You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
255 lines
9.4 KiB
Plaintext
255 lines
9.4 KiB
Plaintext
|
|
### auth/30_exim4-config_examples
|
|
#################################
|
|
|
|
# The examples below are for server side authentication, when the
|
|
# local exim is SMTP server and clients authenticate to the local exim.
|
|
|
|
# They allow two styles of plain-text authentication against an
|
|
# CONFDIR/passwd file whose syntax is described in exim4_passwd(5).
|
|
|
|
# Hosts that are allowed to use AUTH are defined by the
|
|
# auth_advertise_hosts option in the main configuration. The default is
|
|
# "*", which allows authentication to all hosts over all kinds of
|
|
# connections if there is at least one authenticator defined here.
|
|
# Authenticators which rely on unencrypted clear text passwords don't
|
|
# advertise on unencrypted connections by default. Thus, it might be
|
|
# wise to set up TLS to allow encrypted connections. If TLS cannot be
|
|
# used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
|
|
# advertise unencrypted clear text password based authenticators on all
|
|
# connections. As this is severely reducing security, using TLS is
|
|
# preferred over allowing clear text password based authenticators on
|
|
# unencrypted connections.
|
|
|
|
# PLAIN authentication has no server prompts. The client sends its
|
|
# credentials in one lump, containing an authorization ID (which we do not
|
|
# use), an authentication ID, and a password. The latter two appear as
|
|
# $auth2 and $auth3 in the configuration and should be checked against a
|
|
# valid username and password. In a real configuration you would typically
|
|
# use $auth2 as a lookup key, and compare $auth3 against the result of the
|
|
# lookup, perhaps using the crypteq{}{} condition.
|
|
|
|
# plain_server:
|
|
# driver = plaintext
|
|
# public_name = PLAIN
|
|
# server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
|
|
# server_set_id = $auth2
|
|
# server_prompts = :
|
|
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
|
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
|
|
# .endif
|
|
|
|
# LOGIN authentication has traditional prompts and responses. There is no
|
|
# authorization ID in this mechanism, so unlike PLAIN the username and
|
|
# password are $auth1 and $auth2. Apart from that you can use the same
|
|
# server_condition setting for both authenticators.
|
|
|
|
# login_server:
|
|
# driver = plaintext
|
|
# public_name = LOGIN
|
|
# server_prompts = "Username:: : Password::"
|
|
# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
|
|
# server_set_id = $auth1
|
|
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
|
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
|
|
# .endif
|
|
#
|
|
# cram_md5_server:
|
|
# driver = cram_md5
|
|
# public_name = CRAM-MD5
|
|
# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
|
|
# server_set_id = $auth1
|
|
|
|
# Here is an example of CRAM-MD5 authentication against PostgreSQL:
|
|
#
|
|
# psqldb_auth_server:
|
|
# driver = cram_md5
|
|
# public_name = CRAM-MD5
|
|
# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
|
|
# server_set_id = $auth1
|
|
|
|
# Authenticate against local passwords using sasl2-bin
|
|
# Requires exim_uid to be a member of sasl group, see README.Debian.gz
|
|
# plain_saslauthd_server:
|
|
# driver = plaintext
|
|
# public_name = PLAIN
|
|
# server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
|
|
# server_set_id = $auth2
|
|
# server_prompts = :
|
|
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
|
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
|
|
# .endif
|
|
#
|
|
# login_saslauthd_server:
|
|
# driver = plaintext
|
|
# public_name = LOGIN
|
|
# server_prompts = "Username:: : Password::"
|
|
# # don't send system passwords over unencrypted connections
|
|
# server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
|
|
# server_set_id = $auth1
|
|
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
|
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
|
|
# .endif
|
|
#
|
|
# ntlm_sasl_server:
|
|
# driver = cyrus_sasl
|
|
# public_name = NTLM
|
|
# server_realm = <short main hostname>
|
|
# server_set_id = $auth1
|
|
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
|
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
|
|
# .endif
|
|
#
|
|
# digest_md5_sasl_server:
|
|
# driver = cyrus_sasl
|
|
# public_name = DIGEST-MD5
|
|
# server_realm = <short main hostname>
|
|
# server_set_id = $auth1
|
|
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
|
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
|
|
# .endif
|
|
|
|
# Authentcate against cyrus-sasl
|
|
# This is mainly untested, please report any problems to
|
|
# pkg-exim4-users@lists.alioth.debian.org.
|
|
# cram_md5_sasl_server:
|
|
# driver = cyrus_sasl
|
|
