Re: [Exim] SMTP auth

Author: Tamas TEVESZ
Date:  
To: Jeff Green
CC: exim-users
Subject: Re: [Exim] SMTP auth
On Wed, 11 Jul 2001, Jeff Green wrote:

> While I understand your plight (I'm there myself), blaming the documentation

indeed. exim has one of the finest docs i've ever seen. it however
doesn't state anywhere that it's usable without any prior knowledge of the
internet mail system :)

chaps, it's basically really no big deal.

first, you need to get some backend db to get username/password pairs
from. this can be as simple as systems passwords, pam, *db files, sql,
ldap, whatever. just put in your username:password pairs there.

second, find out what type(s) of authentication you want, iirc there
are two types, plain and login. with plain, you transmit the
username:pw pair at the same time while login looks just like login:
the server asks for a username which you provide, likewise for the
password.

now you're almost done, what's left is writing the authenticator.

first we'll do plain:

plain:
driver = plaintext
public_name = PLAIN
server_condition = ${lookup mysql{select if(count(*), "1", "0") \
from mail where id = '${quote_mysql:$2}' and \
encrypt('${quote_mysql:$3}', crypt) = crypt and can_send = 'y'}}
server_set_id = $2

let's look at it in detail.

first of course you name your authenticator, then specify what driver
to use. 'plaintext' means passwords are exchanged in plaintext over
the network (an alternative is 'cram-md5', which looks similar to what
apop does in the pop3 world; your homework goes here).

public_name tells exim how to advertise this particular method when
the client comes in speaking esmtp:

250-SIZE
250-PIPELINING
250-AUTH LOGIN
         ^^^^^


next comes the heart of the whole thing, the condition. this is where you
already have the username and password, and have to assemble a lookup
that will return either "0" or "1" (for denying/allowing,
respectively). i'm not going into detail about the lookup itself, mine
looks as above and is pretty much tied to mysql - homework is 'how to
do lookups in exim'. with the 'login' method, you get the username in
parameter $2 and the password in parameter $3. with plain, you get
username in $1 and pw in $2 - the differences can be figured out from
C032 (iirc) pretty easily.

server_set_id = $2 will set a variable whose name i forgot, which you
can use in exim.conf (ie. for adding extra info to the received
headers; i posted the one i used to use once, check the archives),
to the username.

when all this is done, put 'host_auth_accept_relay = foo' in the main
config, where foo is of host-list type; if you want to accept
authenticated users from any place, use '*'.

and this is it. no big deal, eh ? :)

i had put together a tool which helped me a lot to debug what is
actually going on, and also to understand stuff; you can find it at
<http://pike-community.org/code/show_single.html?id=79>. it's not
perfect, far from being standards-compliant, but it did the job here
and there already. you'll need pike 7 to use it (earlier pikes have no
Readline).


--
[-]
"you're wasting my time, chatterbox."
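Added example, not code from the post above: it decodes an AUTH PLAIN initial response into the three NUL-separated fields of RFC 4616 (authorization id, username, password, which is why the authenticator above reads the username from $2 and the password from $3) and evaluates the same "1"/"0" allow-or-deny condition against a constructed in-memory stand-in for the `mail` table (the real config does the comparison in MySQL with crypt()).

```python
import base64
import hmac

# Constructed stand-in for the `mail` table queried by server_condition above:
# id -> (password, can_send). Plain values are stored only to keep the example
# self-contained; the real config compares a crypt() hash inside MySQL.
MAIL_TABLE = {
    "alice": ("s3cret", "y"),
    "bob": ("hunter2", "n"),   # correct password, but not allowed to send
}

def split_plain(initial_response_b64: str) -> tuple[str, str, str]:
    """Decode a SASL PLAIN initial response (RFC 4616).

    The decoded string is [authzid] NUL authcid NUL passwd. Exim hands the
    NUL-separated pieces to the plaintext authenticator as $1, $2 and $3,
    so $2 is the username and $3 the password, exactly as the config above uses.
    """
    raw = base64.b64decode(initial_response_b64, validate=True).decode("utf-8")
    parts = raw.split("\x00")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN needs exactly two NUL separators")
    return parts[0], parts[1], parts[2]

def server_condition(user: str, password: str) -> str:
    """Mirror of the lookup above: return "1" to allow, "0" to deny."""
    stored = MAIL_TABLE.get(user)
    if stored is None:
        return "0"
    stored_pw, can_send = stored
    # constant-time compare so a wrong password fails without leaking how close it was
    if not hmac.compare_digest(stored_pw.encode(), password.encode()):
        return "0"
    return "1" if can_send == "y" else "0"

def auth_plain(initial_response_b64: str) -> tuple[bool, str]:
    """Run the server side of one PLAIN exchange; returns (accepted, set_id)."""
    try:
        _authzid, user, password = split_plain(initial_response_b64)
    except (ValueError, UnicodeDecodeError):
        return False, ""          # malformed response: reject, set no id
    ok = server_condition(user, password) == "1"
    # server_set_id = $2: on success the username becomes Exim's $authenticated_id
    return ok, user if ok else ""

def encode_plain(user: str, password: str) -> str:
    """What a client sends after 'AUTH PLAIN' (empty authorization id)."""
    return base64.b64encode(f"\x00{user}\x00{password}".encode()).decode()
```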