Re: [Exim] Authenticated smtp

Author: Nathan Ollerenshaw
Date:  
To: Ron McKeating
CC: Exim-Users (E-mail)
Subject: Re: [Exim] Authenticated smtp
On Jul 27, 2004, at 7:29 PM, Ron McKeating wrote:

> On Tue, 2004-07-27 at 07:46, Nathan Ollerenshaw wrote:


>> If you're using a reasonably modern operating system that has pam, you
>> can use it to do the same thing. Exim's spec.pdf, page 111 (numbered 99
>> in the pdf), or
>> http://www.exim.org/exim-html-4.40/doc/html/spec_11.html#IX936:


> I have tried this and it does not work. I am using Fedora Core 2 and
> the latest exim. I am unclear as to how exim, pam and /etc/shadow
> interact. Basically, is it possible to get exim to use pam to
> authenticate users against the /etc/shadow file?


How did you test it? Did you try running

exim -d+expand -be

to test the expansion? Using exim's debugging can really help when
you're trying to figure out what is going on. It's one of the compelling
reasons to use it, imho.

> ${if pam{chrome:testpass}{yes}{no}}

expanding: chrome:testpass
    result: chrome:testpass
Running PAM authentication for user "chrome"
PAM success
condition: pam{chrome:testpass}
    result: true
expanding: yes
    result: yes
expanding: no
    result: no
skipping: result is not used
expanding: ${if pam{chrome:testpass}{yes}{no}}
    result: yes
yes

> ${if pam{chrome:ewrrwerwer}{yes}{no}}

expanding: chrome:ewrrwerwer
    result: chrome:ewrrwerwer
Running PAM authentication for user "chrome"
PAM error: Authentication failure
condition: pam{chrome:ewrrwerwer}
    result: false
expanding: yes
    result: yes
skipping: result is not used
expanding: no
    result: no
expanding: ${if pam{chrome:ewrrwerwer}{yes}{no}}
    result: no
no


So, you can see on my FC2 machine that pam works with exim. If I do the
same expression not as root, but as a normal user, I have to turn off
debugging because it's restricted, but I can still do the PAM auth stuff
and it works.

With regards to Anand's post, at least on FC2 machines, you can ignore
the statement:

"In some operating systems, PAM authentication can be done only from a
process running as root. Since Exim is running as the Exim user when
receiving messages, this means that PAM cannot be used directly in
those systems. A patched version of the pam_unix module that comes with
the Linux PAM package is available from
http://www.e-admin.de/pam_exim/. The patched module allows one special
uid/gid combination, in addition to root, to authenticate. If you build
the patched module to allow the Exim user and group, PAM can then be
used from an Exim authenticator."

Maybe if you were to show examples of the authenticators that you tried
with PAM, and show some tests on the command line with the debugging
output enabled? The way I do it for a running daemon is that I stop the
exim service, then run it from the command line with 'exim -d+expand
-bd'. This just runs a single listener with no queue runner, and puts
all the debugging output into the terminal for you to see.

Nathan.

--
Nathan Ollerenshaw - Unix Systems Engineer
ValueCommerce - http://www.valuecommerce.ne.jp/
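
An added example, not part of the message above and not taken from the Exim distribution: two plaintext authenticators that use the same pam condition tested in the debug session. The authenticator names are made up; the sg item doubles any colon in the password because pam reads its argument as a colon-separated list, and $1/$2/$3 are the numeric variables of the 4.40 spec linked in the thread (later Exim releases also provide them as $auth1, $auth2, $auth3).

```exim
# Added example; place in the "begin authenticators" section of the Exim
# configuration. Names pam_plain and pam_login are hypothetical.

# PLAIN delivers three strings: authorization id, login, password.
# The login is $2 and the password is $3.
pam_plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
  server_set_id = $2

# LOGIN prompts for each value in turn: login is $1, password is $2.
# Colons inside the prompt text are doubled because the option is a
# colon-separated list.
pam_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}
  server_set_id = $1

# PLAIN and LOGIN carry the password unencrypted, so advertise AUTH only
# on TLS sessions. This line belongs in the main section, not here:
#   auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
```

Each server_condition can be pasted into 'exim -d+expand -be' with literal values substituted for the numeric variables, which is the same test shown in the message.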