I have the following configured for authentication. It uses sasldb2 for username:password
storage. I used this bit of perl, kindly shared from another exim user, because it was
the only way I knew of to share virtual user info between both cyrus and exim without
moving to LDAP.
Works great with Thunderbird, but I can't get it to work with Outlook or Outlook Express:
Login authenticator failed 535 Incorrect authentication data
perl_at_start
# Realm defaults to $primary_hostname unless the expansion passes one explicitly.
# No '#' comments inside perl_startup: the continuation lines are joined into one
# string, so a perl comment would swallow everything after it.
perl_startup = \
use BerkeleyDB ; \
use Digest::MD5 ; \
my $autoTransition = 0 ; \
my $defaultRealm = Exim::expand_string('$primary_hostname'); \
my %sdb ; \
my $Sdb = tie %sdb, "BerkeleyDB::Hash", \
-Filename => "/etc/sasldb2", \
-Flags => DB_RDONLY \
or die "Could not tie to /etc/sasldb2: $!\n" ; \
sub makeKey ($$;$) { \
my ($usr, $key, $realm) = @_ ; \
$realm = $defaultRealm unless $realm ; \
return "${usr}\000${realm}\000${key}" ; \
} \
sub getPw ($;$) { \
return $sdb{makeKey(shift, 'userPassword', shift)} ; \
} \
sub checkPw ($$;$) { \
my $m = Digest::MD5->new ; \
my ($usr, $val, $realm) = @_ ; \
my $u = makeKey($usr, 'userPassword', $realm) ; \
return ($sdb{$u} eq $val) if exists $sdb{$u} ; \
my $p = makeKey($usr, 'cmusaslsecretPLAIN', $realm) ; \
my $V = $sdb{$p} ; return undef unless $V ; \
my ($s,$h) = unpack('a16 x a16', $V) ; \
my $ret = $h eq $m->add($s, 'sasldb', $val)->digest ; \
return $ret ; \
}
AUTHENTICATION
# The PLAIN authentication mechanism (RFC 2595) specifies that three
# strings be sent with the AUTH command. The second and third of them
# are a user/password pair.
plain:
driver = plaintext
public_name = PLAIN
# We should be able to do a dbm lookup in the sasldb2 database using
# a key composed by concatenating the username, domain name, and
# 'userPassword'. BUT cyrus-sasl puts NULs between the components
# and exim can't handle strings with embedded NULs... Hence the perl.
server_condition = ${perl {checkPw} {$2} {$3} {mail} }
server_set_id = $2
# The LOGIN mechanism is not a standard but is used in many programs.
# It doesn't provide any info on the AUTH command; but responds to
# prompts. Some clients are reputedly -very- sensitive to exact spelling
# of the prompts. (Unsurprisingly, Outlook Express is reported to be
# among them.)
login:
driver = plaintext
public_name = LOGIN
server_prompts = Username : Password
# Compare the password the client sent ($2) against sasldb2; a bare getPw
# lookup expands to the stored password string, which is not a yes/no result.
server_condition = ${perl {checkPw} {$1} {$2} {mail} }
server_set_id = $1
# The CRAM-MD5 mechanism avoids sending the password in the clear by
# computing an MD5 digest from the password and session-specific info.
# The authenticator puts the username in $1 and expands session_secret
# to obtain a plain-text password; which it then runs through the
# CRAM-MD5 algorithm to obtain a value to be compared against what
# the client sent
cram:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${perl {getPw} {$1} {mail}}
server_set_id = $1
#-------------------------------------------------------------------------
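The key layout and the salted check the perl above performs, as an added stand-alone Python example (not the poster's code and not cyrus-sasl's): it runs over a constructed in-memory dictionary instead of the tied /etc/sasldb2 file, and the realm "mail", the sample users and the fixed salt are assumptions.

```python
import hashlib
import hmac

# Assumed default realm; the perl on the page uses $primary_hostname.
DEFAULT_REALM = "mail"


def make_key(user, prop, realm=None):
    """sasldb2 key as the perl makeKey builds it: user NUL realm NUL property."""
    realm = realm or DEFAULT_REALM
    return f"{user}\0{realm}\0{prop}".encode()


def make_plain_secret(password, salt):
    """Build a cmusaslsecretPLAIN value in the shape the perl checkPw reads:
    16-byte salt, one skipped byte, then md5(salt . 'sasldb' . password)."""
    if len(salt) != 16:
        raise ValueError("salt must be 16 bytes")
    digest = hashlib.md5(salt + b"sasldb" + password.encode()).digest()
    return salt + b"\0" + digest


def check_pw(db, user, password, realm=None):
    """Same decision as checkPw: prefer a cleartext userPassword entry,
    otherwise verify against the salted cmusaslsecretPLAIN digest."""
    clear = db.get(make_key(user, "userPassword", realm))
    if clear is not None:
        return hmac.compare_digest(clear, password.encode())
    secret = db.get(make_key(user, "cmusaslsecretPLAIN", realm))
    if secret is None or len(secret) != 33:
        return False  # unknown user/realm or malformed record
    salt, stored = secret[:16], secret[17:]  # perl: unpack('a16 x a16')
    computed = hashlib.md5(salt + b"sasldb" + password.encode()).digest()
    return hmac.compare_digest(stored, computed)


def server_condition(db, user, password, realm=None):
    """The form an exim server_condition expansion should yield: yes or no."""
    return "yes" if check_pw(db, user, password, realm) else "no"


# Constructed sample entries standing in for the tied sasldb2 hash.
_SALT = bytes(range(16))
SAMPLE_DB = {
    make_key("alice", "cmusaslsecretPLAIN"): make_plain_secret("s3cret", _SALT),
    make_key("bob", "userPassword"): b"hunter2",
}
```

Exim treats "1", "yes" or "true" as success and an empty string, "0", "no" or "false" as failure; any other expansion result, such as a stored password returned by a plain lookup, is not a valid condition result.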