### auth/30_exim4-config_examples
#################################

# The examples below are for server side authentication.
# They allow two styles of plain-text authentication against a
# CONFDIR/passwd file which should have user names in the first column
# and crypted passwords in the second. The columns need to be separated
# by ':'. Please note that apache's htpasswd program generates a file
# in the correct format, but uses a different crypt scheme. So,
# htpasswd will _NOT_ work for exim4.

# For CRAM-MD5 exim needs access to the UNENCRYPTED password - the example
# below assumes it is available in the third column of CONFDIR/passwd.
# Because that column holds clear-text secrets, CONFDIR/passwd should not
# be readable by anyone other than the account Exim runs as.

# Hosts that are allowed to use AUTH are defined by the
# auth_advertise_hosts option in the main configuration. The default is
# "*", which allows authentication to all hosts over all kinds of
# connections if there is at least one authenticator defined here.
# Authenticators which rely on unencrypted clear text passwords don't
# advertise on unencrypted connections by default. You can set
# AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to advertise unencrypted clear text
# password based authenticators on all connections.
# Server-side example authenticators (all disabled; remove the leading
# "# " to enable one).
#
# In the plaintext examples the advertise condition
#   ${if eq{$tls_cipher}{}{}{*}}
# expands to an empty string when no TLS cipher is set and to "*"
# otherwise, so the mechanism is only offered on encrypted connections
# unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined.

# PLAIN against CONFDIR/passwd: $2 is the user name, $3 the password.
# The lookup falls back to "*:*" for an unknown user, so crypteq is then
# given "*" as the stored hash.
# plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# LOGIN against CONFDIR/passwd: $1 is the user name, $2 the password.
# login_server:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = "Username:: : Password::"
#   server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# CRAM-MD5 against CONFDIR/passwd: the secret is field 2 of the data that
# follows the user name, i.e. the clear-text password in the third column.
# This example has no server_advertise_condition, so it is not restricted
# to TLS connections.
# cram_md5_server:
#   driver = cram_md5
#   public_name = CRAM-MD5
#   server_secret = ${extract{2}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}fail}}}
#   server_set_id = $1

# Here is an example of CRAM-MD5 authentication against PostgreSQL:
# The user name is passed through quote_pgsql before it is placed in the
# query. The "pw" column has to hold the clear-text secret, so access to
# that table should be restricted accordingly.
#
# psqldb_auth_server:
#   driver = cram_md5
#   public_name = CRAM-MD5
#   server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$1}'}{$value}fail}
#   server_set_id = $1

# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH
# plain_saslauthd_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# NOTE(review): this example sets server_advertise_condition twice when
# AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is not defined (once unconditionally,
# once inside .ifndef). Exim is expected to reject an option that is set
# twice in one driver - confirm, and keep only one of the two lines
# before enabling this authenticator. Note also that the unconditional
# line withholds the mechanism on non-TLS connections even when the
# macro is defined.
# login_saslauthd_server:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = "Username:: : Password::"
#   # don't send system passwords over unencrypted connections
#   server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
#   server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# NOTE(review): server_realm has no value in this and the following
# cyrus_sasl examples as shown on this page; a placeholder may have been
# lost - set it to the intended realm before use.
# ntlm_sasl_server:
#   driver = cyrus_sasl
#   public_name = NTLM
#   server_realm =
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# digest_md5_sasl_server:
#   driver = cyrus_sasl
#   public_name = DIGEST-MD5
#   server_realm =
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

# Authenticate against cyrus-sasl
# This is mainly untested, please report any problems to
# pkg-exim4-users@lists.alioth.debian.org. If you have success with
# using these authenticators until May 1 2005, please report as well.
# cram_md5_sasl_server:
#   driver = cyrus_sasl
#   public_name = CRAM-MD5
#   server_realm =
#   server_set_id = $1
#
# plain_sasl_server:
#   driver = cyrus_sasl
#   public_name = PLAIN
#   server_realm =
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# login_sasl_server:
#   driver = cyrus_sasl
#   public_name = LOGIN
#   server_realm =
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

