[exim] SMTP Authentication out of the box

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Ron McKeating
Dátum:  
Címzett: Exim-Users (E-mail)
CC: Alec Edworthy, isss
Tárgy: [exim] SMTP Authentication out of the box
For those of you who wanted to know what the solution was here is a
detailed note for your info. This will allow you to do authenticated
smtp over ssl with the standard exim just using pam.

Exim 4.x
courier imap

Compiling exim
The following settings need to be set

AUTH_PLAINTEXT=yes
SUPPORT_TLS=yes
TLS_LIBS=-lssl -lcrypto
TLS_LIBS=-L/usr/local/openssl/lib -lssl
TLS_INCLUDE=-I/usr/local/openssl/include/
SUPPORT_PAM=yes
EXTRALIBS=-lpam
----------------------------

In the exim config file
tls_advertise_hosts = *
tls_certificate = /usr/lib/courier-imap/share/imapd.pem
(note I am using the certificate that courier installs for itself)
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
(This means only connections over ssl will be offered authentication)

begin authenticators

plain:
   driver = plaintext
   public_name = PLAIN
   server_prompts = :
   server_condition = "${if pam{$2:$3}{1}{0}}"
   server_set_id = $2
                                                                               login:
   driver = plaintext
   public_name = LOGIN
   server_prompts = "Username:: : Password::"
   server_condition = "${if pam{$1:$2}{1}{0}}"
   server_set_id = $1
-------------------------------
Also I have exim run as group exim this group needs read access on


/etc/shadow
/usr/lib/courier-imap/share/imapd.pem
(this is the certificate file, (again) one that courier imap creates)

/etc/pam.d/exim (this is really important or you will get the error
535 Incorrect authentication data (set_id=ron)

-------------------------------

contents of /etc/pam.d/exim

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok


auth        required      /lib/security/$ISA/pam_deny.so


account     required      /lib/security/$ISA/pam_unix.so


password    required      /lib/security/$ISA/pam_cracklib.so retry=3
type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5shadow


password    required      /lib/security/$ISA/pam_deny.so


session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so


--------------------------

With the above we are able to do authenticated smtp using standard out
of the box exim and the standard pam modules that come with linux.
So no need for sassl authd or pam_exim or anything else, it all just
works.

Hope this is cluefull to those of you trying to do the same.

Ron

Ron McKeating
Senior IT Services Specialist
Internet Services and Software Solutions
Loughborough University
01509 222329