174 # Microsoft Outlook Express which violates the RFCs by demanding
175 # "250-AUTH=" instead of "250-AUTH ".
176 # If your list of offered authenticators is other than PLAIN and LOGIN,
177 # you need to adapt the public_name line manually.
178 # It has to be the last authenticator to work and has not been tested
179 # well. Use at your own risk.
180 # See the thread entry point from
181 # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
182 # for the related discussion on the exim-users mailing list.
183 # Thanks to Fred Viles for this great work.
184
185 # support_broken_outlook_express_4_server:
186 # driver = plaintext
187 # public_name = "\r\n250-AUTH=PLAIN LOGIN"
188 # server_prompts = User Name : Password
189 # server_condition = no
190 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
191 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
192 # .endif
193
194 ##############
195 # See /usr/share/doc/exim4-base/README.Debian.gz
196 ##############
197
198 # These examples below are the equivalent for client side authentication.
199 # They get the passwords from CONFDIR/passwd.client, whose format is
200 # defined in exim4_passwd_client(5)
201
202 # Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
203 # only allow these mechanisms over encrypted connections by default.
204 # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
205 # clear text password authentication on all connections.
206
# Client-side CRAM-MD5: used when this exim authenticates to a remote
# host (e.g. a smarthost). Both options look up $host, the remote host,
# in CONFDIR/passwd.client with nwildlsearch and split the looked-up
# value on ":": field 1 is the name sent as the client, field 2 the
# shared secret (file format: exim4_passwd_client(5)). The trailing
# "fail" makes the expansion fail when no line matches, so nothing is
# offered to hosts that have no entry. CRAM-MD5 needs the secret in
# clear on both sides, so passwd.client holds it in plain text; keep
# that file readable only by the user exim runs as.
cram_md5:
driver = cram_md5
public_name = CRAM-MD5
client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
212
213 # hcoop-change: the PLAIN and LOGIN server authenticators below accept a
214 # password that matches either the dbm file /etc/courier/exim.dat or saslauthd
215
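# hcoop-change: server-side PLAIN. The client sends authorization id,
# authentication id and password in one lump; they are available as
# $auth1, $auth2 and $auth3. The numeric $1/$2/$3 forms used originally
# mean the same here but can be overwritten by any regex match that runs
# inside the expansion, so the $authN names from the examples above are
# used instead.
# The password is accepted if EITHER
#   - crypteq matches it against the "systempw" field of the user's
#     record in /etc/courier/exim.dat. The keyed form of extract reads
#     space-separated key=value pairs, so tr first turns the record's
#     "|" separators into spaces.
#   - OR saslauthd accepts the username/password pair.
# The dbm lookup has no {fail} part, so a missing user gives an empty
# string and an empty hash; the decision then rests on saslauthd.
# NOTE(review): confirm crypteq never succeeds against an empty hash.
# server_prompts = : is a single empty prompt, only used when the client
# does not pass its data on the AUTH line (as in plain_server above).
# Like the Debian examples, PLAIN is advertised only on TLS sessions
# unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined; without this
# guard passwords are accepted in clear text on unencrypted connections.
hcoop_plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = \
${if or {{crypteq {$auth3} \
{${extract{systempw}{${tr{${lookup{$auth2} \
dbm{/etc/courier/exim.dat} \
}}{|}{ }}}}}} \
{saslauthd {{$auth2}{$auth3}}}}}
server_set_id = $auth2
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif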
226
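# hcoop-change: server-side LOGIN. LOGIN has no authorization id, so the
# username and password arrive as $auth1 and $auth2 (the numeric $1/$2
# forms used originally mean the same but can be overwritten by a regex
# match inside the expansion; the $authN names match the examples above).
# The password is accepted if EITHER
#   - crypteq matches it against the "systempw" field of the user's
#     record in /etc/courier/exim.dat (tr turns the record's "|"
#     separators into the spaces the keyed extract expects),
#   - OR saslauthd accepts the username/password pair.
# A missing user gives an empty lookup result and an empty hash; the
# decision then rests on saslauthd.
# NOTE(review): confirm crypteq never succeeds against an empty hash.
# Like the Debian examples, LOGIN is advertised only on TLS sessions
# unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined; without this
# guard passwords are accepted in clear text on unencrypted connections.
hcoop_login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = \
${if or {{crypteq {$auth2} \
{${extract{systempw}{${tr{${lookup{$auth1} \
dbm{/etc/courier/exim.dat} \
}}{|}{ }}}}}} \
{saslauthd {{$auth1}{$auth2}}}}}
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif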
238
# Macro, not an authenticator option: at each point of use it expands to
# the line matching $host in CONFDIR/passwd.client. The lookup ends in
# "fail", so an expansion that uses PASSWDLINE fails when the remote
# host has no entry. The sg{} rewrites every "^" in that line as "^^":
# in a plaintext client_send a lone "^" is turned into a binary zero
# (the field separator of the PLAIN/LOGIN data), so carets that belong
# to the username or password must be doubled to be sent literally.
# In this file PASSWDLINE is referenced only by the commented-out
# "plain:" and "login:" client authenticators below.
PASSWDLINE=${sg{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
}\
{\\N[\\^]\\N}\
{^^}\
}
246
247 # hcoop-change: Comment out plain and login authenticators
248
249 # plain:
250 # driver = plaintext
251 # public_name = PLAIN
252 # .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
253 # client_send = "<; ${if !eq{$tls_cipher}{}\
254 # {^${extract{1}{:}{PASSWDLINE}}\
255 # ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
256 # }fail}"
257 # .else
258 # client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
259 # ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
260 # .endif
261
262 # login:
263 # driver = plaintext
264 # public_name = LOGIN
265 # .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
266 # # Return empty string if not non-TLS AND looking up $host in passwd-file
267 # # yields a non-empty string; fail otherwise.
268 # client_send = "<; ${if and{\
269 # {!eq{$tls_cipher}{}}\
270 # {!eq{PASSWDLINE}{}}\
271 # }\
272 # {}fail}\
273 # ; ${extract{1}{::}{PASSWDLINE}}\
274 # ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
275 # .else
276 # # Return empty string if looking up $host in passwd-file yields a
277 # # non-empty string; fail otherwise.
278 # client_send = "<; ${if !eq{PASSWDLINE}{}\
279 # {}fail}\
280 # ; ${extract{1}{::}{PASSWDLINE}}\
281 # ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
282 # .endif