[exim] Re: Server side PLAIN and LOGIN Auth against PAM

Author: * Neustradamus *
Date:  
To: exim-users@lists.exim.org, Mihamina RKTMB
Subject: [exim] Re: Server side PLAIN and LOGIN Auth against PAM
Hello Mihamina and others,

Please note that LOGIN and PLAIN are not the better choice for security.
It is really better to use SCRAM-SHA-*(-PLUS) which are supported by Exim.

Regards,

Neustradamus
________________________________________
From: Mihamina RKTMB via Exim-users <exim-users@???>
Sent: Friday, October 20, 2023 14:08
To: exim-users@???
Subject: [exim] Server side PLAIN and LOGIN Auth against PAM

Hi all,

Running Archlinux, I installed exim 4.96.2.

I want to implement server side PLAIN and LOGIN auth against PAM.

In order to isolate issues, I make it without SSL for this first step,
I will add SSL after successfully setting it up in clear text.

This is what I modified from the default configuration:

     primary_hostname = <the hostname>
     domainlist local_domains = @:<domain1>:<domain2>
     hostlist relay_from_hosts = localhost


I changed the default daemon_smtp_ports to (because I don't use SSL, I
don't use 465):

     daemon_smtp_ports = 25 : 587


The ACL section is the default one, strictly the same as
https://github.com/Exim/exim/blob/b94ea1bd61485a97c2d0dc2cab4c4d86ffe82e89/src/src/configure.default#L390

The Authenticators section has been modified and this is the full content:

     begin authenticators
     PLAIN:
       driver                     = plaintext
       server_set_id              = $auth2
       server_prompts             = :
       server_condition           = ${if pam{$auth2:$auth3}{1}{0}}"
       server_advertise_condition = *


     # LOGIN authentication has traditional prompts and responses. There is no
     # authorization ID in this mechanism, so unlike PLAIN the username and
     # password are $auth1 and $auth2. Apart from that you can use the same
     # server_condition setting for both authenticators.


     LOGIN:
       driver                     = plaintext
       server_set_id              = $auth1
       server_prompts             = "Username:: : Password::"
       server_condition           = "${if pam{$auth1:$auth2}{1}{0}}"
       server_advertise_condition = *


I also created a file named /etc/pam.d/exim (pam.d/ is traversable by
all, exim is readable by all) with the content

     auth        required      /lib/security/$ISA/pam_env.so
     auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
     auth        required      /lib/security/$ISA/pam_deny.so
     account     required      /lib/security/$ISA/pam_unix.so
     password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
     password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5shadow
     password    required      /lib/security/$ISA/pam_deny.so
     session     required      /lib/security/$ISA/pam_limits.so
     session     required      /lib/security/$ISA/pam_unix.so



The problem:
When I try to send a message by submitting it to port 587 using the
right credentials (Using Thunderbird), I get this in the logs:

     PLAIN authenticator failed for ... 435 Unable to authenticate at present (set_id=mihamina): 0"
     LOGIN authenticator failed for ... 535 Incorrect authentication data (set_id=mihamina)


I think there is a problem with my "server_condition" in each
authenticator, but I cannot figure out what is the problem.
Would you help, please?

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
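
Added example (not part of either message, and not Exim's own code): a Python model of how the data a client sends for PLAIN and LOGIN maps to $auth1..$auth3 in the authenticators above, and of how the expanded server_condition string becomes a 235, 535 or 435 reply under the rule the Exim specification gives for that option. The sample credentials are constructed and the function names are hypothetical.

```python
import base64


def plain_auth_vars(response_b64):
    """Split an AUTH PLAIN response into the fields exposed as $auth1..$auth3."""
    raw = base64.b64decode(response_b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN needs authzid NUL authcid NUL password")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    # $auth1 is the (often empty) authorization ID, hence $auth2:$auth3 in the config.
    return {"auth1": authzid, "auth2": authcid, "auth3": password}


def login_auth_vars(username_b64, password_b64):
    """LOGIN answers two prompts separately: $auth1 = user, $auth2 = password."""
    def decode(value):
        return base64.b64decode(value, validate=True).decode("utf-8")
    return {"auth1": decode(username_b64), "auth2": decode(password_b64)}


def classify_server_condition(expanded):
    """Map the expanded server_condition string to the SMTP reply code."""
    if expanded in ("1", "yes", "true"):
        return 235, "Authentication succeeded"
    if expanded in ("", "0", "no", "false"):
        return 535, "Incorrect authentication data"
    # Any other string is a temporary error and is logged as the error text,
    # e.g. the 0" that follows the 435 in the log lines quoted above.
    return 435, "Unable to authenticate at present: " + expanded


# Constructed sample data: base64 is an encoding, so without TLS these
# values travel in recoverable form.
SAMPLE_PLAIN = base64.b64encode(b"\0alice\0example-pass").decode("ascii")
SAMPLE_LOGIN_USER = base64.b64encode(b"alice").decode("ascii")
SAMPLE_LOGIN_PASS = base64.b64encode(b"example-pass").decode("ascii")

if __name__ == "__main__":
    print(plain_auth_vars(SAMPLE_PLAIN))
    print(login_auth_vars(SAMPLE_LOGIN_USER, SAMPLE_LOGIN_PASS))
    for result in ("1", "0", '0"'):
        print(repr(result), "->", classify_server_condition(result))
```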