
How I set up exim(8) SMTP Auth under Debian.

First make sure exim is working correctly doing everything but relaying.

Then create a /etc/pam.d/exim containing:

  auth     required pam_unix.so
  account  required pam_permit.so
  session  required pam_permit.so

You can replace pam_unix.so with pam_permit.so for testing (pam_permit accepts any password), but make sure you put it back when you are done.

Then you need to edit /etc/exim/exim.conf, find the authentication configuration section and add these two stanzas. For PLAIN the client sends the authorization id, the authentication id and the password as $1, $2 and $3, and $1 is usually empty, so the PAM check for PLAIN must use $2 and $3; LOGIN delivers the user name and password as $1 and $2.

  plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = "${if pam {$2:$3}{yes}{no}}"
    server_set_id = $2

  login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "WLUG Username:: : WLUG Password::"
    server_condition = "${if pam {$1:$2}{yes}{no}}"
    server_set_id = $1

These are both plaintext drivers (the credentials cross the wire base64 encoded, not encrypted), so you may wish to investigate other drivers. Note that this won't work if your login or password contains a colon, because the pam condition splits its argument on colons.

You will also need to make sure you have

host_auth_accept_relay = *

(which is the default in debian)

and you will need to add

exim_user = root

since passwords can't be checked unless you are root, so exim has to run as root. Pity.

Now restart exim and type

  exim -bh localhost

then try the command

  EHLO localhost

exim should produce at least one line saying

  AUTH LOGIN PLAIN

then type

  AUTH LOGIN

exim will give you a base64 encoded prompt ("WLUG Username:" from above). You then type in your username base64 encoded; it will prompt you with a base64 encoded prompt for your password, you enter the base64 encoded version of your password, and it should say "Authentication successful". Yay! Type

  QUIT

to quit.
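The AUTH LOGIN exchange above and the colon caveat on the pam condition, worked through in Python as an added example (not from the original page; the user name "bob" and the passwords are constructed sample values):

```python
import base64


def b64(text: str) -> str:
    """Encode one line of the SMTP AUTH dialogue the way the client must type it."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(line: str) -> str:
    """Decode a base64 server prompt (the payload after exim's "334 ")."""
    return base64.b64decode(line).decode("utf-8")


def auth_login_dialogue(user, password, prompts=("WLUG Username:", "WLUG Password:")):
    """The AUTH LOGIN exchange from the text as (side, line) pairs: "S" lines are
    what the LOGIN stanza makes exim send, "C" lines are what you type."""
    return [
        ("C", "AUTH LOGIN"),
        ("S", "334 " + b64(prompts[0])),
        ("C", b64(user)),
        ("S", "334 " + b64(prompts[1])),
        ("C", b64(password)),
    ]


def auth_plain_fields(initial_response: str):
    """Split a client's AUTH PLAIN initial response (authzid NUL authcid NUL
    password, base64) into the three values exim exposes as $1, $2 and $3."""
    fields = base64.b64decode(initial_response).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("PLAIN response must have exactly three NUL-separated fields")
    return tuple(fields)


def pam_args(user: str, password: str):
    """Mimic what "${if pam {$1:$2}...}" hands to PAM: a colon-separated list whose
    first item is the user name and whose remaining items answer PAM's prompts in
    order. A colon inside either value shifts the fields, which is the caveat above."""
    items = f"{user}:{password}".split(":")
    return items[0], items[1:]


if __name__ == "__main__":
    # Constructed sample credentials; this is the dialogue you would see and type.
    for side, line in auth_login_dialogue("bob", "s3cret"):
        print(side, line)
    # PAM gets user "bob" and answers "x" to the password prompt, so the login fails.
    print(pam_args("bob", "x:pw"))
```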

to investigate:

  • using CRAM-MD5

EximSmtpAuth with an LDAP Backend:

I use an LDAP backend for my mail, which works ok - except for some reason exim's smtp auth feature dies when trying to use pam_ldap. I figured I may as well use a native ldap query anyway, so here's what I came up with:

Exim is basically set up as mentioned above, except I still run exim as 'mail', not as 'root'. In this first instance, all my user accounts are under 'ou=People,dc=wlug,dc=org,dc=nz'.

I have 'BASEDN' defined within exim as being my base dn, eg

BASEDN=dc=wlug,dc=org,dc=nz

  login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "LDAP Username:: : LDAP Password::"
    server_condition = "${lookup ldap{user=uid=$1,ou=People,BASEDN pass=$2 ldap://localhost/BASEDN?uid?sub?(uid=$1)}{yes}fail}"
    server_set_id = $1

This makes use of the ldap lookup's ability to set the binddn and password via the 'user' and 'pass' directives before the ldap url. This means that the ldap lookup binds as the connecting user; if this succeeds, then the user/pass is valid. If it fails, then it's not.

I also have a more complicated setup which has virtual domains, and each domain is under o=$domain,ou=Domains,BASEDN. UIDs are stored in the form user@domain (i.e. that's what they log in with). Here's how I got smtp auth working with that:
  login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "LDAP Username:: : LDAP Password::"
    server_condition = "${lookup ldap{user=${lookup ldapdn{ldap://localhost/ou=Domains,BASEDN?dn?sub?(uid=$1)}} pass=$2 ldap://localhost/ou=Domains,BASEDN?uid?sub?(uid=$1)}{yes}fail}"
    server_set_id = $1

This one differs slightly, in that in order to find the binddn, I first had to do a query to find the dn of the uid relating to user@domain.co.nz. As this is stored in o=$domain,ou=Domains..., and $domain won't work in this case (it's only populated when it gets an incoming mail, not for an auth session), I either needed a regex to split $1 into $user and $domain, or else to do this extra query. It works out ok though :). Note that the internal query is of type 'ldapdn'; this returns the dn of the result, and assumes there is only one match for uid=$1.


An alternative way of achieving a similar end (allowing hosts to relay through you for a set period of time) is to use POPbeforeSMTP.
