Hello Mihamina and others,
Please note that LOGIN and PLAIN are not the better choice for security.
It is really better to use SCRAM-SHA-*(-PLUS) which are supported by Exim.
Regards,
Neustradamus
________________________________________
From: Mihamina RKTMB via Exim-users <exim-users@???>
Sent: Friday, October 20, 2023 14:08
To: exim-users@???
Subject: [exim] Server side PLAIN and LOGIN Auth against PAM
Hi all,
Running Archlinux, I installed exim 4.96.2.
I want to implement server side PLAIN and LOGIN auth against PAM.
In order to isolate issues, I make it without SSL for this first step,
I will add SSL after successfully setting it up in clear text.
This is what I modified from the default configuration:
primary_hostname = <the hostname>
domainlist local_domains = @:<domain1>:<domain2>
hostlist relay_from_hosts = localhost
I changed the default daemon_smtp_ports to (because I don't use SSL, I
don't use 465):
daemon_smtp_ports = 25 : 587
The ACL section is the default one, strictly the same as
https://github.com/Exim/exim/blob/b94ea1bd61485a97c2d0dc2cab4c4d86ffe82e89/src/src/configure.default#L390
The Authenticators section has been modified and this is the full content:
begin authenticators
PLAIN:
driver = plaintext
server_set_id = $auth2
server_prompts = :
server_condition = ${if pam{$auth2:$auth3}{1}{0}}"
server_advertise_condition = *
# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.
LOGIN:
driver = plaintext
server_set_id = $auth1
server_prompts = "Username:: : Password::"
server_condition = "${if pam{$auth1:$auth2}{1}{0}}"
server_advertise_condition = *
I also created a file named /etc/pam.d/exim (pam.d/ is traversable by
all, exim is readable by all) with the content
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
The problem:
When I try to send a message by submitting it to port 587 using the
right credentials (Using Thunderbird), I get this in the logs:
PLAIN authenticator failed for ... 435 Unable to authenticate at present (set_id=mihamina): 0"
LOGIN authenticator failed for ... 535 Incorrect authentication data (set_id=mihamina)
I think there is a problem with my "server_condition" in each
authenticator, but I cannot figure out what the problem is.
Would you help, please?
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
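
A small lint pass over the authenticators block quoted above, added here as an example (not code from the original messages or from the Exim project): it flags option values with an unbalanced double quote and plaintext authenticators whose server_advertise_condition does not reference $tls_in_cipher. The function names, the finding strings and the $tls_in_cipher heuristic are assumptions of this example; SAMPLE is the posted block retyped without its comments.

```python
import re

# Constructed sample: the authenticators block as posted above (comments omitted).
SAMPLE = '''\
begin authenticators
PLAIN:
driver = plaintext
server_set_id = $auth2
server_prompts = :
server_condition = ${if pam{$auth2:$auth3}{1}{0}}"
server_advertise_condition = *
LOGIN:
driver = plaintext
server_set_id = $auth1
server_prompts = "Username:: : Password::"
server_condition = "${if pam{$auth1:$auth2}{1}{0}}"
server_advertise_condition = *
'''

def parse_authenticators(text):
    """Return {authenticator name: {option: raw value}} for the authenticators section."""
    auths, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("begin "):
            in_section = line.split()[1].lower() == "authenticators"
            current = None
        elif in_section and re.fullmatch(r"\w+:", line):
            current = auths.setdefault(line[:-1], {})
        elif in_section and current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return auths

def lint(text):
    """Return a sorted list of (authenticator, option, finding) tuples."""
    findings = []
    for name, opts in parse_authenticators(text).items():
        for key, value in opts.items():
            # Exim takes a value that does not start with '"' literally, so a stray quote stays in it.
            if value.replace('\\"', "").count('"') % 2:
                findings.append((name, key, "unbalanced double quote"))
        # Heuristic (assumption of this example): advertise plaintext mechanisms only on TLS sessions.
        advertise = opts.get("server_advertise_condition", "")
        if opts.get("driver") == "plaintext" and "tls_in_cipher" not in advertise:
            findings.append((name, "server_advertise_condition", "plaintext auth advertised without TLS"))
    return sorted(findings)
```

Calling lint(SAMPLE) returns three findings: the quote in the PLAIN server_condition and the unconditional advertisement on both authenticators.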