# Authenticate against courier authdaemon

# This has been copied from
# http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php
# (thanks to r. i. pienaar). This has been reported as "working" with
# the Debian packages by Sven Geggus. Possible pitfall: access rights
# on /var/run/courier/authdaemon/socket.
# Both courier examples send an "AUTH <length>" request to the authdaemon
# socket; the length is computed with ${strlen:...} over the same payload
# (service "exim", type "login", user name, password) that follows it.
#
# NOTE(review): the condition yields "no" only when the reply is exactly
# "FAIL\n"; every other reply is treated as a successful login. Confirm
# against the authdaemon protocol that an error or truncated reply cannot
# take that path, or test for the daemon's positive reply instead.
# plain_courier_authdaemon:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = \
#     ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
#     {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n}}}{FAIL\n}{no}{yes}}
#   server_set_id = $2
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# login_courier_authdaemon:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = Username:: : Password::
#   server_condition = ${if eq {${readsocket{/var/run/courier/authdaemon/socket} \
#     {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n}}}{FAIL\n}{no}{yes}}
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

# This one is a bad hack to support the broken version 4.xx of
# Microsoft Outlook Express which violates the RFCs by demanding
# "250-AUTH=" instead of "250-AUTH ".
# It has to be the last authenticator to work and has not been tested
# well. Use at your own risk.
# See the thread entry point from
# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
# for the related discussion on the exim-users mailing list.
# Thanks to Fred Viles for this great work.
#
# server_condition is the constant "no", so this entry can never
# authenticate anyone itself; it only changes the advertised text through
# the CR/LF embedded in public_name.
# support_broken_outlook_express_4_server:
#   driver = plaintext
#   public_name = "\r\n250-AUTH=PLAIN LOGIN"
#   server_prompts = User Name : Password
#   server_condition = no

##############
# See /usr/share/doc/exim4-base/README.SMTP-AUTH
##############

# These examples below are the equivalent for client side authentication.
# They get the passwords from CONFDIR/passwd.client. This file should have
# three columns separated by colons, the first contains the name of the
# mailserver to authenticate against, the second the username and the third
# contains the password.
### # example for CONFDIR/passwd.client
### mail.server:blah:secret
### # default entry:
### *:bar:foo

# NOTE(review): CONFDIR/passwd.client holds clear-text passwords, so it
# should be readable only by root and the account Exim runs as.
#
# NOTE(review): all three authenticators below look up $host with
# "lsearch*", which falls back to the "*" entry when no line matches the
# host name. With a default entry such as "*:bar:foo" the same credentials
# are offered to every server that advertises one of these mechanisms and
# has no line of its own. Prefer one explicit line per smarthost and leave
# out the "*" entry unless that is really intended.

# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
# only allow these mechanisms over encrypted connections by default.
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
# clear text password authentication on all connections.
#
# NOTE(review): the guard below only tests that $tls_cipher is non-empty,
# i.e. that the connection is encrypted. It does not show that the
# server's certificate was verified; if that matters, require verification
# on the smtp transport as well (e.g. tls_verify_hosts, where the
# installed Exim version provides it). Newer Exim releases also document
# $tls_out_cipher for the outbound side - confirm which variable applies
# to the version in use.

# CRAM-MD5 client: user name is field 1 and secret is field 2 of the
# passwd.client data for $host. There is no TLS guard here, so this
# mechanism is also used on unencrypted connections. The password itself
# is not transmitted, but a recorded challenge/response exchange still
# allows offline guessing of weak passwords.
cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
  client_secret = ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}

# PLAIN client: sends "^user^password". Unless
# AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS is defined, the whole expansion is
# forced to fail when $tls_cipher is empty, so nothing is sent in clear.
# The field separator is written "::" here, presumably because
# client_send is itself a colon-separated list - confirm.
plain:
  driver = plaintext
  public_name = PLAIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  client_send = "${if !eq{$tls_cipher}{}{\
                    ^${extract{1}{::}\
                      {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
                    ^${extract{2}{::}\
                      {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
                  }fail}"
.else
  client_send = "^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
.endif

# LOGIN client: an empty first string, then the user name, then the
# password. In the guarded variant the first item expands to an empty
# string when $tls_cipher is set and forces failure otherwise, so the
# credentials are never reached on an unencrypted connection.
login:
  driver = plaintext
  public_name = LOGIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  client_send = "${if !eq{$tls_cipher}{}{}fail}\
                 : ${extract{1}{::}\
                    {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \
                 : ${extract{2}{::}\
                    {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
.else
  client_send = ": ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
.endif