Re: [Exim] Authentication

Author: Tor Slettnes
Date:  
To: Scott Mohnkern
CC: exim-users
Subject: Re: [Exim] Authentication
On May 11, 2004, at 08:11, Scott Mohnkern wrote:

> I'm running Exim 3.x on a Debian box and have found myself in the need of
> authentication on SMTP.
>
> I found the section in exim.conf on authentication, but the question is:
>
> 1. Should one normally uncomment the "plain" or "login" sections for
> authentication?
>
> 2. Is there an "easy" way to create the crypted passwords for
> /etc/exim/password?


Logically, you have three choices:

1. Allow/mandate encrypted (DIGEST-MD5, and to a lesser degree
CRAM-MD5) authentication. Since these are based on challenge/response,
Exim needs to know the secret - i.e. passwords must be stored on your
system in plaintext format (in a file that only your Exim user can
read).

2. Allow only "PLAIN" and "LOGIN" authentication. Passwords can be
stored on your system in encrypted format, but passwords are
transmitted "as is" from client to server. If you do this, you ought
to allow authentication only over TLS (i.e. SSL) connections (which
brings you to dealing with server certificates, signing authorities,
etc).

3. Use a separate Kerberos server to issue authentication tokens. This
is technically superior (allows encrypted challenge/response, while not
requiring passwords to be stored on your Exim server), but is much
harder to set up.

Perhaps the simplest way is choice #2. In your main section, you would
have:

    tls_advertise_hosts = *
    tls_certificate     = /etc/ssl/certs/mailserver.pem
    tls_privatekey      = /etc/ssl/certs/mailserver.pem


(Replace the filenames with appropriate certificate and key files).  In
your authenticators section, you would uncomment the "plain_server" and
"login_server" blocks.  Finally, you can create CONFDIR/passwd as
follows:

    # cut -d: -f1-2 /etc/shadow > CONFDIR/passwd


(Replace CONFDIR with your Exim configuration directory, and replace
/etc/shadow with /etc/passwd if you don't use shadow passwords).

-tor
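
A more careful variant of the `cut` step in the message above, as an added example that is not part of the original post: `cut` copies every line, including locked accounts and accounts with an empty password field, and the mode of the output file depends on the current umask. The function names `make_sample_shadow` and `build_exim_passwd` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Function names and the
# sample data are hypothetical/constructed.

# Write a constructed shadow-format sample (no real hashes) to $1.
make_sample_shadow() {
    cat > "$1" <<'EOF'
alice:$1$constructed$BBBBBBBBBBBBBBBBBBBBBB:12500:0:99999:7:::
daemon:*:12500:0:99999:7:::
bob:!$1$constructed$CCCCCCCCCCCCCCCCCCCCCC:12500:0:99999:7:::
guest::12500:0:99999:7:::
carol:$1$constructed$DDDDDDDDDDDDDDDDDDDDDD:12500:0:99999:7:::
EOF
}

# build_exim_passwd SRC DEST
# Copy "user:hash" pairs from SRC to DEST, skipping entries that must not
# become SMTP logins, and create DEST readable by its owner only.
build_exim_passwd() {
    src=$1
    dest=$2
    (
        umask 077                      # new files get mode 0600
        tmp="$dest.tmp.$$"
        if awk -F: '
            $2 == ""     { next }      # empty field: account has no password
            $2 ~ /^[!*]/ { next }      # "*" or "!": locked or no-login account
            { print $1 ":" $2 }
        ' "$src" > "$tmp"; then
            mv -f "$tmp" "$dest"       # replace in one step, keeps mode 0600
        else
            rm -f "$tmp"
            exit 1
        fi
    )
}

# Demo on the constructed sample; on a real host SRC is /etc/shadow, DEST is
# CONFDIR/passwd, and DEST must then be chowned to the user Exim runs as.
demo_dir=$(mktemp -d)
make_sample_shadow "$demo_dir/shadow"
build_exim_passwd "$demo_dir/shadow" "$demo_dir/passwd"
cat "$demo_dir/passwd"
rm -rf "$demo_dir"
```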