Re: [exim] Exim4 + fixed_cram

Author: Phil Pennock
Date:  
To: basti
CC: exim-users
Subject: Re: [exim] Exim4 + fixed_cram
On 2014-01-23 at 15:46 +0100, basti wrote:
> * OK [CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES SORT AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE ACL ACL2=UNION]

Okay, you have an authentication store which is _probably_ storing the
cleartext passwords, or which might be storing multiple transforms of
the password.

> I want to use the same on SMTP/Exim side of my Mailsystem.

How is Courier authentication configured? You should be able to access
the same password store in Exim, for unified passwords to send and
receive email, with CRAM-MD5 and friends all supported by Exim.

For instance, if Courier is still using `/etc/userdbshadow.dat` then you
can use a `dbmnz` lookup in Exim to retrieve the password for the user,
in the `server_secret` option of an authenticator.

If Courier is configured to use Cyrus SASL db storage, then you can do
the same with Exim, using either `cyrus_sasl` or `gsasl` as the backend
provider. `cyrus_sasl` works in conjunction with the existing tools,
where using `gsasl` against the same store provides a simpler setup with
fewer moving parts, which is easier to debug.

Without knowing where the actual authentication data is stored, and how
it's stored, I can't be more specific in my guidance; you might look at
the example here:
<http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_gsasl_authenticator.html>
for guidance on using gsasl with a Cyrus password store.

Exim is _flexible_ and can be set up to work with what you already have,
but that means there's no One Right Way to do things.

> Which technique do you prefer for:
>
> port 25/465 or 587
> SSL/TLS with Encrypted password

Email submission should be on 465 and 587. The standards say 587 with
STARTTLS; 465 is SSL-on-connect; some clients support just one or the
other; there's no reason not to provide both in Exim: the attack surface
is the same, and you're not going to be using the 465 port for another
purpose on the same IP as you're providing mail-service, so just go
ahead and provide both.

    daemon_smtp_ports = 25 : 465 : 587
    tls_on_connect_ports = 465

You should probably default all authentication to be dependent upon
$tls_cipher being defined; then, if you find a mail _client_ (MUA) which
doesn't support TLS, you can consider allowing the non-disclosure
authentication mechanisms (anything _other_ than PLAIN or LOGIN) over
non-TLS. But requiring TLS is likely to work more reliably and more
smoothly, because it avoids half-baked poor implementations of channel
security layers derived from authentication (you don't want to know the
gory details).

-Phil
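As an added example, not part of Phil's message or of the Exim documentation, here is one way the pieces above fit together in an Exim configuration: the port settings, a `dbmnz` lookup feeding `server_secret` of a `cram_md5` authenticator, and authentication gated on a TLS cipher being present. It assumes Exim 4.8x (where `$tls_in_cipher` is the current name for `$tls_cipher`) and a hypothetical DBM file `/etc/exim4/smtp-passwd.db` built with `exim_dbmbuild -nozero` from "username: cleartext-password" lines; a Courier `userdbshadow.dat` with a different record layout would need the lookup adapted.

```exim
# Added example, not from the original message. Assumed store:
#   exim_dbmbuild -nozero /etc/exim4/smtp-passwd.txt /etc/exim4/smtp-passwd.db
# where smtp-passwd.txt holds "username: cleartext-password" lines
# (hypothetical path; adapt the lookup to whatever layout your store uses).

# Main section: MTA port plus both submission ports.
# 465 is TLS-on-connect; 587 relies on STARTTLS.
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

# (tls_certificate / tls_privatekey and the rest of the main section go here)

begin authenticators

# Challenge/response: the password itself never crosses the wire, so this
# is the kind of mechanism you could later allow without TLS for a client
# that cannot do TLS. Per the advice above it is still advertised only
# once a cipher is in place.
cram_courier:
  driver = cram_md5
  public_name = CRAM-MD5
  # $auth1 is the username sent by the client; the lookup must yield the
  # cleartext password. Forced failure (unknown user) = authentication fails.
  server_secret = ${lookup{$auth1}dbmnz{/etc/exim4/smtp-passwd.db}{$value}fail}
  server_set_id = $auth1
  server_advertise_condition = ${if def:tls_in_cipher}

# PLAIN sends the password in the clear inside the SMTP session, so it is
# both advertised and accepted only under TLS. For PLAIN, $auth2 is the
# username and $auth3 the password supplied by the client.
plain_courier:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if and{ {def:tls_in_cipher} \
      {eq{$auth3}{${lookup{$auth2}dbmnz{/etc/exim4/smtp-passwd.db}{$value}fail}}} }}
  server_set_id = $auth2
  server_advertise_condition = ${if def:tls_in_cipher}
```

After editing, `exim -bV` checks that the configuration parses, and a simulated session with `exim -bh 127.0.0.1` lets you confirm that no `AUTH` line appears in the EHLO response until after STARTTLS has been negotiated, which is the property the `server_advertise_condition` settings are there to enforce.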