| Rev | Author | # | Line |
|---|---|---|---|
| 13 | CraigBox | 1 | How I set up exim(8) [SMTP] Auth under Debian, in two parts: the server and the client. |
| 2 | |||
| 3 | !! Server Setup | ||
| 4 | |||
| 5 | First make sure exim is working correctly doing everything but relaying. | ||
| 6 | |||
| 7 | Then create a /etc/pam.d/exim with: | ||
| 20 | NickClifford | 8 | <pre> |
| 13 | CraigBox | 9 | auth required pam_unix.so |
| 10 | account required pam_permit.so | ||
| 11 | session required pam_permit.so | ||
| 20 | NickClifford | 12 | </pre> |
| 13 | CraigBox | 13 | |
| 14 | You can replace pam_unix.so with pam_permit.so for testing __but make sure you put it back when you are done__ | ||
| 15 | |||
| 16 | Then you need to edit /etc/exim/exim.conf and look for the authentication configuration section and add these two stanzas: | ||
| 17 | |||
| 20 | NickClifford | 18 | <pre> |
| 13 | CraigBox | 19 | plain: |
| 20 | driver = plaintext | ||
| 21 | public_name = PLAIN | ||
| 16 | DanielLawson | 22 | server_condition = "${if pam {$2:$3}{yes}{no}}" |
| 23 | server_set_id = $2 | ||
| 13 | CraigBox | 24 | |
| 25 | login: | ||
| 26 | driver = plaintext | ||
| 27 | public_name = LOGIN | ||
| 28 | server_prompts = "WLUG Username:: : WLUG Password::" | ||
| 29 | server_condition = "${if pam {$1:$2}{yes}{no}}" | ||
| 30 | server_set_id = $1 | ||
| 20 | NickClifford | 31 | </pre> |
| 13 | CraigBox | 32 | |
| 33 | These are both plain text drivers, you may wish to investigate using other drivers. Note, this won't work if your login or password contain :'s | ||
| 16 | DanielLawson | 34 | |
| 35 | __NOTE__: the above example refers to $2 and $3 for PLAIN auth, and $1 and $2 for LOGIN auth. This is correct! It is the only way PLAIN auth will work. If you find PLAIN auth isn't working, check that you are using $2 and $3 for the user and secret tokens, and not $1 and $2 | ||
| 13 | CraigBox | 36 | |
| 17 | NickJohnson | 37 | In Exim 3, you will also need to make sure you have |
| 20 | NickClifford | 38 | <pre> |
| 13 | CraigBox | 39 | host_auth_accept_relay = * |
| 20 | NickClifford | 40 | </pre> |
| 13 | CraigBox | 41 | (which is the default in debian) |
| 17 | NickJohnson | 42 | |
| 43 | this is accomplished in Exim 4 with | ||
| 20 | NickClifford | 44 | <pre> |
| 18 | KenDowns | 45 | hostlist host_auth_accept_relay = * |
| 20 | NickClifford | 46 | </pre> |
| 17 | NickJohnson | 47 | in the main section of the config file, which is there by default in FreeBSD. |
| 13 | CraigBox | 48 | |
| 49 | and you will need to add | ||
| 20 | NickClifford | 50 | <pre> |
| 13 | CraigBox | 51 | exim_user = root |
| 20 | NickClifford | 52 | </pre> |
| 13 | CraigBox | 53 | since you can't check passwords unless you are root, so you need to run exim as root. Pity. |
| 54 | |||
| 18 | KenDowns | 55 | Note however that if you run exim as root, the default config may disallow remote SMTP delivery when running as root, which kills the whole show. If this is the case, then when you send a message using the MUA you will see no error, but in the log you will see "User 0 set for remote_smtp transport is on the never_users list" and the message will get dropped. |
| 56 | |||
| 57 | To get around this, set the group ownership of /etc/shadow to something like "shadow" or some other group used only for this purpose, make the file group readable, as in: | ||
| 20 | NickClifford | 58 | <pre> |
| 18 | KenDowns | 59 | # groupadd shadow |
| 60 | # chgrp shadow /etc/shadow | ||
| 61 | # chmod g+r /etc/shadow | ||
| 20 | NickClifford | 62 | </pre> |
| 18 | KenDowns | 63 | |
| 64 | then add these lines to exim.conf (and remove exim_user=root) | ||
| 20 | NickClifford | 65 | <pre> |
| 13 | CraigBox | 66 | exim_user = mail |
| 67 | exim_group = shadow | ||
| 20 | NickClifford | 68 | </pre> |
| 18 | KenDowns | 69 | |
| 70 | |||
| 17 | NickJohnson | 71 | |
| 72 | !!! Testing | ||
| 13 | CraigBox | 73 | |
| 74 | Now restart exim and type | ||
| 20 | NickClifford | 75 | <pre> |
| 13 | CraigBox | 76 | exim -bh localhost |
| 20 | NickClifford | 77 | </pre> |
| 13 | CraigBox | 78 | try the commands |
