--
Hello list,
Just before you embark on your weekend proper, I have TWO major questions on
SMTP AUTH, one on 3.33 and the other on 3.952 (aka 4 beta)
On Exim-3.33 I have a working AUTH setup which correctly handles users who
are in my /etc/passwd. Maybe I need to say the users use username:encryptedpasswd
pair to AUTH.
I have another set of users, virtual in this case, using username@domain:encryptedpasswd
pair and the usernames/passwords are in MySQL database. Exim already has access to this
database. My questions on this are:
1. Is it possible to configure authenticators for these users in Exim-3.33? I am not
a database guru and the much I know is just the HOWTOs that I read to setup Exim
and TPOP3D. I scanned the archives
2. Is it possible also to setup authenticators for them in Exim-4?
3. On Exim-4: I built this from the FreeBSD ports and I checked the Local/Makefile
and saw the authenticators were compiled into the exim binary.
Exim-4 being new as it is, I haven't managed to get authentication working on my
test box. I have defined acl smtp_auth and also defined the authenticators (actually
they were left in place by the convert script). Exim-4 runs on the test box but when
I telnet to it and issue EHLO I don't see it advertising AUTH. I've scanned spec.txt
but seems I am missing something major.
My Exim-4 configure file is attached. Sorry I forgot to do it in the previous post.
If anyone can point me in the right direction, I'll be greatly obliged.
-Wash
S y s t e m s A d m i n.
--
Odhiambo Washington <wash@???> "The box said 'Requires
Wananchi Online Ltd. www.wananchi.com Windows 95, NT, or better,'
Tel: 254 2 313985-9 Fax: 254 2 313922 so I installed FreeBSD."
GSM: 254 72 743 223 GSM: 254 733 744 121 This sig is McQ! :-)
++
It is impossible to experience one's death objectively and still carry
a tune.
-- Woody Allen
--
----- End forwarded message -----
++
People who are funny and smart and return phone calls get much better
press than people who are just funny and smart.
-- Howard Simons, "The Washington Post"
--
#!!# This file is output from the convert4r4 script, which tries
#!!# to convert Exim 3 configurations into Exim 4 configurations.
#!!# However, it is not perfect, especially with non-simple
#!!# configurations. You must check it before running it.
#!!# These options specify the Access Control Lists (ACLs) that
#!!# are used for incoming SMTP messages - after the RCPT and DATA
#!!# commands, respectively.
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
#!!# These options specify the Access Control Lists (ACLs) that
#!!# are used to control the ETRN, EXPN, and VRFY commands.
#!!# Where no ACL is defined, the command is locked out.
acl_smtp_etrn = check_etrn
#!!# Access Control Lists for SMTP AUTH
acl_smtp_auth = smtp_auth
#!!# This setting defines a named domain list called
#!!# local_domains, created from the old options that
#!!# referred to local domains. It will be referenced
#!!# later on by the syntax "+local_domains".
#!!# Other domain and host lists may follow.
domainlist local_domains = @ : \
@[] : \
localhost : \
beastie.wananchi.com : \
lsearch;/usr/local/etc/exim/relay : \
partial-lsearch;/usr/local/etc/exim/tpc.domains
domainlist relay_domains = lsearch;/usr/local/etc/exim/relay : \
lsearch;/usr/local/etc/exim/static : \
lsearch;/etc/virtual/domains
hostlist relay_hosts = +include_unknown : \
62.8.64.0/24 : \
62.8.65.0/24 : \
62.8.66.0/24 : \
62.8.67.0/24 : \
62.8.68.0/24 : \
62.8.69.0/24 : \
212.49.74.0/25 : \
192.168.0.2/32
hostlist auth_relay_hosts = *
#!!# All previous logging options are combined into a single
#!!# option in Exim 4. This setting is an approximation to
#!!# the previous state - some logging has changed.
log_selector = \
-retry_defer \
-skip_delivery \
+address_rewrite \
+all_parents \
+arguments \
+received_sender \
+received_recipients \
+smtp_confirmation \
+smtp_connection \
+smtp_syntax_error
# Do filtering
#!!# message_filter renamed system_filter
system_filter = /usr/local/etc/exim/exim-filter
message_body_visible = 8000
system_filter_file_transport = address_file
system_filter_pipe_transport = address_pipe
system_filter_reply_transport = address_reply
######################################################################
# Runtime configuration file for Exim #
######################################################################
primary_hostname = beastie.wananchi.com
qualify_domain = beastie.wananchi.com
qualify_recipient = beastie.wananchi.com
# Exim user and those whose uids no delivery should occur.
exim_user = mailnull
exim_group = mail
never_users = root : mailnull
#!!# auth_always_advertise converted to auth_advertise_hosts
auth_advertise_hosts = !+relay_hosts : +auth_relay_hosts
# Some operating systems use the "gecos" field in the system password file
# to hold other information in addition to users' real names. Exim looks up
# this field when it is creating "sender" and "from" headers. If these options
# are set, exim uses "gecos_pattern" to parse the gecos field, and then
# expands "gecos_name" as the user's name. $1 etc refer to sub-fields matched
# by the pattern.
gecos_pattern = ^([^,:]*)
gecos_name = $1
# This string defines the contents of the `Received' message header that
# is added to each message, except for the timestamp, which is automatically
# added on at the end, preceded by a semicolon. The string is expanded each
# time it is used.
received_header_text = "Received: \
${if def:sender_rcvhost {from ${sender_rcvhost}\n\t}\
{${if def:sender_ident {from ${sender_ident} }}\
${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}\
by ${primary_hostname} \
${if def:received_protocol {with ${received_protocol}}} \
(Exim ${version_number} #${compile_number} (FreeBSD))\n\t\
id ${message_id}\
${if def:received_for {\n\tfor <$received_for>}}"
host_lookup = *
smtp_banner = $primary_hostname ESMTP Exim \
${version_number} #${compile_number} ${tod_full} ${lookup{$sender_host_address} \
lsearch* {/usr/local/etc/exim/bannerversion} \
{${expand:$value}}}
errors_reply_to = admin@???
delay_warning = 0h
no_prod_requires_admin
no_queue_list_requires_admin
message_size_limit = 10M
return_size_limit = 5k
auto_thaw = 1h
queue_smtp_domains = lsearch;/usr/local/etc/exim/static
smtp_etrn_command = "/usr/local/sbin/exim -R \"${if match {$domain} {^[@#]} {${substr_1:$domain}} {$domain}}\""
smtp_accept_max = 100
smtp_accept_max_per_host = 10
smtp_accept_reserve = 10
smtp_accept_queue_per_connection = 120
remote_max_parallel = 2
smtp_connect_backlog = 50
split_spool_directory
timeout_frozen_after = 2d
ignore_bounce_errors_after = 0s
#!!#######################################################!!#
#!!# This new section of the configuration contains ACLs #!!#
#!!# (Access Control Lists) derived from the Exim 3 #!!#
#!!# policy control options. #!!#
#!!#######################################################!!#
#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.
begin acl
#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages
accept hosts = :
deny hosts = 209.225.6.125:209.225.6.106:209.225.6.117:209.225.6.112:209.225.6.111:209.225.41.205:63.103.129.9:207.61.57.125:203.122.3.153:207.241.178.129:202.86.149.133:207.241.178.132: \
207.241.178.102:207.241.178.164:196.40.39.157:207.155.198.87:210.24.180.17:210.10.90.72:212.186.146.248:216.242.135.:202.86.131.9:203.1.24.64:213.120.126.30
deny message = host is listed in $dnslist_domain
dnslists = blackholes.mail-abuse.org:relays.mail-abuse.org:dialups.mail-abuse.org
deny senders = partial-lsearch;/usr/local/etc/exim/badsenders
require verify = sender
deny message = unrouteable address
!verify = recipient
accept domains = +local_domains
accept domains = +relay_domains
accept hosts = +relay_hosts
accept hosts = +auth_relay_hosts
endpass
message = authentication required
authenticated = *
deny message = relay not permitted
#!!# ACL that is used after the DATA command
check_message:
require verify = header_syntax
accept senders = !:
require verify = header_sender
accept
## Deny if the local part contains @ or % or / or | or !.
deny local_parts = ^.*[@%!/|]
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
accept local_parts = postmaster
domains = +local_domains
#!!# ACL that is used after the ETRN command
check_etrn:
accept hosts = 62.8.64.0/24 : 62.8.65.0/24 : 62.8.66.0/24 : 62.8.67.0/24 : 212.49.74.0/25
#!!# ACL that is used for SMTP AUTH
smtp_auth:
accept hosts = 62.8.64.0/24 : 62.8.65.0/24 : 62.8.66.0/24 : 62.8.67.0/24 : 62.8.68.0/24 : 62.8.69.0/24 :212.49.74.0/25
# AUTHENTICATION CONFIGURATION
# There are no authenticator specifications in this default configuration file.
## new auth section ##
begin authenticators
plain:
driver = plaintext
public_name = PLAIN
server_mail_auth_condition =
server_set_id = $2
client_send =
server_condition = ${if crypteq{$3}{${lookup{$2}lsearch{/etc/exim/authtab}{$value}}}{1}{0}}
server_prompts =
login:
driver = plaintext
public_name = LOGIN
server_mail_auth_condition =
server_set_id = $1
client_send =
server_condition = ${if crypteq{$2}{${lookup{$1}lsearch{/etc/exim/authtab}{$value}}}{1}{0}}
server_prompts = Username:: : Password::
cram:
driver = cram_md5
public_name = CRAM-MD5
server_mail_auth_condition =
server_set_id = $1
client_name =
client_secret =
server_secret = ${lookup{$1}lsearch{/etc/exim/authtab-cram_md5}{$value}}
# REWRITE CONFIGURATION
# Set of rules for mapping certain local users to some postmasters
# @virtual.domains who do ETRN but don't pop from dialup account
begin rewrite
\N^(beiersdorf)@wananchi\.com$ admin@??? Tt
\N^(lantech)@wananchi\.com$ lantech@??? Tt
\N^(virtualcity)@wananchi\.com$ kkarungu@??? Tt
\N^(mareba)@wananchi\.com$ postmaster@??? Tt
\N^(netsource)@wananchi\.com$ gdanson@??? Tt
\N^(fkfin)@wananchi\.com$ habelm@??? Tt
\N^(postmaster)@kenpoly\.com$ kamlesh@??? Tt
\N^(.*)@wtrl\.or\.ke$ $1@???
# Added by Wash - removes asterisks from Sender and From fields
\N^([^\*]+)\*(.*)@(.*)$ $1@$domain EFs
#!!#######################################################!!#
#!!# Here follow routers created from the old routers, #!!#
#!!# for handling non-local domains. #!!#
#!!#######################################################!!#
begin routers
# This first entry can be used to dump all mail to a well connected host,
# as long as we're allowed relay through.
#smart_route:
# driver = manualroute
# domains = ! +local_domains
# host_find_failed = defer
# route_list = * ns2.wananchi.com bydns_a
# transport = remote_smtp
# Lookups in case there is no smart_route
lookuphost:
driver = dnslookup
domains = ! +local_domains
ignore_target_hosts = 127.0.0.0/8
transport = remote_smtp
# This router routes to remote hosts over SMTP by explicit IP address.
domain_literal:
driver = ipliteral
domains = ! +local_domains
transport = remote_smtp
# This router has been added for offloading mail for certain sites to
# better connected hosts and make it their responsibility to deliver to
# the destination.
artificial_route:
driver = manualroute
domains = ! +local_domains
route_data = ${lookup{$domain}lsearch{/usr/local/etc/exim/smtproutes}}
transport = remote_smtp
#Hylafax settings
fax:
driver = manualroute
domains = ! +local_domains
route_list = *.fax
transport = fax
no_more
#!!#######################################################!!#
#!!# Here follow routers created from the old directors, #!!#
#!!# for handling local domains. #!!#
#!!#######################################################!!#
# This director handles our normal virtual domains
virtual_domains:
driver = redirect
allow_defer
allow_fail
data = ${expand:${lookup{$local_part@$domain}lsearch*@{/usr/local/etc/exim/virtual}}}
retry_use_local_part
# The following will handle any aliases for the special virtual domains
virtual_aliases:
driver = redirect
allow_defer
allow_fail
data = ${expand:${lookup{$local_part}lsearch*{/etc/virtual/${domain}/aliases}}}
domains = lsearch;/etc/virtual/domains
file_transport = address_file
pipe_transport = address_pipe
qualify_preserve_domain
retry_use_local_part
user = mailnull
# This director allows me to have an individual domain filter for
# each virtual domain.
virtualdomainfilter:
#!!# filter renamed allow_filter
driver = redirect
allow_filter
check_ancestor
no_check_local_user
domains = lsearch;/etc/virtual/domains
no_expn
file = /etc/virtual/${domain}/filter
file_transport = address_file
group = mail
pipe_transport = address_pipe
reply_transport = address_reply
retry_use_local_part
skip_syntax_errors
user = mailnull
no_verify
# This director will handle our system aliases /etc/mail/aliases
system_aliases:
driver = redirect
allow_defer
allow_fail
data = ${expand:${lookup{$local_part}lsearch{/etc/mail/aliases}}}
file_transport = address_file
pipe_transport = address_pipe
retry_use_local_part
user = mailnull
# User forwards
userforward:
#!!# match_directory option removed
#!!# filter renamed allow_filter
driver = redirect
allow_filter
check_ancestor
check_local_user
no_expn
file = $home/.forward
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
no_verify
# This director matches the virtual local user mailboxes
virtual_localuser:
driver = accept
condition = ${lookup {$local_part} lsearch {/etc/virtual/${domain}/passwd}{$value}}
domains = lsearch;/etc/virtual/domains
retry_use_local_part
transport = virtual_localdelivery
# This director matches local user mailboxes.
localuser:
driver = accept
check_local_user
transport = local_delivery
# VIRTUAL DOMAIN FALLBACK
fallbackdomain:
driver = redirect
allow_defer
allow_fail
condition = ${lookup{$domain}lsearch{/etc/virtual/domainfallback}{$value}}
data = ${lookup{$domain}lsearch{/etc/virtual/domainfallback}{$local_part@$value}{$local_part@$domain}}
retry_use_local_part
user = mailnull
#TPC.INT tpc director
tpc_director:
driver = accept
domains = "partial-lsearch;/usr/local/etc/exim/tpc.domains"
retry_use_local_part
transport = tpc
faxdirector:
#!!# prefix renamed local_part_prefix
driver = accept
condition = ${lookup{$sender_address}lsearch{/etc/fax/faxusers}{yes}{no}}
local_part_prefix = fax-
retry_use_local_part
transport = efaxtransport
efax_rejected:
#!!# prefix renamed local_part_prefix
driver = accept
local_part_prefix = fax-
retry_use_local_part
transport = efax_rejected_user
unseen
no_verify
# TRANSPORTS CONFIGURATION
# This transport is used for delivering messages over SMTP connections.
begin transports
remote_smtp:
driver = smtp
no_delay_after_cutoff
serialize_hosts = *
# This transport is used for local delivery to user mailboxes
local_delivery:
#!!# prefix renamed message_prefix
#!!# suffix renamed message_suffix
#!!# no_from_hack replaced by check_string
driver = appendfile
check_string =
create_directory
delivery_date_add
directory = ${home}/Maildir/
directory_mode = 700
envelope_to_add
group = mail
maildir_format
message_prefix = ""
message_suffix = ""
quota = 30M
no_quota_is_inclusive
quota_warn_message = "\
To: $local_part@$domain\n\
Subject: Your mailbox is almost filled up!\n\n\
This message is automatically created \
by mail delivery software (Exim), your SMTP Server at wananchi.com.\n\
The size of your mailbox has exceeded a warning threshold\n\
set by the System Administrator.\n\
When you receive this message, it means that your current\n\
mailbox size is approaching 30M (MegaBytes). You need to clean up old msgs.\n\
If your e-mail software has a setting that leaves a copy of the message on\n\
the server, please also set the option that deletes the message\n\
from the server when you delete your local copy."
quota_warn_threshold = 75%
return_path_add
# I can also impose quota selectively via the authtab file in the format username:password:quota
# and use this lookup, with a default value of 20M in case a quota isn't specified for a user
# quota = ${extract{2}{:}{${lookup{${local_part}}lsearch{/etc/exim/authtab}{$value}{:20M}}}}
# quota = ${extract{2}{:}{${lookup{${local_part}}lsearch{/mail/conf/${domain}/passwd}{$value}{3M}}}}
# mode = 0660
# mode = 0600
# This transport is used for handling pipe deliveries generated by alias
# or .forward files.
address_pipe:
driver = pipe
return_output
# This transport is used for handling deliveries directly to files that are
# generated by aliassing or forwarding.
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
# Should you want to be able to specify either maildir or non-maildir
# directory-style deliveries, then you must set up yet another transport,
# called address_directory2. This is used if the path ends in "//" so should
# be the one used for maildir, as the double slash suggests another level
# of directory. In the absence of address_directory2, paths ending in //
# are passed to address_directory.
address_directory:
#!!# prefix renamed message_prefix
#!!# suffix renamed message_suffix
#!!# no_from_hack replaced by check_string
driver = appendfile
check_string =
delivery_date_add
envelope_to_add
maildir_format
message_prefix = ""
message_suffix = ""
return_path_add
# This transport is used for handling autoreplies generated by the filtering
# option of the forwardfile director.
address_reply:
driver = autoreply
fax:
driver = pipe
command = "/usr/local/bin/faxmail -d ${local_part}@${extract{1}{.}{$domain}}"
home_directory = /usr/local/bin
user = fax
# TPC.INT
tpc:
driver = pipe
command = "/var/tpc/tpcmailer.pl \"${local_part}@${domain}\" \"${sender_address}\""
return_fail_output
user = fax
efaxtransport:
driver = pipe
command = "/usr/local/bin/faxmail -d \"${local_part}\" \"${sender_address}\""
group = uucp
headers_add = "X-FAX-notify: when done"
home_directory = /usr/local/bin
user = fax
efax_rejected_user:
driver = autoreply
file = /etc/fax/warning.txt
file_expand
from = faxmaster@???
log = /var/log/exim/efax_rejectlog
subject = Re: Your Fax to $local_part
to = $sender_address
user = mailnull
# We want to handle some virtual domains in a special way from what
# we have already.
# This transport handles those special cases
virtual_localdelivery:
driver = appendfile
create_directory
delivery_date_add
directory_mode = 700
envelope_to_add
file = /var/spool/virtual/${domain}/${local_part}
group = mail
mode = 0660
return_path_add
user = mailnull
# user = ${extract{2}{:}{${lookup{$local_part} lsearch {/etc/virtual/${domain}/passwd}{$value}}}}
# RETRY CONFIGURATION
# Domain Error Retries
# ------ ----- -------
begin retry
wananchi.com * F,1h,10m
wananchi.co.ke * F,5d,24h
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
# Immediately bounce messages if mailbox is over quota.
* quota
# End of Exim 4 configuration
--
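Added example, not part of the original post or the poster's configuration: a simplified Python model of Exim's left-to-right, first-match host-list evaluation, applied to the `auth_advertise_hosts` line and the `smtp_auth` ACL from the attached configuration. The sample client addresses are constructed, and only IP, CIDR, `*` and `+name` items are modelled.

```python
import ipaddress

# Host lists and settings copied from the posted configuration.
# "+include_unknown" is left out: it only affects failed DNS lookups,
# and this model matches IP addresses only.
RELAY_NETS = ["62.8.64.0/24", "62.8.65.0/24", "62.8.66.0/24", "62.8.67.0/24",
              "62.8.68.0/24", "62.8.69.0/24", "212.49.74.0/25"]
HOSTLISTS = {
    "relay_hosts": RELAY_NETS + ["192.168.0.2/32"],
    "auth_relay_hosts": ["*"],
}
AUTH_ADVERTISE_HOSTS = ["!+relay_hosts", "+auth_relay_hosts"]
SMTP_AUTH_ACL_HOSTS = RELAY_NETS  # the "accept hosts = ..." line in smtp_auth


def host_in_list(ip, items):
    """Items are tried left to right and the first one that matches decides:
    a plain item means "in the list", a negated item ('!') means "not in the
    list". With no match at all the answer is "not in the list", unless the
    last item was negated."""
    addr = ipaddress.ip_address(ip)
    negated = False
    for item in items:
        negated = item.startswith("!")
        pattern = item.lstrip("!").strip()
        if pattern == "*":
            hit = True
        elif pattern.startswith("+"):          # reference to a named hostlist
            hit = host_in_list(ip, HOSTLISTS[pattern[1:]])
        else:
            hit = addr in ipaddress.ip_network(pattern)
        if hit:
            return not negated
    return negated


def auth_advertised(ip):
    """Would the EHLO response list AUTH for this client?"""
    return host_in_list(ip, AUTH_ADVERTISE_HOSTS)


def auth_acl_accepts(ip):
    """smtp_auth ACL: a single 'accept hosts' line, then the implicit deny."""
    return host_in_list(ip, SMTP_AUTH_ACL_HOSTS)


# Constructed sample client addresses, not taken from the post.
SAMPLES = ["62.8.64.10", "192.168.0.2", "212.49.74.200", "198.51.100.7"]


def report(samples=SAMPLES):
    return [(ip, auth_advertised(ip), auth_acl_accepts(ip)) for ip in samples]


if __name__ == "__main__":
    for ip, advertised, accepted in report():
        print(f"{ip:15} AUTH advertised={advertised!s:5} "
              f"smtp_auth ACL accepts={accepted}")
```

On a host with Exim installed, `exim -bh <ip>` runs a simulated SMTP session as if from that address, which lets the same decisions be checked against the real configuration.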