Diffstat (limited to 'debian/debconf/conf.d/auth/30_exim4-config_examples')
-rw-r--r--debian/debconf/conf.d/auth/30_exim4-config_examples282
1 files changed, 282 insertions, 0 deletions
diff --git a/debian/debconf/conf.d/auth/30_exim4-config_examples b/debian/debconf/conf.d/auth/30_exim4-config_examples
new file mode 100644
index 0000000..21b32f8
--- /dev/null
+++ b/debian/debconf/conf.d/auth/30_exim4-config_examples
@@ -0,0 +1,282 @@
+
+### auth/30_exim4-config_examples
+#################################
+
+# The examples below are for server side authentication, when the
+# local exim is SMTP server and clients authenticate to the local exim.
+
+# They allow two styles of plain-text authentication against an
+# CONFDIR/passwd file whose syntax is described in exim4_passwd(5).
+
+# Hosts that are allowed to use AUTH are defined by the
+# auth_advertise_hosts option in the main configuration. The default is
+# "*", which allows authentication to all hosts over all kinds of
+# connections if there is at least one authenticator defined here.
+# Authenticators which rely on unencrypted clear text passwords don't
+# advertise on unencrypted connections by default. Thus, it might be
+# wise to set up TLS to allow encrypted connections. If TLS cannot be
+# used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
+# advertise unencrypted clear text password based authenticators on all
+# connections. As this is severely reducing security, using TLS is
+# preferred over allowing clear text password based authenticators on
+# unencrypted connections.
+
+# PLAIN authentication has no server prompts. The client sends its
+# credentials in one lump, containing an authorization ID (which we do not
+# use), an authentication ID, and a password. The latter two appear as
+# $auth2 and $auth3 in the configuration and should be checked against a
+# valid username and password. In a real configuration you would typically
+# use $auth2 as a lookup key, and compare $auth3 against the result of the
+# lookup, perhaps using the crypteq{}{} condition.
+
+# plain_server:
+# driver = plaintext
+# public_name = PLAIN
+# server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+# server_set_id = $auth2
+# server_prompts = :
+# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+# .endif
+
+# LOGIN authentication has traditional prompts and responses. There is no
+# authorization ID in this mechanism, so unlike PLAIN the username and
+# password are $auth1 and $auth2. Apart from that you can use the same
+# server_condition setting for both authenticators.
+
+# login_server:
+# driver = plaintext
+# public_name = LOGIN
+# server_prompts = "Username:: : Password::"
+# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+# server_set_id = $auth1
+# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+# .endif
+#
+# cram_md5_server:
+# driver = cram_md5
+# public_name = CRAM-MD5
+# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
+# server_set_id = $auth1
+
+# Here is an example of CRAM-MD5 authentication against PostgreSQL:
+#
+# psqldb_auth_server:
+# driver = cram_md5
+# public_name = CRAM-MD5
+# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
+# server_set_id = $auth1
+
+# Authenticate against local passwords using sasl2-bin
+# Requires exim_uid to be a member of sasl group, see README.Debian.gz
+# plain_saslauthd_server:
+# driver = plaintext
+# public_name = PLAIN
+# server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
+# server_set_id = $auth2
+# server_prompts = :
+# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+# .endif
+#
+# login_saslauthd_server:
+# driver = plaintext
+# public_name = LOGIN
+# server_prompts = "Username:: : Password::"
+# # don't send system passwords over unencrypted connections
+# server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
+# server_set_id = $auth1
+# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+# .endif
+#
+# ntlm_sasl_server:
+# driver = cyrus_sasl
+# public_name = NTLM
+# server_realm = <short main hostname>
+# server_set_id = $auth1
+# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+# .endif
+#
+# digest_md5_sasl_server:
+# driver = cyrus_sasl
+# public_name = DIGEST-MD5
+# server_realm = <short main hostname>
+# server_set_id = $auth1
+# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+# .endif
+
+# Authentcate against cyrus-sasl
+# This is mainly untested, please report any problems to
+# pkg-exim4-users@lists.alioth.debian.org.
+# cram_md5_sasl_server:
+# driver = cyrus_sasl
+# public_name = CRAM-MD5
+# server_realm = <short main hostname>
+# server_set_id = $auth1
+#
+# plain_sasl_server:
+# driver = cyrus_sasl
+# public_name = PLAIN
+# server_realm = <short main hostname>
+# server_set_id = $auth1
+# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+# .endif
+#
+# login_sasl_server:
+# driver = cyrus_sasl
+# public_name = LOGIN
+# server_realm = <short main hostname>
+# server_set_id = $auth1
+# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+# .endif
+
+# Authenticate against courier authdaemon
+
+# This is now the (working!) example from
+# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
+# Possible pitfall: access rights on /run/courier/authdaemon/socket.
+# plain_courier_authdaemon:
+# driver = plaintext
+# public_name = PLAIN
+# server_condition = \
+# ${extract {ADDRESS} \
+# {${readsocket{/run/courier/authdaemon/socket} \
+# {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
+# {yes} \
+# fail}
+# server_set_id = $auth2
+# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+# .endif
+
+# login_courier_authdaemon:
+# driver = plaintext
+# public_name = LOGIN
+# server_prompts = Username:: : Password::
+# server_condition = \
+# ${extract {ADDRESS} \
+# {${readsocket{/run/courier/authdaemon/socket} \
+# {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
+# {yes} \
+# fail}
+# server_set_id = $auth1
+# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+# .endif
+
+# This one is a bad hack to support the broken version 4.xx of
+# Microsoft Outlook Express which violates the RFCs by demanding
+# "250-AUTH=" instead of "250-AUTH ".
+# If your list of offered authenticators is other than PLAIN and LOGIN,
+# you need to adapt the public_name line manually.
+# It has to be the last authenticator to work and has not been tested
+# well. Use at your own risk.
+# See the thread entry point from
+# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
+# for the related discussion on the exim-users mailing list.
+# Thanks to Fred Viles for this great work.
+
+# support_broken_outlook_express_4_server:
+# driver = plaintext
+# public_name = "\r\n250-AUTH=PLAIN LOGIN"
+# server_prompts = User Name : Password
+# server_condition = no
+# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+# .endif
+
+# Use dovecot as authentication backend
+# Requires changes to dovecot configuration:
+# 8X---------------------
+# --- /etc/dovecot/conf.d/10-master.conf 2020-12-22 13:26:52.000000000 +0000
+# +++ /etc/dovecot/conf.d/10-master.conf 2022-07-13 11:17:02.479100984 +0000
+# @@ -108,6 +108,14 @@
+# # mode = 0666
+# #}
+#
+# +### SASL listener for exim start
+# + # SASL exim
+# + unix_listener /var/spool/exim4/dovecot.auth-client {
+# + mode = 0660
+# + group = Debian-exim
+# + }
+# +### SASL listener for exim end
+# +
+# # Auth process is run as this user.
+# #user = $default_internal_user
+# }
+# 8X---------------------
+#
+# dovecot_plain_server:
+# driver = dovecot
+# public_name = PLAIN
+# server_socket = /var/spool/exim4/dovecot.auth-client
+# server_set_id = $auth1
+
+##############
+# See /usr/share/doc/exim4-base/README.Debian.gz
+##############
+
+# These examples below are the equivalent for client side authentication.
+# They get the passwords from CONFDIR/passwd.client, whose format is
+# defined in exim4_passwd_client(5)
+
+# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
+# only allow these mechanisms over encrypted connections by default.
+# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
+# clear text password authentication on all connections.
+
+cram_md5:
+ driver = cram_md5
+ public_name = CRAM-MD5
+ client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
+ client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
+
+# this returns the matching line from passwd.client and doubles all ^
+PASSWDLINE=${sg{\
+ ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
+ }\
+ {\\N[\\^]\\N}\
+ {^^}\
+ }
+
+plain:
+ driver = plaintext
+ public_name = PLAIN
+.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
+ client_send = "<; ${if !eq{$tls_out_cipher}{}\
+ {^${extract{1}{:}{PASSWDLINE}}\
+ ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
+ }fail}"
+.else
+ client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
+ ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
+.endif
+
+login:
+ driver = plaintext
+ public_name = LOGIN
+.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
+ # Return empty string if not non-TLS AND looking up $host in passwd-file
+ # yields a non-empty string; fail otherwise.
+ client_send = "<; ${if and{\
+ {!eq{$tls_out_cipher}{}}\
+ {!eq{PASSWDLINE}{}}\
+ }\
+ {}fail}\
+ ; ${extract{1}{::}{PASSWDLINE}}\
+ ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
+.else
+ # Return empty string if looking up $host in passwd-file yields a
+ # non-empty string; fail otherwise.
+ client_send = "<; ${if !eq{PASSWDLINE}{}\
+ {}fail}\
+ ; ${extract{1}{::}{PASSWDLINE}}\
+ ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
+.endif
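Review bot: The challenge-response examples — `cram_md5_server`, `psqldb_auth_server` and the cyrus_sasl CRAM-MD5/DIGEST-MD5/NTLM authenticators — carry no cleartext-secret caveat, although `server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}` (and the `SELECT pw ...` lookup) can only work if the secret is stored unhashed, and `cram_md5_server` / `cram_md5_sasl_server` have no `AUTH_SERVER_ALLOW_NOTLS_PASSWORDS` guard at all. The header comment explains carefully why PLAIN/LOGIN are restricted to TLS, which leaves a reader to assume these mechanisms are the safe substitute; in practice a captured CRAM-MD5 or DIGEST-MD5 exchange can be brute-forced offline against the password, DIGEST-MD5 is formally deprecated (RFC 6331), and a leaked CONFDIR/passwd then exposes every user's cleartext secret rather than a crypt hash. I would add, immediately before `cram_md5_server:`, the three comment lines `# NOTE: CRAM-MD5 (and the DIGEST-MD5/NTLM examples below) need the cleartext` / `# secret stored in field 2 of CONFDIR/passwd and are not gated on TLS here;` / `# a captured exchange can be brute-forced offline, so TLS is still preferred.` Whether to TLS-gate a challenge-response mechanism is a maintainer call, but the storage caveat belongs next to the example that depends on it.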