[exim] secure, authenticated SMTP with exim and Outlook [Exp…

Author: Erik Myllymaki
Date:  
To: Exim-Users (E-mail)
Subject: [exim] secure, authenticated SMTP with exim and Outlook [Express]
I have the following configured for authentication. It uses sasldb2 for username:password
storage. I used this bit of perl, kindly shared from another exim user, because it was
the only way I knew of to share virtual user info between both cyrus and exim without
moving to LDAP.

Works great with Thunderbird, but I can't get it to work with Outlook or Outlook Express:

Login authenticator failed 535 Incorrect authentication data


perl_at_start
perl_startup    = \
         use BerkeleyDB ; \
         my $autoTransition      = 0 ; \
         my $defaultRealm        = Exim::expand_string('$primary_hostname'); \
         my %sdb ; \
         my $Sdb = tie %sdb, "BerkeleyDB::Hash", \
                 -Filename => "/etc/sasldb2", \
                 -Flags    => DB_RDONLY \
             or die "Could not tie to /etc/sasldb2: $!\n" ; \
         sub makeKey ($$;$) { \
             my ($usr, $key, $realm) = @_ ; \
             $realm = $defaultRealm      unless $realm ; \
             return "${usr}\000${realm}\000${key}" ; \
         } \
         sub getPw   ($;$) { \
             return $sdb{makeKey(shift, 'userPassword', shift)} ; \
         } \
         sub checkPw ($$;$) { \
             use Digest::MD5 ; my $m = Digest::MD5->new ; \
             my ($usr, $val, $realm) = @_ ; \
             my $u = makeKey($usr, 'userPassword', $realm) ; \
             return ($sdb{$u} eq $val) if  exists $sdb{$u} ; \
             my $p = makeKey($usr, 'cmusaslsecretPLAIN', $realm) ; \
             my $V = $sdb{$p} ; return undef unless $V ; \
             my ($s,$h)=unpack('a16 x a16', $V) ; \
             my $ret = $h eq  $m->add($s, 'sasldb', $val)->digest ; \
             return $ret ; \
         }
AUTHENTICATION

#   The PLAIN authentication mechanism (RFC 2595) specifies that three
#   strings be sent with the AUTH command. The second and third of them
#   are a user/password pair.
plain:
     driver              = plaintext
     public_name         = PLAIN
     #   We should be able to do a dbm lookup in the sasldb2 database using
     #   a key composed by concatenating the username, domain name, and
     #   'userPassword'.  BUT cyrus-sasl puts NULs between the components
     #   and exim can't handle strings with embedded NULs...  Hence the perl.
     server_condition    = ${perl {checkPw} {$2} {$3} {mail} }
     server_set_id       = $2


#   The LOGIN mechanism is not a standard but is used in many programs.
#   It doesn't provide any info on the AUTH command; but responds to
#   prompts.  Some clients are reputedly -very- sensitive to exact spelling
#   of the prompts.  (Unsurprisingly, Outlook Express is reported to be
#   among them.)
login:
     driver              = plaintext
     public_name         = LOGIN
     server_prompts      = Username : Password
     server_condition    = ${perl {getPw} {$1} {mail} }
     server_set_id       = $1


#   The CRAM-MD5 mechanism avoids sending the password in the clear by
#   computing an MD5 digest from the password and session-specific info.
#   The authenticator puts the username in $1 and expands server_secret
#   to obtain a plain-text password, which it then runs through the
#   CRAM-MD5 algorithm to obtain a value to be compared against what
#   the client sent.
cram:
     driver              = cram_md5
     public_name         = CRAM-MD5
     server_secret       = ${perl {getPw} {$1} {mail}}
     server_set_id       = $1


#-------------------------------------------------------------------------
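The three exchanges the comments above describe, as an added Python model that is not the poster's code or Exim's: it mirrors getPw against a constructed in-memory stand-in for sasldb2 (realm `mail`, as the config passes) and shows the client message and the server-side check for PLAIN, LOGIN and CRAM-MD5. The user name, password and sasldb entry are constructed; the LOGIN check also shows why a server_condition that only calls getPw on $1 yields the stored password rather than a yes/no and so cannot succeed.

```python
import base64, hashlib, hmac

# Constructed stand-in for /etc/sasldb2: the key is user\0realm\0property,
# exactly as the post's makeKey() builds it (realm "mail", as the config passes).
REALM = "mail"
SASLDB = {b"erik\x00mail\x00userPassword": b"s3cret"}

def get_pw(user, realm=REALM):
    """Mirror of the post's getPw: the stored plain-text password, or None."""
    return SASLDB.get(f"{user}\0{realm}\0userPassword".encode())

def plain_response(user, password, authzid=""):
    """Client side of PLAIN (RFC 2595): one base64 blob of authzid\\0authcid\\0password."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode())

def check_plain(response_b64):
    """Server side of PLAIN: Exim sets $1/$2/$3; compare $3 with the stored password (as checkPw does)."""
    parts = base64.b64decode(response_b64).split(b"\0")
    if len(parts) != 3:
        return None
    user, password = parts[1].decode(), parts[2]
    stored = get_pw(user)
    return user if stored and hmac.compare_digest(stored, password) else None

def login_prompts():
    """What `server_prompts = Username : Password` puts on the wire: each prompt
    is base64-encoded after a 334 reply, and the client answers each in base64."""
    return [b"334 " + base64.b64encode(p) for p in (b"Username:", b"Password:")]

def check_login(user_b64, password_b64):
    """Server side of LOGIN: $1 is the username reply, $2 the password reply.
    ${perl {getPw} {$1} {mail}} alone yields the stored password, never 'yes'; $2 must be compared."""
    user = base64.b64decode(user_b64).decode()
    stored = get_pw(user)
    return user if stored and hmac.compare_digest(stored, base64.b64decode(password_b64)) else None

def cram_response(user, password, challenge):
    """Client side of CRAM-MD5 (RFC 2195): 'user ' + hex(HMAC-MD5(password, challenge))."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def check_cram(challenge, response_b64):
    """Server side of CRAM-MD5: recompute from the plain-text secret (server_secret), so getPw fits here."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    stored = get_pw(user)
    if stored is None:
        return None
    expected = hmac.new(stored, challenge, hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected.encode(), digest.encode()) else None
```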