diff options
Diffstat (limited to 'debian/debconf/conf.d/auth/30_exim4-config_examples')
-rw-r--r-- | debian/debconf/conf.d/auth/30_exim4-config_examples | 282 |
1 files changed, 282 insertions, 0 deletions
diff --git a/debian/debconf/conf.d/auth/30_exim4-config_examples b/debian/debconf/conf.d/auth/30_exim4-config_examples new file mode 100644 index 0000000..21b32f8 --- /dev/null +++ b/debian/debconf/conf.d/auth/30_exim4-config_examples @@ -0,0 +1,282 @@ + +### auth/30_exim4-config_examples +################################# + +# The examples below are for server side authentication, when the +# local exim is SMTP server and clients authenticate to the local exim. + +# They allow two styles of plain-text authentication against an +# CONFDIR/passwd file whose syntax is described in exim4_passwd(5). + +# Hosts that are allowed to use AUTH are defined by the +# auth_advertise_hosts option in the main configuration. The default is +# "*", which allows authentication to all hosts over all kinds of +# connections if there is at least one authenticator defined here. +# Authenticators which rely on unencrypted clear text passwords don't +# advertise on unencrypted connections by default. Thus, it might be +# wise to set up TLS to allow encrypted connections. If TLS cannot be +# used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to +# advertise unencrypted clear text password based authenticators on all +# connections. As this is severely reducing security, using TLS is +# preferred over allowing clear text password based authenticators on +# unencrypted connections. + +# PLAIN authentication has no server prompts. The client sends its +# credentials in one lump, containing an authorization ID (which we do not +# use), an authentication ID, and a password. The latter two appear as +# $auth2 and $auth3 in the configuration and should be checked against a +# valid username and password. In a real configuration you would typically +# use $auth2 as a lookup key, and compare $auth3 against the result of the +# lookup, perhaps using the crypteq{}{} condition. + +# plain_server: +# driver = plaintext +# public_name = PLAIN +# server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" +# server_set_id = $auth2 +# server_prompts = : +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# LOGIN authentication has traditional prompts and responses. There is no +# authorization ID in this mechanism, so unlike PLAIN the username and +# password are $auth1 and $auth2. Apart from that you can use the same +# server_condition setting for both authenticators. + +# login_server: +# driver = plaintext +# public_name = LOGIN +# server_prompts = "Username:: : Password::" +# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# cram_md5_server: +# driver = cram_md5 +# public_name = CRAM-MD5 +# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}} +# server_set_id = $auth1 + +# Here is an example of CRAM-MD5 authentication against PostgreSQL: +# +# psqldb_auth_server: +# driver = cram_md5 +# public_name = CRAM-MD5 +# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail} +# server_set_id = $auth1 + +# Authenticate against local passwords using sasl2-bin +# Requires exim_uid to be a member of sasl group, see README.Debian.gz +# plain_saslauthd_server: +# driver = plaintext +# public_name = PLAIN +# server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} +# server_set_id = $auth2 +# server_prompts = : +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# login_saslauthd_server: +# driver = plaintext +# public_name = LOGIN +# server_prompts = "Username:: : Password::" +# # don't send system passwords over unencrypted connections +# server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}} +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# ntlm_sasl_server: +# driver = cyrus_sasl +# public_name = NTLM +# server_realm = <short main hostname> +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# digest_md5_sasl_server: +# driver = cyrus_sasl +# public_name = DIGEST-MD5 +# server_realm = <short main hostname> +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# Authentcate against cyrus-sasl +# This is mainly untested, please report any problems to +# pkg-exim4-users@lists.alioth.debian.org. +# cram_md5_sasl_server: +# driver = cyrus_sasl +# public_name = CRAM-MD5 +# server_realm = <short main hostname> +# server_set_id = $auth1 +# +# plain_sasl_server: +# driver = cyrus_sasl +# public_name = PLAIN +# server_realm = <short main hostname> +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# login_sasl_server: +# driver = cyrus_sasl +# public_name = LOGIN +# server_realm = <short main hostname> +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# Authenticate against courier authdaemon + +# This is now the (working!) example from +# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730 +# Possible pitfall: access rights on /run/courier/authdaemon/socket. +# plain_courier_authdaemon: +# driver = plaintext +# public_name = PLAIN +# server_condition = \ +# ${extract {ADDRESS} \ +# {${readsocket{/run/courier/authdaemon/socket} \ +# {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \ +# {yes} \ +# fail} +# server_set_id = $auth2 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# login_courier_authdaemon: +# driver = plaintext +# public_name = LOGIN +# server_prompts = Username:: : Password:: +# server_condition = \ +# ${extract {ADDRESS} \ +# {${readsocket{/run/courier/authdaemon/socket} \ +# {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \ +# {yes} \ +# fail} +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# This one is a bad hack to support the broken version 4.xx of +# Microsoft Outlook Express which violates the RFCs by demanding +# "250-AUTH=" instead of "250-AUTH ". +# If your list of offered authenticators is other than PLAIN and LOGIN, +# you need to adapt the public_name line manually. +# It has to be the last authenticator to work and has not been tested +# well. Use at your own risk. +# See the thread entry point from +# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html +# for the related discussion on the exim-users mailing list. +# Thanks to Fred Viles for this great work. + +# support_broken_outlook_express_4_server: +# driver = plaintext +# public_name = "\r\n250-AUTH=PLAIN LOGIN" +# server_prompts = User Name : Password +# server_condition = no +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# Use dovecot as authentication backend +# Requires changes to dovecot configuration: +# 8X--------------------- +# --- /etc/dovecot/conf.d/10-master.conf 2020-12-22 13:26:52.000000000 +0000 +# +++ /etc/dovecot/conf.d/10-master.conf 2022-07-13 11:17:02.479100984 +0000 +# @@ -108,6 +108,14 @@ +# # mode = 0666 +# #} +# +# +### SASL listener for exim start +# + # SASL exim +# + unix_listener /var/spool/exim4/dovecot.auth-client { +# + mode = 0660 +# + group = Debian-exim +# + } +# +### SASL listener for exim end +# + +# # Auth process is run as this user. +# #user = $default_internal_user +# } +# 8X--------------------- +# +# dovecot_plain_server: +# driver = dovecot +# public_name = PLAIN +# server_socket = /var/spool/exim4/dovecot.auth-client +# server_set_id = $auth1 + +############## +# See /usr/share/doc/exim4-base/README.Debian.gz +############## + +# These examples below are the equivalent for client side authentication. +# They get the passwords from CONFDIR/passwd.client, whose format is +# defined in exim4_passwd_client(5) + +# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we +# only allow these mechanisms over encrypted connections by default. +# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted +# clear text password authentication on all connections. + +cram_md5: + driver = cram_md5 + public_name = CRAM-MD5 + client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} + client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} + +# this returns the matching line from passwd.client and doubles all ^ +PASSWDLINE=${sg{\ + ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\ + }\ + {\\N[\\^]\\N}\ + {^^}\ + } + +plain: + driver = plaintext + public_name = PLAIN +.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS + client_send = "<; ${if !eq{$tls_out_cipher}{}\ + {^${extract{1}{:}{PASSWDLINE}}\ + ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\ + }fail}" +.else + client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\ + ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" +.endif + +login: + driver = plaintext + public_name = LOGIN +.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS + # Return empty string if not non-TLS AND looking up $host in passwd-file + # yields a non-empty string; fail otherwise. + client_send = "<; ${if and{\ + {!eq{$tls_out_cipher}{}}\ + {!eq{PASSWDLINE}{}}\ + }\ + {}fail}\ + ; ${extract{1}{::}{PASSWDLINE}}\ + ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" +.else + # Return empty string if looking up $host in passwd-file yields a + # non-empty string; fail otherwise. + client_send = "<; ${if !eq{PASSWDLINE}{}\ + {}fail}\ + ; ${extract{1}{::}{PASSWDLINE}}\ + ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" +.endif |