Re: [exim] Authentication

Author: Yan Seiner
Date:  
To: exim-users
Subject: Re: [exim] Authentication
Dave Evans wrote:
> On Wed, Oct 31, 2007 at 03:26:13PM -0700, Yan Seiner wrote:
>
>> 1. Clients connecting on 25 unauthenticated can send email only to the
>> local domains.
>>
>> 2. Clients requesting relaying must connect encrypted and authenticate.
>>
>> 3. Clients requesting relaying unencrypted are rejected.
>>
>
> Pretty standard...
>
>
>> I have TLS working so encryption is there but I can't get the
>> authentication to go.
>>
>
> So it sounds like once you've got the authentication working, your relaying
> will be fine too.
>
> However, I think we could do with some more information...
>
> What sort of authentication do you want?

I've been authenticating against PAM, but from what I gather that's not
a good idea. So a local exim passwd file would be fine. (I only have a
few users who would request relaying.)

> What does your "authentication"
> config section look like?


# this returns the matching line from passwd.client and doubles all ^
PASSWDLINE=${sg{\
                ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
                }\
                {\\N[\\^]\\N}\
                {^^}\
            }


plain:
  driver = plaintext
  public_name = PLAIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  client_send = "<; ${if !eq{$tls_cipher}{}\
                    {^${extract{1}{:}{PASSWDLINE}}\
                     ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
                   }fail}"
.else
  client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
                    ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
.endif


login:
  driver = plaintext
  public_name = LOGIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  # Return empty string if not non-TLS AND looking up $host in passwd-file
  # yields a non-empty string; fail otherwise.
  client_send = "<; ${if and{\
                          {!eq{$tls_cipher}{}}\
                          {!eq{PASSWDLINE}{}}\
                         }\
                      {}fail}\
                 ; ${extract{1}{::}{PASSWDLINE}}\
                 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
.else
  # Return empty string if looking up $host in passwd-file yields a
  # non-empty string; fail otherwise.
  client_send = "<; ${if !eq{PASSWDLINE}{}\
                      {}fail}\
                 ; ${extract{1}{::}{PASSWDLINE}}\
                 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
.endif



> What sort of failure are you experiencing - does
> the server not offer the authentication, or does the server reject the
> client's credentials?

The server doesn't listen on SSL at all, and anything on 25 is rejected.


> What do the logs show?

2007-10-31 14:57:08 H=mail.piercecorporation.com ([192.168.2.3])
[66.224.227.170] F=<yan@???> rejected RCPT
<yan@???>: relay not permitted
2007-10-31 14:57:12 unexpected disconnection while reading SMTP command
from mail.piercecorporation.com ([192.168.2.3]) [66.224.227.170]


> Have you tried running with
> debugging enabled (exim -d)? What does the debug output look like?
>

No; I guess that's next.

--Yan
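The block posted above is a client-side authenticator (it uses client_send and passwd.client, i.e. the credentials Exim presents when it relays to a smarthost). The server side that enforces the three requirements quoted at the top of the thread is shown below as an added example; it is not from this thread or from the Debian exim4 package, and it assumes a password file /etc/exim4/passwd with one "user:crypted-password" line per user, a domain list named local_domains, an Exim 4 of this era (where $tls_cipher is empty on a cleartext session), and that STARTTLS is already configured as Yan says it is.

```exim
# ---- main section (before any "begin" line) ----
# Run an ACL at the AUTH command itself, so a cleartext AUTH is refused
# even if a client ignores the fact that AUTH was never advertised.
acl_smtp_auth = acl_check_auth
acl_smtp_rcpt = acl_check_rcpt

begin acl

# Requirement 3: an AUTH attempt on an unencrypted session is rejected.
acl_check_auth:
  deny    !encrypted = *
          message = AUTH is only accepted over TLS
  accept

# Requirement 1: anyone may deliver to the local domains.
# Requirement 2: relaying needs an encrypted session AND a successful AUTH.
acl_check_rcpt:
  accept  domains = +local_domains
  accept  authenticated = *
          encrypted = *
  deny    message = relay not permitted

begin authenticators

# Server-side PLAIN: $auth2 is the user, $auth3 the password.
# AUTH is only advertised once TLS is up, so passwords never cross in clear.
# The {*:*} default makes a missing user fail crypteq instead of erroring.
plain_server:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_advertise_condition = ${if def:tls_cipher}
  server_condition = ${if crypteq{$auth3}\
      {${extract{1}{:}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}{*:*}}}}}}
  server_set_id = $auth2

# Server-side LOGIN for clients that cannot do PLAIN: $auth1 user, $auth2 password.
login_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_advertise_condition = ${if def:tls_cipher}
  server_condition = ${if crypteq{$auth2}\
      {${extract{1}{:}{${lookup{$auth1}lsearch{/etc/exim4/passwd}{$value}{*:*}}}}}}
  server_set_id = $auth1
```

After adding this, "exim -bh <client-ip>" lets you walk through a fake session and see whether AUTH is advertised after STARTTLS and which ACL verb fires for a relay attempt, which answers Dave's "does the server not offer the authentication" question without a real client.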