| 20 | NickClifford | 79 | <pre> |
| 13 | CraigBox | 80 | EHLO localhost |
| 20 | NickClifford | 81 | </pre> |
| 13 | CraigBox | 82 | exim should produce at least one line saying |
| 20 | NickClifford | 83 | <pre> |
| 15 | TimCareySmith | 84 | 250-AUTH LOGIN PLAIN |
| 20 | NickClifford | 85 | </pre> |
| 13 | CraigBox | 86 | then type |
| 20 | NickClifford | 87 | <pre> |
| 13 | CraigBox | 88 | AUTH LOGIN |
| 20 | NickClifford | 89 | </pre> |
| 13 | CraigBox | 90 | exim will give you a base 64 encoded prompt ("WLUG Username:" from above). You then type in your username base64 encoded, it will prompt you with a base64 encoded prompt for your password, you enter the base64 encoded version of your password and it should say "Autentication successful" yay! type |
| 20 | NickClifford | 91 | <pre> |
| 13 | CraigBox | 92 | QUIT |
| 20 | NickClifford | 93 | </pre> |
| 13 | CraigBox | 94 | to quit. |
| 95 | |||
| 96 | to investigate: | ||
| 97 | * using CRAM-MD5 | ||
| 98 | |||
| 99 | ---- | ||
| 100 | !! EximSmtpAuth with an [LDAP] Backend: | ||
| 101 | |||
| 102 | I use an [LDAP] backend for my mail, which works ok - except for some reason exim's smtp auth feature dies when trying to use pam_ldap. I figured I may as well use a native ldap query anyway, so here's what I came up with: | ||
| 103 | |||
| 104 | Exim is basically set up as mentioned above, except I still run exim as 'mail', not as 'root'. In this first instance, all my user accounts are under 'ou=People,dc=wlug,dc=org,dc=nz'. | ||
| 105 | I have 'BASEDN' defined within exim as being my base dn, eg: | ||
| 20 | NickClifford | 106 | <pre> |
| 13 | CraigBox | 107 | BASEDN=dc=wlug,dc=org,dc=nz |
| 108 | |||
| 109 | login: | ||
| 110 | driver = plaintext | ||
| 111 | public_name = LOGIN | ||
| 112 | server_prompts = "LDAP Username:: : LDAP Password::" | ||
| 113 | server_condition = "${lookup ldap{user=uid=$1,ou=People,BASEDN pass=$2 \ | ||
| 114 | ldap://localhost/BASEDN?uid?sub?(uid=$1)}{yes}fail}" | ||
| 115 | server_set_id = $1 | ||
| 20 | NickClifford | 116 | </pre> |
| 13 | CraigBox | 117 | |
| 118 | This makes use of the ldap lookups ability to set the binddn and password via the 'user' and 'pass' directives, before the ldap url. This means that the ldap lookup binds as the connecting user - if this succeeds, then the user/pass is valid. If it fails, then its not. | ||
| 119 | |||
| 120 | I also have a more complicated setup which has virtual domains, and each domain is under o=$domain,ou=Domains,BASEDN. UIDs are stored in the form user@domain (ie, thats what they login with). Here's how i got smtp auth working with that: | ||
| 121 | |||
| 20 | NickClifford | 122 | <pre> |
| 13 | CraigBox | 123 | login: |
| 124 | driver = plaintext | ||
| 125 | public_name = LOGIN | ||
| 126 | server_prompts = "LDAP Username:: : LDAP Password::" | ||
| 127 | server_condition = "${lookup ldap{user=${lookup \ | ||
| 128 | ldapdn{ldap://localhost/ou=Domains,BASEDN?dn?sub?(uid=$1)}} pass=$2 \ | ||
| 129 | ldap://localhost/ou=Domains,BASEDN?uid?sub?(uid=$1)}{yes}fail}" | ||
| 130 | server_set_id = $1 | ||
| 20 | NickClifford | 131 | </pre> |
| 13 | CraigBox | 132 | |
| 133 | This one differs slightly, in that in order to find the binddn, i first had to do a query to find the dn of the uid relating to user@domain.co.nz. As this is stored in o=$domain,ou=Domains..., and the $domain wont work in this case (its only populated when it gets an incoming mail, not for an auth session), I either needed a regex to split $1 into $user and $domain, or else to do this extra query. It works out ok though :). Note that the internal query is of type 'ldapdn' - this returns the dn of the result, and assumes there is only one match for uid=$1. | ||
| 14 | TomConstans | 134 | |
| 135 | ---- | ||
| 136 | !! another setup | ||
| 137 | something maybe simpler, that supports multiple virtual domains: | ||
| 138 | |||
| 139 | login: | ||
| 20 | NickClifford | 140 | <pre> |
| 14 | TomConstans | 141 | driver = plaintext |
| 142 | public_name = LOGIN | ||
| 143 | server_prompts = "LDAP Username:: : LDAP Password::" | ||
