[exim] Re: Server side PLAIN and LOGIN Auth against PAM

Góra strony
Delete this message
Reply to this message
Autor: Lena--- via Exim-users
Data:  
Dla: exim-users
Temat: [exim] Re: Server side PLAIN and LOGIN Auth against PAM
> | - If you want to use /etc/shadow for Exim's SMTP AUTH you will need to
> | run exim as group shadow. [...] We suggest using saslauthd instead.


I use PAM and pam_pop3:

plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}
client_send = ^${extract{user}{$address_data}{$value}fail}^${extract{pass}{$address_data}{$value}fail}
server_set_id = $2
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}${acl{hash}{$auth1,$auth2}}
server_set_id = $1

/etc/pam.d/exim:

auth required /usr/local/lib/pam_pop3.so hostname=localhost info pwprompt=Password: timeout=5
account required pam_permit.so

As the POP3 server I use `popa3d` invoked from inetd, rate limited. In order to
exclude Exim auth checks from rate limiting, I use a firewall redirecting
queries from localhost to another port:

add 10 reset tcp from not me to me 109
add 20 fwd lena.kiev.ua,109 tcp from me to me 110
add 2000 allow ip from any to any

In /etc/inetd.conf :

pop3    stream  tcp  nowait/0/5 root    /usr/local/libexec/popa3d       popa3d
pop3s   stream  tcp  nowait/0/7 root    /usr/local/bin/stunnel stunnel /usr/local/etc/stunnel/popa3d.conf
# 109:
pop2    stream  tcp     nowait  root    /usr/local/libexec/popa3d       popa3d


/usr/local/etc/stunnel/popa3d.conf :

debug = 4
compression = zlib
pid =
cert = /usr/local/etc/stunnel/stunnel.pem
exec = /usr/local/libexec/popa3d
execargs = popa3d
options = NO_SSLv2
options = NO_SSLv3

In Exim+openssl I do allow (in openssl3 make config) SSL3, TLS1_1, TLS1_2,
DES, IDEA, RC2, RC3, RC5, WEAK-SSL-CIPHERS
because an alternative would be worse (fallback to plaintext).
Without tls_require_ciphers in Exim config, only:

tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem
tls_dhparam = /usr/local/etc/exim/dhparam.pem
tls_advertise_hosts = ${if match{$sender_host_name}{\N\.mailgun\.us$\N}{}{*}}


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/