Re: [exim] How to do SMTP authentication for multiple users?

Author: Phil Pennock
Date:  
To: Leonardo
CC: Exim-users
Subject: Re: [exim] How to do SMTP authentication for multiple users?
On 2010-06-29 at 15:17 +0200, Leonardo wrote:
> fixed_login:
>     driver = plaintext
>     public_name = LOGIN
>     server_prompts = User Name : Password
>     server_condition = \
>         ${if and {{eq{$1}{joe|jane|nick}}{eq{$2}{abcd1234}}}{yes}{no}}
>     server_set_id = $1


You are allowing plaintext authentication without TLS. That is unwise.

eq{}{} does literal string comparison.

For the auth variables, if you use $auth1 instead of $1 then you'll also
avoid any problems with match{}{} *also* using $1 for capturing.
Doesn't look like this would affect your usage here, or with match{}{}
but it's better to move to clearly separate variables.

> This does not work either:
>
>         ${if and {{match{$1}{joe|jane|nick}}{eq{$2}{abcd1234}}}{yes}{no}}


That should have "worked", but note that the matching is unanchored by
default, so you want {\N^joe|jane|nick$\N} instead.

I don't have time to check, but if you switch the $2 to $auth2 and it
then works, please file a bug -- $1,... are not supposed to be capturing
patterns until in the success branch.

> Only specifying a single name seems to work. However, I prefer not to
> have all users authenticate with a single login:
>
>         ${if and {{eq{$1}{joe}}{eq{$2}{abcd1234}}}{yes}{no}}      # this works


auth_plain:
  driver        = plaintext
  public_name   = PLAIN
  server_advertise_condition = ${if def:tls_cipher}
  server_prompts        = :
  server_condition      = ${lookup{$auth2}lsearch{RUNAUTHDIR/mail-passwords}\
                                {${if eq{$value}{$auth3}{yes}{no}}}{no}}
  server_set_id         = ${quote:$auth2}


and similarly for LOGIN instead of PLAIN (but use $auth1/$auth2 instead
of $auth2/$auth3). Here, RUNAUTHDIR is a macro I've defined to point to
a directory, and mail-passwords contains the passwords in plaintext.

The mail-passwords file then looks like:
----------------------------8< cut here >8------------------------------
# *** IMPORTANT ***
# Dictionary attacks against SMTP servers to be able to send spam
# are a REAL problem; we do *NOT* allow users to set their own passwords.
# We generate random passwords and rely upon the passwords being put into
# the mail-program config. The user is permitted to keep the password
# written down, since it *MUST* *ONLY* be used to permit sending mail as
# that user, not for anything else (including shell login, mail reading
# access, whatever).
#
# Besides, we keep the passwords in plain-text in this file.
#
# Recommended password generation:
# openssl rand -base64 15
# and probably skip those with a '+' or '/' in, for now

joe:        5RajhsI6WqTYIsK4hr4p
----------------------------8< cut here >8------------------------------


and here, the 5R...4p stuff is the actual password. I have used just
this scheme and explained to users that it's *okay* to write *this*
password on a post-it note, or to tell their mail-program to remember it
(which they'll do anyway ...).

You can then also have:

auth_cram:
  driver        = cram_md5
  public_name   = CRAM-MD5
  server_secret = ${lookup{$auth1}lsearch{RUNAUTHDIR/mail-passwords}{$value}fail}
  server_set_id = ${quote:$auth1}


to support better authentication protocols using the same password
store.

Bonus points for then restricting to ports 463/587 to keep auth off port
25.

-Phil
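The following Python model is an added example, not part of the mailing-list thread and not Exim's own code. It mirrors the expansion logic discussed above so the behaviour can be checked offline: a minimal lsearch parser for the mail-passwords file (the file contents and the passwords here are constructed), the literal eq{}{} comparison, the unanchored versus anchored match{}{} (the anchored pattern groups the alternation so the anchors apply to each name), the lookup-based server_condition for PLAIN with its $auth2/$auth3 split, a CRAM-MD5 exchange with both client and server sides driven from the same password store, and a password generator following the "openssl rand -base64 15" recipe. The hostname in the challenge is a placeholder.

```python
"""Added example: Python model of the Exim authenticator logic discussed in the thread."""
import base64
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for the RUNAUTHDIR/mail-passwords lsearch file (not real credentials).
MAIL_PASSWORDS = """\
# comment and blank lines are skipped, as in an lsearch file
joe:        5RajhsI6WqTYIsK4hr4p
jane:       Qz9mB2LkTxW7vN1hR8dY
"""


def parse_lsearch(text):
    """Minimal lsearch parser: 'key: value' per line, first colon splits, surrounding blanks dropped."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(":")
        table[key.strip()] = value.strip()
    return table


def encode_plain(authzid, authcid, password):
    """Client side of AUTH PLAIN: base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(b"\0".join(s.encode() for s in (authzid, authcid, password))).decode()


def decode_plain(payload_b64):
    """Server side of AUTH PLAIN: the three NUL-separated fields become $auth1, $auth2, $auth3.
    That is why the PLAIN authenticator checks $auth2 (user) and $auth3 (password)."""
    parts = base64.b64decode(payload_b64).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN payload")
    return tuple(p.decode() for p in parts)


def eq_condition(user, password):
    """eq{$1}{joe|jane|nick} compares literally: only a user literally named 'joe|jane|nick' passes."""
    return user == "joe|jane|nick" and password == "abcd1234"


def match_unanchored(user, password):
    """match{$1}{joe|jane|nick} without anchors: any username containing one of the names passes."""
    return re.search(r"joe|jane|nick", user) is not None and password == "abcd1234"


def match_anchored(user, password):
    """Anchored form; the alternation is grouped so ^ and $ apply to every name, not just the outer ones."""
    return re.search(r"^(?:joe|jane|nick)$", user) is not None and password == "abcd1234"


def lookup_condition(table, user, password):
    """Equivalent of ${lookup{$auth2}lsearch{...}{${if eq{$value}{$auth3}{yes}{no}}}{no}}:
    an unknown user takes the 'no' branch; the comparison here is constant-time."""
    secret = table.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(secret.encode(), password.encode())


def cram_md5_challenge(hostname="mail.example"):
    """Server challenge; the hostname is a placeholder, not from the post."""
    return f"<{secrets.token_hex(8)}@{hostname}>"


def cram_md5_response(user, secret, challenge):
    """Client side of CRAM-MD5: 'user HMAC-MD5(secret, challenge)' base64-encoded."""
    digest = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(table, challenge, response_b64):
    """Server side, modelling server_secret = ${lookup{$auth1}lsearch{...}{$value}fail}:
    the same plaintext store serves PLAIN/LOGIN and CRAM-MD5; an unknown user makes the
    expansion fail so authentication does not succeed. Returns (user, ok)."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    secret = table.get(user)
    if secret is None:
        return None, False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return user, hmac.compare_digest(expected, digest)


def generate_password():
    """Mirror of 'openssl rand -base64 15', retrying until the result has no '+' or '/'."""
    while True:
        candidate = base64.b64encode(secrets.token_bytes(15)).decode()
        if "+" not in candidate and "/" not in candidate:
            return candidate
```

The CRAM-MD5 functions show why the store has to hold plaintext secrets: the server must recompute HMAC-MD5 over the challenge with the same secret the client used, so a hashed password file would not work with that mechanism.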