# public_name = CRAM-MD5
|
|
# server_realm = <short main hostname>
|
|
# server_set_id = $auth1
|
|
#
|
|
# plain_sasl_server:
|
|
# driver = cyrus_sasl
|
|
# public_name = PLAIN
|
|
# server_realm = <short main hostname>
|
|
# server_set_id = $auth1
|
|
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
|
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
|
|
# .endif
|
|
#
|
|
# login_sasl_server:
|
|
# driver = cyrus_sasl
|
|
# public_name = LOGIN
|
|
# server_realm = <short main hostname>
|
|
# server_set_id = $auth1
|
|
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
|
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
|
|
# .endif
|
|
|
|
# Authenticate against courier authdaemon
|
|
|
|
# This is now the (working!) example from
|
|
# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
|
|
# Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
|
|
# plain_courier_authdaemon:
|
|
# driver = plaintext
|
|
# public_name = PLAIN
|
|
# server_condition = \
|
|
# ${extract {ADDRESS} \
|
|
# {${readsocket{/var/run/courier/authdaemon/socket} \
|
|
# {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
|
|
# {yes} \
|
|
# fail}
|
|
# server_set_id = $auth2
|
|
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
|
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
|
|
# .endif
|
|
|
|
# login_courier_authdaemon:
|
|
# driver = plaintext
|
|
# public_name = LOGIN
|
|
# server_prompts = Username:: : Password::
|
|
# server_condition = \
|
|
# ${extract {ADDRESS} \
|
|
# {${readsocket{/var/run/courier/authdaemon/socket} \
|
|
# {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
|
|
# {yes} \
|
|
# fail}
|
|
# server_set_id = $auth1
|
|
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
|
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
|
|
# .endif
|
|
|
|
# This one is a bad hack to support the broken version 4.xx of
|
|
# Microsoft Outlook Express which violates the RFCs by demanding
|
|
# "250-AUTH=" instead of "250-AUTH ".
|
|
# If your list of offered authenticators is other than PLAIN and LOGIN,
|
|
# you need to adapt the public_name line manually.
|
|
# It has to be the last authenticator to work and has not been tested
|
|
# well. Use at your own risk.
|
|
# See the thread entry point from
|
|
# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
|
|
# for the related discussion on the exim-users mailing list.
|
|
# Thanks to Fred Viles for this great work.
|
|
|
|
# support_broken_outlook_express_4_server:
|
|
# driver = plaintext
|
|
# public_name = "\r\n250-AUTH=PLAIN LOGIN"
|
|
# server_prompts = User Name : Password
|
|
# server_condition = no
|
|
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
|
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
|
|
# .endif
|
|
|
|
##############
|
|
# See /usr/share/doc/exim4-base/README.Debian.gz
|
|
##############
|
|
|
|
# These examples below are the equivalent for client side authentication.
|
|
# They get the passwords from CONFDIR/passwd.client, whose format is
|
|
# defined in exim4_passwd_client(5)
|
|
|
|
# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
|
|
# only allow these mechanisms over encrypted connections by default.
|
|
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
|
|
# clear text password authentication on all connections.
|
|
|
|
cram_md5:
|
|
driver = cram_md5
|
|
public_name = CRAM-MD5
|
|
client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
|
|
client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
|
|
|
|
# this returns the matching line from passwd.client and doubles all ^
|
|
PASSWDLINE=${sg{\
|
|
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
|
|
}\
|
|
{\\N[\\^]\\N}\
|
|
{^^}\
|
|
}
|
|
|
|
plain:
|
|
driver = plaintext
|
|
public_name = PLAIN
|
|
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
|
|
client_send = "<; ${if !eq{$tls_out_cipher}{}\
|
|
{^${extract{1}{:}{PASSWDLINE}}\
|
|
^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
|
|
}fail}"
|
|
.else
|
|
client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
|
|
^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
|
|
.endif
|
|
|
|
login:
|
|
driver = plaintext
|
|
public_name = LOGIN
|
|
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
|
|
# Return empty string if not non-TLS AND looking up $host in passwd-file
|
|
# yields a non-empty string; fail otherwise.
|
|
client_send = "<; ${if and{\
|
|
{!eq{$tls_out_cipher}{}}\
|
|
{!eq{PASSWDLINE}{}}\
|
|
}\
|
|
{}fail}\
|
|
; ${extract{1}{::}{PASSWDLINE}}\
|
|
; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
|
|
.else
|
|
# Return empty string if looking up $host in passwd-file yields a
|
|
# non-empty string; fail otherwise.
|
|
client_send = "<; ${if !eq{PASSWDLINE}{}\
|
|
{}fail}\
|
|
; ${extract{1}{::}{PASSWDLINE}}\
|
|
; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
|
|
.endif
|