Re: [Exim] Authenticated smtp

Author: Phil Jordan
Date:  
To: Exim-Users (E-mail)
CC: R.J.Mckeating
Subject: Re: [Exim] Authenticated smtp
Re the thread below, if I may attempt to summarise:

* Many users of Exim cannot get PAM to authenticate for them if they're
not running Exim as root.
* Users of Fedora Core 2 report that it works fine thanks, what's all
the fuss?
* Nathan suggested that maybe a solution would be to simply upgrade
everything in sight to the same release level as used in FC2.
* Otherwise we're looking at some sort of virtual user scheme.

The notes from Philip Hazel in the Exim FAQ raised the expectation in my
mind that it was possible to use PAM (with release 0.72 or higher) as
many of us would wish to, but we cannot seem to get it to cooperate.
Indeed the PAM documentation (that I can find) only mentions allowing
non-root users to authenticate *their own* passwords. Hmmmm.

The latest PAM FAQ ($Date: 2004/06/07 19:35:17 $) agrees that this (apps
that want to authenticate on behalf of users other than the one they're
running as) is a problem and suggests a workaround of creating a
"shadow" group, making this the exim group and giving it read access to
/etc/shadow. Perhaps this is what's going on with FC2? (I tried swapping
my own, simpler pam.d/exim file for the one used by Ron below, but
unsurprisingly it made no difference).

I've looked at PAM 0.77 but I don't recall seeing much that had a
bearing on this problem.

Does this cover everything? Comments, please?

Best wishes

Phil Jordan

Ron McKeating wrote:

>On Thu, 2004-07-29 at 01:20, Phil Jordan wrote:
>
>
>>I've run tests (exim -d+expand -be) with exim both as root and as exim.
>>
>>(I'm running RH9 with PAM 0.75. I created a pam.d/exim file by hand
>>modelled after the one used for IMAP on my system.)
>>
>>The test run as root succeeds, validating my authenticator code.
>>
>>The test run as exim fails.
>>
>>Before I give up on PAM and start looking at other options, can I double
>>check if there's anything special I should be doing for my PAM config
>>(pam.d/exim) please? According to the Exim docs PAM 0.72 and up should
>>support checking from a non-root account so I had expected using PAM to
>>work.
>>
>>
>>
>
>After input from Nathan and a few others I decided to try using it out
>of the box on my FC2 box. It works fine. No problems, this is my exim
>file in /etc/pam.d/
>
>** (Ron's config here) **
>
>
>>Thanks
>>
>>Phil Jordan
>>
>>On Wed Jul 28, 2004 at 2:26 am, Nathan Ollerenshaw wrote
>>
>>
>>
>>>On Jul 27, 2004, at 7:45 PM, Anand Buddhdev wrote:
>>>
>>>
>>>>If Exim is not running as root, then, when using PAM, it is not able to
>>>>read /etc/shadow, and so it cannot authenticate users. One work-around
>>>>is to run exim as root, but that's a very bad idea. I prefer not to use
>>>>PAM at all. There are other solutions to get SMTP authentication to
>>>>work.
>>>>
>>>>
>>>I just tested it under FC2 as a normal user.
>>>
>>>No problems using PAM here :)
>>>
>>>Nathan.
>>>
>>>--
>>>Nathan Ollerenshaw - Unix Systems Engineer
>>>ValueCommerce - http://www.valuecommerce.ne.jp
>>>
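
Added example, not part of the original thread and not code from Exim or PAM: a check of the permission question the thread turns on, namely whether the account Exim runs as can read /etc/shadow through the owner, group or other mode bits. The account name `exim` is an assumption, and ACLs and other access controls are not considered.

```python
#!/usr/bin/env python3
"""Can a given local account read /etc/shadow under classic Unix mode bits?"""
import grp
import os
import pwd
import stat
import sys


def can_read(mode, file_uid, file_gid, uid, gids):
    """Apply the owner/group/other read bits in kernel order (no ACLs)."""
    if uid == 0:
        return True                       # root bypasses the mode bits
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)  # owner class wins even if group allows
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)  # the "shadow group" workaround lands here
    return bool(mode & stat.S_IROTH)


def account_ids(user):
    """Return (uid, gids) for a local account: primary plus supplementary groups.

    Caveat: a daemon that sets its gid explicitly may not carry supplementary
    groups, which is why the PAM FAQ workaround uses the primary (exim) group.
    """
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def diagnose(user, path="/etc/shadow"):
    """Report whether `user` could read `path` and the mode/group that decide it."""
    st = os.stat(path)
    uid, gids = account_ids(user)
    ok = can_read(st.st_mode, st.st_uid, st.st_gid, uid, gids)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)            # gid with no name in the group database
    verdict = "can" if ok else "cannot"
    return ok, (f"{path}: mode {stat.S_IMODE(st.st_mode):04o}, group {group}; "
                f"{user} (uid {uid}) {verdict} read it")


if __name__ == "__main__":
    # Account name defaults to 'exim' (assumption); pass another as argv[1].
    ok, msg = diagnose(sys.argv[1] if len(sys.argv) > 1 else "exim")
    print(msg)
    sys.exit(0 if ok else 1)
```

Running it as root with the Exim account name as the argument shows which permission class applies on a given host; a "cannot" result matches the failure reported in the thread when the test is run as exim.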