[Exim] Selective AUTH LOGIN failures with exim4+PAM

Author: Marek Szuba
Date:  
To: exim-users
Subject: [Exim] Selective AUTH LOGIN failures with exim4+PAM
Hello,

Trying to enable SMTP AUTH over SSL/TLS with exim version 4.22 as found
in Debian sarge packages, I have noticed that authentication fails for
certain users.

The system in question handles user accounts provided in many different
ways; it was therefore quite natural for us to employ PAM for
authentication purposes. In exim, the following rule has been put into
the auth configuration:

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}"
  server_set_id = $1

whereas /etc/pam.d/exim4 and exim (just in case) both contain:

auth     sufficient     pam_ldap.so
auth     required       pam_unix.so try_first_pass
account  sufficient     pam_ldap.so
account  required       pam_unix.so
session  sufficient     pam_ldap.so
session  required       pam_unix.so



This setup works. The bad news is that, for a reason unknown to me, it
doesn't work for certain users (error 535). At first, knowing about the
colon issue, I thought the cause of that behaviour was non-alphanumeric
characters in the passwords, but it has turned out I was mistaken: the
unlucky users cannot authenticate even when their passwords are changed
to letters only. It doesn't seem to be PAM-related, since the same users
can do SSH, IMAP etc. (using identical plugin rule files) with no
problems whatsoever. Finally, where the particular account's data is
stored doesn't seem to matter either - for instance, in LDAP there are
both "good" and "bad" accounts, structurally identical (i.e. they're
described with identical objects and keywords, only their contents -
UID, home dir etc. - differ).

I have already examined the authentication for both types of users while
running exim in debug mode, but failed to notice anything peculiar.

Could you try and at least point me in the right direction?

Cheers,
--
MS
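
The colon issue mentioned in the message, modelled as an added example (not part of the original post and not Exim's own code): it builds the string that `$1:${sg{$2}{:}{::}}` produces and splits it under Exim's documented list rules, to show which submitted credentials reach PAM unchanged. It goes slightly beyond the colon case by also covering white space and the unescaped `$1`; the function names and sample credentials are constructed for illustration.

```python
# Simplified model (an assumption, not Exim source) of how the pam{} condition
# reads the string built by  $1:${sg{$2}{:}{::}}  under Exim's list rules:
# ':' separates items, '::' is a literal ':', and white space around each
# item is dropped.

def expand_condition_arg(user, password):
    """Mimic "$1:${sg{$2}{:}{::}}": only the password has its colons doubled."""
    return user + ":" + password.replace(":", "::")

def split_colon_list(s):
    """Split a colon-separated list, treating '::' as one literal colon."""
    items, cur, i = [], [], 0
    while i < len(s):
        if s[i] == ":":
            if s[i + 1:i + 2] == ":":           # doubled colon -> data
                cur.append(":")
                i += 2
                continue
            items.append("".join(cur).strip())  # single colon -> separator
            cur = []
        else:
            cur.append(s[i])
        i += 1
    items.append("".join(cur).strip())
    return items

def seen_by_pam(user, password):
    """Return (user, responses) as the PAM conversation would receive them."""
    items = split_colon_list(expand_condition_arg(user, password))
    return items[0], items[1:]

def survives(user, password):
    """True when the credentials reach PAM exactly as the client sent them."""
    return seen_by_pam(user, password) == (user, [password])

if __name__ == "__main__":
    # Constructed sample credentials, not taken from the post.
    samples = [("alice", "letters"), ("alice", "pa:ss"), ("alice", ":pw"),
               ("alice", " padded "), ("bob:jr", "letters")]
    for user, pw in samples:
        print(f"{user!r:10} {pw!r:12} -> {seen_by_pam(user, pw)} "
              f"{'ok' if survives(user, pw) else 'ALTERED'}")
```

A pair reported as ALTERED fails with 535 in Exim even though the same credentials work for services that pass them to PAM directly.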