Re: [exim] Re: SMTP Authentication out of the box

Author: Andreas Metzler
Date:  
To: Exim-Users (E-mail)
Subject: Re: [exim] Re: SMTP Authentication out of the box
On 2004-12-17 Ron McKeating <R.J.Mckeating@???> wrote:
> On Thu, 2004-12-16 at 18:49, Andreas Metzler wrote:
>> David Woodhouse <dwmw2@???> wrote:
>>> On Thu, 2004-12-16 at 16:26 +0000, Ron McKeating wrote:
>>>> Not sure why anyone would want to bother to set up the sasl authd when
>>>> pam comes with fedora and works out of the box with minimal config.
>>>> There is no need for pam_exim any longer.


>>> For users whose password is in /etc/shadow? What am I missing?


>> Quote from Wiki:
>> | Also I have exim run as group exim this group needs read access on
>> |
>> | /etc/shadow

[...]
>> * <chgrp exim /etc/shadow> This will break vlock, chage, and other
>> SGID shadow stuff.
> This is what we do and we seem to be living with it ok. I know it is not
> perfect but we simply MUST have authenticated SMTP.

[...]

Hello,
You are free to break this on your own systems but I am unhappy to
advertise this in the Wiki as "the zero-problems, simple solution":
| So no need for sassl authd or pam_exim or anything else, it all just
| works.


> It is a compromise I know but if anybody has a better solution I am
> happy to listen. And no I am not going down the sasl authd route.


If you are opposed to saslauthd (which _is_ the most simple proper
solution for this problem on any Linux-distribution including a
packaged version of saslauthd) you could simply mirror the required
lines (and columns) of /etc/shadow to /etc/exim/smtp-pass with a
cronjob and use a simple lsearch instead of pam.

# Mirror user:hash for accounts that can authenticate, and nothing else:
# keep only lines whose hash field is at least six characters (drops
# empty, "!" and "*" entries), skip root, write under a restrictive umask
# so the new file is never group/world-readable even between touch and
# chmod, and rename it into place so exim never reads a half-written
# file.  "^root:" rather than "^root", so other users whose name merely
# starts with "root" are kept.
umask 077 &&\
rm -f /etc/exim/smtp-pass.new &&\
touch /etc/exim/smtp-pass.new &&\
chmod 0600 /etc/exim/smtp-pass.new &&\
grep '^[^:][^:]*:[^:][^:][^:][^:][^:][^:][^:]*:' /etc/shadow |\
grep -v '^root:' | cut -f 1-2 -d: > /etc/exim/smtp-pass.new &&\
chmod 0400 /etc/exim/smtp-pass.new &&\
chown exim:exim /etc/exim/smtp-pass.new &&\
mv /etc/exim/smtp-pass.new /etc/exim/smtp-pass

Using tempfile(1) instead of hardcoding smtp-pass.new might be better,
but I've no idea how widespread tempfile(1) is today.
                cu andreas
-- 
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
                                           http://downhill.aus.cc/
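The shadow-mirroring cron job above, as an added example that is not part of Andreas's post or of the Exim project: the same user:hash extraction for an lsearch file, written through mktemp(1) (the coreutils/BSD successor to the tempfile(1) question raised above) and renamed into place atomically. It goes slightly beyond the original filter by also dropping hashes that start with "!" or "*" (accounts locked with passwd -l / usermod -L). Assumptions: mktemp(1) is available, and the owner is passed as an optional third argument (e.g. exim:exim) rather than hard-coded, so the function can be exercised on a box without an exim account.

```sh
#!/bin/sh
# Added example, not code from the original post: mirror the user:hash columns
# of a shadow-format file into a 0400 file for an Exim lsearch lookup.
# Assumptions: mktemp(1) exists; the destination owner (user:group) is an
# optional third argument instead of being hard-coded to exim:exim.
#
# Usage: mirror_shadow /etc/shadow /etc/exim/smtp-pass exim:exim

mirror_shadow() (
    src=$1
    dst=$2
    owner=${3:-}
    dir=$(dirname "$dst")

    # Restrictive umask so the temporary file is private from the moment it
    # exists; the subshell body keeps the umask change local to this function.
    umask 077
    tmp=$(mktemp "$dir/smtp-pass.XXXXXX") || exit 1

    # Keep user:hash only for accounts that can actually authenticate:
    #  - hash field at least six characters (drops empty, "!" and "*" entries),
    #  - hash not starting with "!" or "*" (locked by passwd -l / usermod -L),
    #  - not root ("^root:" rather than "^root", so a user named e.g. rootbeer
    #    is not dropped by accident).
    if ! grep '^[^:][^:]*:[^:]\{6,\}:' "$src" \
        | grep -v '^[^:]*:[!*]' \
        | grep -v '^root:' \
        | cut -d: -f1-2 > "$tmp"; then
        rm -f "$tmp"; exit 1
    fi

    chmod 0400 "$tmp" || { rm -f "$tmp"; exit 1; }
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; exit 1; }
    fi
    # Atomic replace: readers see either the old or the new file, never a
    # partial one.
    mv -f "$tmp" "$dst"
)
```

The temporary file is created in the destination directory (not /tmp) so that the final mv is a rename on the same filesystem and therefore atomic; creating it elsewhere would turn the rename into a copy and reopen the half-written-file window the original &&-chain is trying to close.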