| 144 | server_condition = ${if ldapauth { user="${lookup ldapdn{ ldap://LDAPSERVER/BASEDN?dn?sub?(mail=$1)}}" pass=${quote:$2} ldap://LDAPSERVER/}{yes}{no}} | ||
| 145 | server_set_id = $1 | ||
| 20 | NickClifford | 146 | </pre> |
| 14 | TomConstans | 147 | |
| 22 | NickClifford | 148 | the ldapdn lookup retrieves the full dn of user identified by is "mail" ( this attribute can of course be changed ) and attempt a bind to the ldapserver, with the given dn. if it succeeds, then smtp auth is considered successful |
| 13 | CraigBox | 149 | |
| 150 | ---- | ||
| 151 | !! Client Setup | ||
| 152 | All mail generated at my house gets sent to exim which runs on the router connected to my DSL line, my ISPs smarthost sucks (for various reasons), and being on a dynamic IP delivering directly is not such a smart idea. The solution is to smarthost to another server somewhere that will accept my mail using SMTP AUTH. In this case exim is acting as an SMTP AUTH client rather than a server. | ||
| 153 | |||
| 154 | You need the following configuration snippets, unfortunately the notes in the config file seem to suggest that you can only be a client to one SMTP AUTH server (or all the servers you authenticate to need to use the same username and password). | ||
| 155 | |||
| 156 | The setup is very simple, add the following line to your remote_smtp transport | ||
| 20 | NickClifford | 157 | <pre> |
| 13 | CraigBox | 158 | authenticate_hosts = <your smarthost here> |
| 20 | NickClifford | 159 | </pre> |
| 13 | CraigBox | 160 | |
| 161 | Then you simply need to add the following stanza to the authentication section at the end of your config file. | ||
| 20 | NickClifford | 162 | <pre> |
| 13 | CraigBox | 163 | login: |
| 164 | driver = plaintext | ||
| 165 | public_name = LOGIN | ||
| 166 | client_send = ": <your username> : <your password>" | ||
| 20 | NickClifford | 167 | </pre> |
| 13 | CraigBox | 168 | |
| 169 | You probably also want to be using STARTTLS to encrypt the connection, otherwise your password is sent in plaintext. Under debian you need to make sure you have the exim-tls package installed. | ||
| 19 | RobinGilham | 170 | |
| 171 | For exim4 on Debian 3.1: | ||
| 172 | Some smarthosts don't support encrypted login's so you have to enable plaintext logins. Create a file /etc/exim4/passwd.client containing the following: | ||
| 20 | NickClifford | 173 | <pre> |
| 19 | RobinGilham | 174 | yourmailserver:yourlogin:yourpassword |
| 20 | NickClifford | 175 | </pre> |
| 19 | RobinGilham | 176 | |
| 177 | then add the line following 2 lines somewhere near the top of exim4.conf.template | ||
| 20 | NickClifford | 178 | <pre> |
| 179 | # allow plain text smtp login | ||
| 19 | RobinGilham | 180 | AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS=1 |
| 20 | NickClifford | 181 | </pre> |
| 19 | RobinGilham | 182 | |
| 183 | Update the configuration files by running | ||
| 20 | NickClifford | 184 | <pre> |
| 19 | RobinGilham | 185 | update-exim4.conf |
| 20 | NickClifford | 186 | </pre> |
| 19 | RobinGilham | 187 | Your server will now login to the smarthost using plaintext username and password as specified in the passwd.client file |
| 13 | CraigBox | 188 | |
| 189 | !!Server Prompts | ||
| 190 | |||
| 191 | Some clients respond poorly to server prompts that don't match what they consider "correct". This problem will manifest itself by some clients being able to auth, and others not. to be safe, set | ||
| 192 | |||
| 20 | NickClifford | 193 | <pre> |
| 13 | CraigBox | 194 | server_prompts="Username:: : Password::" |
| 20 | NickClifford | 195 | </pre> |
| 13 | CraigBox | 196 | ---- |
| 197 | An alternative way of achieving a similar end (allowing hosts to relay through you for a set period of time) is to use [POPbeforeSMTP] | ||
| 198 | See also [SMTPBestPractises] |
lib/plugin/WlugLicense.php (In template 'html'):99: Warning: Invalid argument supplied for foreach()
lib/plugin/WlugLicense.php (In template 'html'):111: Warning: in_array() [<a href='function.in-array'>function.in-array</a>]: Wrong datatype for second argument