HowTo Setup Basic SMTP AUTH in Exim4

Posted by Anonymous on Wed 26 Oct 2005 at 13:56


This brief guide explains the steps you can take to get basic SMTP AUTH working with Debian Sarge's exim4 package (for users connecting to your server, not for forwarding via your ISP).

First of all, generate an Exim SSL certificate:

# /usr/share/doc/exim4-base/examples/exim-gencert

Now edit /etc/exim4/exim4.conf.template using your favourite text editor.

Uncomment the following lines (don't copy and paste from here, because my copy from the file cut off the ends of the lines):

# plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

Once that has been done, create (or edit, if it exists) /etc/exim4/exim4.conf.localmacros

Add the line:

MAIN_TLS_ENABLE = true

To set up the users and passwords, create /etc/exim4/passwd

Copy output from:

htpasswd -nd usernameforsmtp

And paste it in /etc/exim4/passwd

Repeat for any other logins you'd like to add.

Now you're done. Update your configuration and restart Exim4:

# update-exim4.conf
# /etc/init.d/exim4 restart
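
With the plain_server block above, server_advertise_condition keeps AUTH out of the EHLO response until a TLS cipher has been negotiated, so a quick check of the finished setup is to compare the EHLO response before and after STARTTLS. The script below is an added example, not part of the original article; its function names are hypothetical and the EHLO responses are constructed samples.

```shell
#!/bin/sh
# Added example. Function names and EHLO samples are constructed, not from the article.

# Print the AUTH mechanisms in an EHLO response (stdin), one per line.
# Accepts "250-AUTH PLAIN LOGIN", the final-line "250 AUTH ..." and legacy "AUTH=".
ehlo_auth_mechs() {
    tr -d '\r' | awk '{
        line = toupper($0)
        if (line ~ /^250[- ]AUTH[ =]/) {
            sub(/^250[- ]AUTH[ =]/, "", line)
            n = split(line, m, " ")
            for (i = 1; i <= n; i++) print m[i]
        }
    }'
}

# Succeed if the EHLO response on stdin offers STARTTLS.
ehlo_has_starttls() {
    tr -d '\r' | grep -Eiq '^250[- ]STARTTLS$'
}

# check_auth_policy PRE_TLS_EHLO POST_TLS_EHLO
# 0 = ok, 1 = PLAIN/LOGIN offered without TLS, 2 = STARTTLS not offered,
# 3 = no AUTH offered even after TLS.
check_auth_policy() {
    pre=$1; post=$2
    if printf '%s\n' "$pre" | ehlo_auth_mechs | grep -Eq '^(PLAIN|LOGIN)$'; then
        return 1
    fi
    printf '%s\n' "$pre" | ehlo_has_starttls || return 2
    [ -n "$(printf '%s\n' "$post" | ehlo_auth_mechs)" ] || return 3
    return 0
}

# Constructed EHLO responses (example.org names, documentation IP range).
PRE_OK='250-mail.example.org Hello client.example.org [192.0.2.10]
250-STARTTLS
250 HELP'
POST_OK='250-mail.example.org Hello client.example.org [192.0.2.10]
250-AUTH PLAIN
250 HELP'
PRE_BAD='250-mail.example.org Hello client.example.org [192.0.2.10]
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP'

check_auth_policy "$PRE_OK" "$POST_OK" && echo "ok: AUTH offered only after STARTTLS"
check_auth_policy "$PRE_BAD" "$POST_OK" || echo "finding: check_auth_policy returned $?"
```

Feed it the EHLO responses your own server returns before and after STARTTLS, captured for example with swaks or openssl s_client -starttls smtp.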

 

 


Posted by Serge (213.118.xx.xx) on Wed 26 Oct 2005 at 19:25
If only someone could post such an easy explanation for Postfix :)

-- On a sidenote, I'm wondering if there exists some way to restrict an authenticated user, who's sending mail through SMTP, to a particular From: address field. E.g. to avoid spoofing, just as Gmail is doing.

--

Serge van Ginderachter



Posted by Anonymous (62.252.xx.xx) on Thu 12 Jan 2006 at 19:09
Umm, Google are not doing that.


Posted by Serge (84.194.xx.xx) on Thu 12 Jan 2006 at 21:49
In my experience, Google rewrites the from header (or is it the reply to header?) from what you defined, to your Gmail address.
Except if you use another authorized email address.

So indeed, Google Mail does not deny your mail with an unknown address, but it does rewrite it.


--

Serge van Ginderachter



Posted by crazeduser (58.81.xx.xx) on Thu 13 Jul 2006 at 18:56
Actually you can register "additional accounts" with Gmail and after verifying that the account is yours (by clicking on a link in a verify email they send to the account), Gmail lets you send email with the From header set to that account, instead of your Gmail account.

HOWEVER in reality this is kinda useless, as Gmail still insists on adding a "Sender" header to your email with your Gmail account name. So you wind up with the From field set to your desired [external] account, and the Sender field being set to your Gmail account. What's the big deal, you ask? When Sender is present and it disagrees with From, it causes unpleasant output in some mail readers. For instance, Outlook displays a message with "From: Richard Foo [foo@bar.com]" and "Sender: www-data [www-data@bar.org]" like this:

From: www-data [mailto:www-data@bar.org] On Behalf Of Richard Foo

That is just ugly. Go Microsoft.

-Jim


Posted by Anonymous (71.33.xx.xx) on Tue 3 Oct 2006 at 20:31
After I set the password I get this:

usernameforsmtp:OwKKzye293Vo

What is this? Also, is this all that is necessary to be able to send and receive email, or do I need to set up a POP3 client for my server as well?

The documentation for Exim4 is pretty intimidating - does anyone know of a tutorial to get everything set up and working on a Debian system?


Posted by Piem (81.178.xx.xx) on Fri 28 Oct 2005 at 08:13
hi.
i just tried, but it doesn't seem to be enough for me. i get:
"503 AUTH command used when not advertised"
see this thread
cheers, piem


Posted by Piem (81.178.xx.xx) on Fri 28 Oct 2005 at 13:25
got it: you are using the monolithic file, i use the split version.

the files to edit/create in the split config are:
/etc/exim4/conf.d/auth/30_exim4-config_examples
/etc/exim4/conf.d/main/000_localmacros

cheers!


Posted by Anonymous (83.32.xx.xx) on Fri 4 Nov 2005 at 15:38
ok, i have done this, but i can telnet to port 25 and send email. have i forgotten something? sure, i suppose.


Posted by Anonymous (206.146.xx.xx) on Mon 21 Nov 2005 at 18:40
Same thing happens when I go through these steps as well. However, I did notice that in the auth/30_exim4-config_examples file (I use split-file config), it states:

"... Please note that apache's htpasswd program generates a file in the correct format, but uses a different crypt scheme. So, htpassword will NOT work for exim4."

I assumed that if that was the case I wouldn't be allowed to send the mail because of a password error. I did the standard `update-exim4.conf` and then restarted exim with `/etc/init.d/exim4 restart` to no avail. I'd be very interested in hearing what others have done to enable some kind of SMTP authentication as I want to be able to send mail from whichever network I have my laptop connected to at the time without having to jump through hoops to do so.


Posted by Anonymous (206.146.xx.xx) on Mon 21 Nov 2005 at 19:32
I think I may have found the problem that I had. I went back and did everything again, but this time I also commented out the "dc_relay_nets" line in /etc/exim4/update-exim4.conf.conf (I use split-file config, so I don't know about the monolithic setup). I believe what was happening is that the host I was testing with telnet from was being allowed to relay without auth because it fell in the network of the "relay_from_hosts" setting. Once I removed that, re-generated the config and restarted, the auth started to work just fine.

Thanks to the author for getting things underway for me, and of course to the debian-administration.org website for hosting the great content (as always!)


Posted by Anonymous (64.61.xx.xx) on Tue 22 Nov 2005 at 01:15
If you are trying to send to a local domain when using telnet, it will work without the authentication. If you are unsure if you have a relay open, from the shell of the server, use:

telnet relay-test.mail-abuse.org

it will report to you whether or not the relay is open.


Posted by Anonymous (68.112.xx.xx) on Sat 4 Mar 2006 at 14:18
to get this to work with outlook express i had to use login instead of plain


Posted by Anonymous (71.214.xx.xx) on Sat 24 Jun 2006 at 18:59
If you are using split file configuration:

* the plain_server entry can be found in /etc/exim4/conf.d/auth/30_exim4-config_examples

* add the "MAIN_TLS_ENABLE = true" line to the file /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs


Posted by rdorsch (217.190.xx.xx) on Wed 20 Dec 2006 at 19:43
I followed the instructions and I got no TLS connection.

swaks --tls --auth --to rdorsch@web.de --server alzental-castle.de

hang at

<- 250 HELP
-> STARTTLS


The explanation was that the system had not enough entropy. For details, see

http://www.mail-archive.com/debian-bugs-rc%40lists.debian.org/msg21083.html


The solution for me was to install

rng-tools - Daemon to use a Hardware TRNG


Posted by curt (70.228.xx.xx) on Fri 19 Jan 2007 at 03:37
I will make it even easier ..
You do still have to (I think) enable the tls and generate your certificates.
(why do maintainers add notes in very long README.Debian files and put the important stuff in the middle?)
But the SMTP AUTH part is already setup in the default debian install .. you just need to run
/usr/share/doc/exim4/examples/exim-adduser
This little proggy adds the correct username:hash:plainpass formatted entry in /etc/exim4/passwd automagically. The author of exim-adduser has a note at the bottom of the perl script under BUGS "Probably many, this really is just example code." but it does work.

EXIM4_FILES(5) states that you should use "mkpasswd -H md5" but in my test that must be broken or one of the exim4 conf files needs updated to accept that hash.

The only two directives in my /etc/exim4/conf.d/main/00_myconf are

MAIN_TLS_ENABLE = true
LOCAL_DELIVERY = maildir_home #exim4 starts using maildirs and creates them if they are missing.
-Curt


Posted by Grimnar (62.200.xx.xx) on Sun 21 Jan 2007 at 13:29
Anyone got this working with vexim?


Posted by lee (193.82.xx.xx) on Mon 26 Feb 2007 at 17:33
/usr/share/doc/exim4/examples/exim-adduser

Just a warning about this. The program (at least in exim4-base_4.50-8sarge2) creates the file with normal file permissions, which may be as root:root with octal permissions 644.

This leaves smtp-auth passwords exposed to local users. You need to fix the permissions by running:

sudo chown root:Debian-exim /etc/exim4/passwd
sudo chmod 640 /etc/exim4/passwd


Posted by Anonymous (69.108.xx.xx) on Thu 3 Apr 2008 at 21:07
I had to let you know that this article was amazing, simple, clear and absolutely helped me get up and running quickly. You have been such a help and a blessing to me!!

THANK YOU!!!


Posted by Anonymous (81.34.xx.xx) on Sat 12 Apr 2008 at 19:18
Hi friends! I have been unable to send mail from my linux (Ubuntu Gutsy Gibbon), after doing everything you have said. As /var/log/exim4/mainlog says, I always get the same error from smtp.gmail.com:

2008-04-12 20:08:57 1Jkk9p-0003Gv-0h <= root@gmail.com U=root P=local S=336
2008-04-12 20:08:58 1Jkk9p-0003Gv-0h ** my_email@gmail.com R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM: SIZE=1370: host gmail-smtp.l.google.com [66.249.91.109]: 530-5.5.1 Authentication Required. Learn more at\n530 5.5.1 http://mail.google.com/support/bin/answer.py?answer=14257 z37sm6196362ikz.1
2008-04-12 20:08:58 1Jkk9q-0003Gy-CG <= <> R=1Jkk9p-0003Gv-0h U=Debian-exim P=local S=1363
2008-04-12 20:08:58 1Jkk9p-0003Gv-0h Completed
2008-04-12 20:08:59 1Jkk9q-0003Gy-CG ** root@gmail.com R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:<> SIZE=2422: host gmail-smtp.l.google.com [66.249.91.109]: 530-5.5.1 Authentication Required. Learn more at\n530 5.5.1 http://mail.google.com/support/bin/answer.py?answer=14257 b36sm6193202ika.2
2008-04-12 20:08:59 1Jkk9q-0003Gy-CG Frozen (delivery error message)

Which parameters should I enter after executing "dpkg-reconfigure exim4-config"? It says: "authentication requires". May the problem be that the mail comes from root@gmail.com? Thanks.


Posted by Anonymous (195.102.xx.xx) on Tue 17 Jun 2008 at 11:55
I have multiple users setup on a single domain

e.g.
user1@domain.com
user2@domain.com
user3@domain.com

each has a separate gmail account and I have fetchmail pulling from each account.

Is there a way to setup exim to send each user with different gmail authentication so they don't all end up in the sent items for user1?

Thanks, David


Posted by Anonymous (203.177.xx.xx) on Fri 11 Jul 2008 at 05:59
i surrender. this doesn't work. after doing ehlo me, i don't see AUTH in the menu
and i get a syntactically invalid ehlo arguments error upon running my java program


Posted by Anonymous (64.20.xx.xx) on Tue 20 Jan 2009 at 04:46
This is great, but how do you get exim4 to REQUIRE auth? I followed these instructions and still my server is wide open to unauthorized relays.


Posted by Anonymous (24.5.xx.xx) on Fri 1 May 2009 at 22:53
to do the same but with cram-md5 authentication uncomment the following lines in /etc/exim4/exim4/conf.template *instead*:

# cram_md5_server:
# driver = cram_md5
# public_name = CRAM-MD5
# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
# server_set_id = $auth1

(these can be found immediately after the lines for login_server)

to generate hashes for /etc/exim4/passwd, run 'mkpasswd -H md5' (you may need to install the 'whois' package to get mkpasswd).

See: http://man.root.cz/5/exim4-config-files/#etc-exim4-passwd


Posted by Anonymous (67.68.xx.xx) on Wed 17 Feb 2010 at 16:55
I followed these steps and my server was up and running in no time, but I have noticed that even if everything works, and I have no errors in my logs, when the clients connect to send mail it is very slow even with small emails. Is there something else I should check? My server is only for outgoing mail.


Posted by Anonymous (84.192.xx.xx) on Tue 28 Sep 2010 at 20:51
For reasons that I don't feel like explaining now, I would like to have my relay server ask for auth on inbound smtp traffic and drop any auth on (relay) outbound traffic. How do I manage that?

Thanx in advance
