2 ### auth/30_exim4-config_examples
3 #################################
5 # The examples below are for server side authentication, when the
6 # local exim is SMTP server and clients authenticate to the local exim.
8 # They allow two styles of plain-text authentication against an
9 # CONFDIR/passwd file whose syntax is described in exim_passwd(5).
11 # Hosts that are allowed to use AUTH are defined by the
12 # auth_advertise_hosts option in the main configuration. The default is
13 # "*", which allows authentication to all hosts over all kinds of
14 # connections if there is at least one authenticator defined here.
15 # Authenticators which rely on unencrypted clear text passwords don't
16 # advertise on unencrypted connections by default. Thus, it might be
17 # wise to set up TLS to allow encrypted connections. If TLS cannot be
18 # used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
19 # advertise unencrypted clear text password based authenticators on all
20 # connections. As this is severely reducing security, using TLS is
21 # preferred over allowing clear text password based authenticators on
22 # unencrypted connections.
24 # PLAIN authentication has no server prompts. The client sends its
25 # credentials in one lump, containing an authorization ID (which we do not
26 # use), an authentication ID, and a password. The latter two appear as
27 # $auth2 and $auth3 in the configuration and should be checked against a
28 # valid username and password. In a real configuration you would typically
29 # use $auth2 as a lookup key, and compare $auth3 against the result of the
30 # lookup, perhaps using the crypteq{}{} condition.
35 # server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
36 # server_set_id = $auth2
38 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
39 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
42 # LOGIN authentication has traditional prompts and responses. There is no
43 # authorization ID in this mechanism, so unlike PLAIN the username and
44 # password are $auth1 and $auth2. Apart from that you can use the same
45 # server_condition setting for both authenticators.
50 # server_prompts = "Username:: : Password::"
51 # server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
52 # server_set_id = $auth1
53 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
54 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
59 # public_name = CRAM-MD5
60 # server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
61 # server_set_id = $auth1
63 # Here is an example of CRAM-MD5 authentication against PostgreSQL:
67 # public_name = CRAM-MD5
68 # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
69 # server_set_id = $auth1
71 # Authenticate against local passwords using sasl2-bin
72 # Requires exim_uid to be a member of sasl group, see README.Debian.gz
73 # plain_saslauthd_server:
76 # server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
77 # server_set_id = $auth2
79 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
80 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
83 # login_saslauthd_server:
86 # server_prompts = "Username:: : Password::"
87 # # don't send system passwords over unencrypted connections
88 # server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
89 # server_set_id = $auth1
90 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
91 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
97 # server_realm = <short main hostname>
98 # server_set_id = $auth1
99 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
100 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
103 # digest_md5_sasl_server:
104 # driver = cyrus_sasl
105 # public_name = DIGEST-MD5
106 # server_realm = <short main hostname>
107 # server_set_id = $auth1
108 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
109 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
112 # Authentcate against cyrus-sasl
113 # This is mainly untested, please report any problems to
114 # pkg-exim4-users@lists.alioth.debian.org.
115 # cram_md5_sasl_server:
116 # driver = cyrus_sasl
117 # public_name = CRAM-MD5
118 # server_realm = <short main hostname>
119 # server_set_id = $auth1
122 # driver = cyrus_sasl
123 # public_name = PLAIN
124 # server_realm = <short main hostname>
125 # server_set_id = $auth1
126 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
127 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
131 # driver = cyrus_sasl
132 # public_name = LOGIN
133 # server_realm = <short main hostname>
134 # server_set_id = $auth1
135 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
136 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
139 # Authenticate against courier authdaemon
141 # This is now the (working!) example from
142 # http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
143 # Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
144 # plain_courier_authdaemon:
146 # public_name = PLAIN
147 # server_condition = \
148 # ${extract {ADDRESS} \
149 # {${readsocket{/var/run/courier/authdaemon/socket} \
150 # {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
153 # server_set_id = $auth2
154 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
155 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
158 # login_courier_authdaemon:
160 # public_name = LOGIN
161 # server_prompts = Username:: : Password::
162 # server_condition = \
163 # ${extract {ADDRESS} \
164 # {${readsocket{/var/run/courier/authdaemon/socket} \
165 # {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
168 # server_set_id = $auth1
169 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
170 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
173 # This one is a bad hack to support the broken version 4.xx of
174 # Microsoft Outlook Express which violates the RFCs by demanding
175 # "250-AUTH=" instead of "250-AUTH ".
176 # If your list of offered authenticators is other than PLAIN and LOGIN,
177 # you need to adapt the public_name line manually.
178 # It has to be the last authenticator to work and has not been tested
179 # well. Use at your own risk.
180 # See the thread entry point from
181 # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
182 # for the related discussion on the exim-users mailing list.
183 # Thanks to Fred Viles for this great work.
185 # support_broken_outlook_express_4_server:
187 # public_name = "\r\n250-AUTH=PLAIN LOGIN"
188 # server_prompts = User Name : Password
189 # server_condition = no
190 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
191 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
195 # See /usr/share/doc/exim4-base/README.Debian.gz
198 # These examples below are the equivalent for client side authentication.
199 # They get the passwords from CONFDIR/passwd.client, whose format is
200 # defined in exim4_passwd_client(5)
202 # Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
203 # only allow these mechanisms over encrypted connections by default.
204 # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
205 # clear text password authentication on all connections.
209 public_name = CRAM-MD5
210 client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
211 client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
213 # hcoop-change: Authenticate against either /etc/courier/exim.dat or
214 # SASL for plain and login authenticators
221 ${if or {{crypteq {$auth3} \
222 {${extract{systempw}{${tr{${lookup{$auth2} \
223 dbm{/etc/courier/exim.dat} \
225 {saslauthd {{$auth2}{$auth3}{exim4}}}}}
226 server_set_id = $auth2
227 server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
232 server_prompts = "Username:: : Password::"
234 ${if or {{crypteq {$auth2} \
235 {${extract{systempw}{${tr{${lookup{$auth1} \
236 dbm{/etc/courier/exim.dat} \
238 {saslauthd {{$auth1}{$auth2}{exim4}}}}}
239 server_set_id = $auth1
240 server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
242 # this returns the matching line from passwd.client and doubles all ^
244 ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
250 # hcoop-change: Comment out plain and login authenticators
254 # public_name = PLAIN
255 # .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
256 # client_send = "<; ${if !eq{$tls_cipher}{}\
257 # {^${extract{1}{:}{PASSWDLINE}}\
258 # ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
261 # client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
262 # ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
267 # public_name = LOGIN
268 # .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
269 # # Return empty string if not non-TLS AND looking up $host in passwd-file
270 # # yields a non-empty string; fail otherwise.
271 # client_send = "<; ${if and{\
272 # {!eq{$tls_cipher}{}}\
273 # {!eq{PASSWDLINE}{}}\
276 # ; ${extract{1}{::}{PASSWDLINE}}\
277 # ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
279 # # Return empty string if looking up $host in passwd-file yields a
280 # # non-empty string; fail otherwise.
281 # client_send = "<; ${if !eq{PASSWDLINE}{}\
283 # ; ${extract{1}{::}{PASSWDLINE}}\
284 # ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"