Server IP : 85.214.239.14 / Your IP : 18.118.137.13 Web Server : Apache/2.4.62 (Debian) System : Linux h2886529.stratoserver.net 4.9.0 #1 SMP Tue Jan 9 19:45:01 MSK 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.18 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, MySQL : OFF | cURL : OFF | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : OFF Directory : /proc/2/root/proc/3/root/etc/exim4/conf.d/auth/ |
Upload File : |
### auth/30_exim4-config_examples ################################# # The examples below are for server side authentication, when the # local exim is SMTP server and clients authenticate to the local exim. # They allow two styles of plain-text authentication against an # CONFDIR/passwd file whose syntax is described in exim4_passwd(5). # Hosts that are allowed to use AUTH are defined by the # auth_advertise_hosts option in the main configuration. The default is # "*", which allows authentication to all hosts over all kinds of # connections if there is at least one authenticator defined here. # Authenticators which rely on unencrypted clear text passwords don't # advertise on unencrypted connections by default. Thus, it might be # wise to set up TLS to allow encrypted connections. If TLS cannot be # used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to # advertise unencrypted clear text password based authenticators on all # connections. As this is severely reducing security, using TLS is # preferred over allowing clear text password based authenticators on # unencrypted connections. # PLAIN authentication has no server prompts. The client sends its # credentials in one lump, containing an authorization ID (which we do not # use), an authentication ID, and a password. The latter two appear as # $auth2 and $auth3 in the configuration and should be checked against a # valid username and password. In a real configuration you would typically # use $auth2 as a lookup key, and compare $auth3 against the result of the # lookup, perhaps using the crypteq{}{} condition. # plain_server: # driver = plaintext # public_name = PLAIN # server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" # server_set_id = $auth2 # server_prompts = : # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # LOGIN authentication has traditional prompts and responses. There is no # authorization ID in this mechanism, so unlike PLAIN the username and # password are $auth1 and $auth2. Apart from that you can use the same # server_condition setting for both authenticators. # login_server: # driver = plaintext # public_name = LOGIN # server_prompts = "Username:: : Password::" # server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # # cram_md5_server: # driver = cram_md5 # public_name = CRAM-MD5 # server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}} # server_set_id = $auth1 # Here is an example of CRAM-MD5 authentication against PostgreSQL: # # psqldb_auth_server: # driver = cram_md5 # public_name = CRAM-MD5 # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail} # server_set_id = $auth1 # Authenticate against local passwords using sasl2-bin # Requires exim_uid to be a member of sasl group, see README.Debian.gz # plain_saslauthd_server: # driver = plaintext # public_name = PLAIN # server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} # server_set_id = $auth2 # server_prompts = : # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # # login_saslauthd_server: # driver = plaintext # public_name = LOGIN # server_prompts = "Username:: : Password::" # # don't send system passwords over unencrypted connections # server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}} # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # # ntlm_sasl_server: # driver = cyrus_sasl # public_name = NTLM # server_realm = <short main hostname> # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # # digest_md5_sasl_server: # driver = cyrus_sasl # public_name = DIGEST-MD5 # server_realm = <short main hostname> # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # Authentcate against cyrus-sasl # This is mainly untested, please report any problems to # pkg-exim4-users@lists.alioth.debian.org. # cram_md5_sasl_server: # driver = cyrus_sasl # public_name = CRAM-MD5 # server_realm = <short main hostname> # server_set_id = $auth1 # # plain_sasl_server: # driver = cyrus_sasl # public_name = PLAIN # server_realm = <short main hostname> # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # # login_sasl_server: # driver = cyrus_sasl # public_name = LOGIN # server_realm = <short main hostname> # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # Authenticate against courier authdaemon # This is now the (working!) example from # http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730 # Possible pitfall: access rights on /run/courier/authdaemon/socket. # plain_courier_authdaemon: # driver = plaintext # public_name = PLAIN # server_condition = \ # ${extract {ADDRESS} \ # {${readsocket{/run/courier/authdaemon/socket} \ # {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \ # {yes} \ # fail} # server_set_id = $auth2 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # login_courier_authdaemon: # driver = plaintext # public_name = LOGIN # server_prompts = Username:: : Password:: # server_condition = \ # ${extract {ADDRESS} \ # {${readsocket{/run/courier/authdaemon/socket} \ # {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \ # {yes} \ # fail} # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # This one is a bad hack to support the broken version 4.xx of # Microsoft Outlook Express which violates the RFCs by demanding # "250-AUTH=" instead of "250-AUTH ". # If your list of offered authenticators is other than PLAIN and LOGIN, # you need to adapt the public_name line manually. # It has to be the last authenticator to work and has not been tested # well. Use at your own risk. # See the thread entry point from # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html # for the related discussion on the exim-users mailing list. # Thanks to Fred Viles for this great work. # support_broken_outlook_express_4_server: # driver = plaintext # public_name = "\r\n250-AUTH=PLAIN LOGIN" # server_prompts = User Name : Password # server_condition = no # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # Use dovecot as authentication backend # Requires changes to dovecot configuration: # 8X--------------------- # --- /etc/dovecot/conf.d/10-master.conf 2020-12-22 13:26:52.000000000 +0000 # +++ /etc/dovecot/conf.d/10-master.conf 2022-07-13 11:17:02.479100984 +0000 # @@ -108,6 +108,14 @@ # # mode = 0666 # #} # # +### SASL listener for exim start # + # SASL exim # + unix_listener /var/spool/exim4/dovecot.auth-client { # + mode = 0660 # + group = Debian-exim # + } # +### SASL listener for exim end # + # # Auth process is run as this user. # #user = $default_internal_user # } # 8X--------------------- # # dovecot_plain_server: # driver = dovecot # public_name = PLAIN # server_socket = /var/spool/exim4/dovecot.auth-client # server_set_id = $auth1 ############## # See /usr/share/doc/exim4-base/README.Debian.gz ############## # These examples below are the equivalent for client side authentication. # They get the passwords from CONFDIR/passwd.client, whose format is # defined in exim4_passwd_client(5) # Because AUTH PLAIN and AUTH LOGIN send the password in clear, we # only allow these mechanisms over encrypted connections by default. # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted # clear text password authentication on all connections. cram_md5: driver = cram_md5 public_name = CRAM-MD5 client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} # this returns the matching line from passwd.client and doubles all ^ PASSWDLINE=${sg{\ ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\ }\ {\\N[\\^]\\N}\ {^^}\ } plain: driver = plaintext public_name = PLAIN .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS client_send = "<; ${if !eq{$tls_out_cipher}{}\ {^${extract{1}{:}{PASSWDLINE}}\ ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\ }fail}" .else client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\ ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" .endif login: driver = plaintext public_name = LOGIN .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS # Return empty string if not non-TLS AND looking up $host in passwd-file # yields a non-empty string; fail otherwise. client_send = "<; ${if and{\ {!eq{$tls_out_cipher}{}}\ {!eq{PASSWDLINE}{}}\ }\ {}fail}\ ; ${extract{1}{::}{PASSWDLINE}}\ ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" .else # Return empty string if looking up $host in passwd-file yields a # non-empty string; fail otherwise. client_send = "<; ${if !eq{PASSWDLINE}{}\ {}fail}\ ; ${extract{1}{::}{PASSWDLINE}}\ ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" .endif