[exim] Server side PLAIN and LOGIN Auth against PAM

Top Page
Delete this message
Reply to this message
Author: Mihamina RKTMB
Date:  
To: exim-users
Subject: [exim] Server side PLAIN and LOGIN Auth against PAM
Hi all,

Running Archlinux, I installed exim 4.96.2.

I want to implement server side PLAIN and LOGIN auth against PAM.

In order to isolate issues, I make it without SSL for this 1rst step,
I will add SSL after sucessfully setting it up in clear text.

This is what I modified from the default configuration:

    primary_hostname = <the hostname>
    domainlist local_domains = @:<domain1>:<domain2>
    hostlist relay_from_hosts = localhost

I changed the default daemon_smtp_ports to (because I dont use SSL, I
dont use 465):

    daemon_smtp_ports = 25 : 587

The ACL section is the default one, strictly the same as
https://github.com/Exim/exim/blob/b94ea1bd61485a97c2d0dc2cab4c4d86ffe82e89/src/src/configure.default#L390

The Authenticators section has been modified and this is the full content:

    begin authenticators
    PLAIN:
      driver                     = plaintext
      server_set_id              = $auth2
      server_prompts             = :
      server_condition           = ${if pam{$auth2:$auth3}{1}{0}}"
      server_advertise_condition = *

    # LOGIN authentication has traditional prompts and responses. There
is no
    # authorization ID in this mechanism, so unlike PLAIN the username and
    # password are $auth1 and $auth2. Apart from that you can use the same
    # server_condition setting for both authenticators.

LOGIN:
      driver                     = plaintext
      server_set_id              = $auth1
      server_prompts             = "Username:: : Password::"
      server_condition           = "${if pam{$auth1:$auth2}{1}{0}}"
      server_advertise_condition = *

I also created a file named /etc/pam.d/exim (pam.d/ is traversable by
all, exim is readable by all) with the content

    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
nullok
    auth        required      /lib/security/$ISA/pam_deny.so
    account     required      /lib/security/$ISA/pam_unix.so
    password    required      /lib/security/$ISA/pam_cracklib.so
retry=3 type=
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5shadow
    password    required      /lib/security/$ISA/pam_deny.so
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so


The problem:
When I try to send a message by submitting it to port 587 using the
right credentials (Using Thunderbird), I get this in the logs:

    PLAIN authenticator failed for ... 435 Unable to authenticate at
present (set_id=mihamina): 0"
    LOGIN authenticator failed for ... 535 Incorrect authentication
data (set_id=mihamina)

I think there is a problem with my "server_condition" in each
authenticator, bu tI cannot figure out what is the problem
Would you help, please?

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/