Exim4 SMTP Auth for the Real World
Posted by tubaman on Wed 11 Mar 2009 at 14:42
I tried several times to get SMTP authentication working for use in a modern environment with much wailing and gnashing of teeth. For starters, I don't want to have to authenticate every client on my LAN. Clients coming from my home subnet should be trusted by IP and should not have to authenticate. Secondly, I want to be able to relay mail from any client if that client authenticates via TLS from anywhere on the internet. Hopefully this will save other people some time and sanity.
(Some of this tutorial is stolen from this previous article and this was originally set up on Lenny.)
I have my Exim config split into small files (dc_use_split_config in /etc/exim4/update-exim4.conf.conf), so this might be a little different if you've set yours up in one monolithic file. Also, make sure that Exim is already relaying properly from your local subnet. Ok, here we go. Generate an SSL certificate for Exim:
# /usr/share/doc/exim4-base/examples/exim-gencert
Next, edit /etc/exim4/conf.d/auth/30_exim4-config_examples and uncomment:
# plain_server:
# driver = plaintext
# public_name = PLAIN
# server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$
# server_set_id = $2
# server_prompts = :
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
# .endif
That will enable the server to authenticate clients. Don't be frightened by the word 'plaintext' there: the server_advertise_condition above only offers PLAIN once $tls_cipher is non-empty, so AUTH is never advertised on a cleartext connection and we'll be doing all authentication over TLS. Now add this to the bottom of /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:
MAIN_TLS_ENABLE = true
Set up the users and passwords using /usr/share/doc/exim4/examples/exim-adduser. Make sure you fix permissions on /etc/exim4/passwd so that your secret stuff can't be seen by everyone!
# chown root:Debian-exim /etc/exim4/passwd
# chmod 640 /etc/exim4/passwd
OK, now you're all set. Oh wait... no. That sucks, because all the clients on the LAN have to authenticate now. Let's fix that. Create the file /etc/exim4/conf.d/main/20_local_auth_advertise_hosts like this:
auth_advertise_hosts = ! 192.168.0.0/24
hostlist host_auth_accept_relay = *
where 192.168.0.0/24 is your local subnet. This will ensure that the clients on your local LAN don't have to authenticate but everybody else does! As usual, update and restart:
# update-exim4.conf
# /etc/init.d/exim4 restart
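To confirm the result, here is an added check script (not part of the original article) that sends EHLO to the server once in the clear and once inside STARTTLS and reports whether AUTH is offered in each case. It assumes bash, GNU coreutils, openssl s_client 1.1.1 or later, and that you run it from a host outside the trusted subnet, since inside it auth_advertise_hosts hides AUTH entirely.

```bash
#!/bin/bash
# Added example, not from the article: check what an Exim server advertises
# before and after STARTTLS. Assumes bash, GNU coreutils (timeout) and
# openssl s_client 1.1.1+ (for -name). Run it from OUTSIDE the trusted
# subnet: inside 192.168.0.0/24 auth_advertise_hosts hides AUTH entirely.
set -u

# Return 0 if the EHLO response on stdin advertises an AUTH capability,
# e.g. "250-AUTH PLAIN LOGIN" or "250 AUTH PLAIN"; CRs are stripped first.
ehlo_has_auth() {
    tr -d '\r' | grep -Eiq '^250[- ]AUTH([ =]|$)'
}

# Cleartext probe via bash's /dev/tcp: send EHLO, collect the reply, QUIT.
probe_plain() {
    local host=$1 port=$2
    exec 3<>"/dev/tcp/$host/$port" || return 2
    printf 'EHLO probe.example\r\nQUIT\r\n' >&3
    timeout 10 cat <&3
    exec 3<&-
}

# Same probe inside TLS: s_client negotiates STARTTLS, then relays our EHLO.
probe_tls() {
    local host=$1 port=$2
    printf 'EHLO probe.example\r\nQUIT\r\n' |
        timeout 20 openssl s_client -quiet -starttls smtp \
            -connect "$host:$port" -name probe.example 2>/dev/null
}

# Expected for the article's setup: no AUTH on the cleartext EHLO
# (server_advertise_condition requires a TLS cipher), AUTH after STARTTLS.
check_server() {
    local host=$1 port=${2:-25} rc=0
    if probe_plain "$host" "$port" | ehlo_has_auth; then
        echo "FAIL: $host:$port offers AUTH before STARTTLS"; rc=1
    else
        echo "ok: no AUTH offered on the cleartext connection"
    fi
    if probe_tls "$host" "$port" | ehlo_has_auth; then
        echo "ok: AUTH offered inside TLS"
    else
        echo "FAIL: no AUTH offered inside TLS (MAIN_TLS_ENABLE set?)"; rc=1
    fi
    return "$rc"
}

if [ $# -ge 1 ]; then check_server "$@"; fi
```

Usage: `./check_smtp_auth.sh mail.example.org 25` exits non-zero if either expectation fails.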
Thanks to all the fine tutorial writers who have made this "cut-and-paste from other sources" possible.
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
And then you exempt the local subnet like this:-
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
and in the access file:-
localhost RELAY
127.0.0.1 RELAY
192.168.1 RELAY
That's a whole 7 lines of config options, and to me they're a lot more readable than the Exim ones listed here....
This is a strong indication of sendmail-related brain damage syndrome ;)
echo "daemon_smtp_ports = smtp : 587" > /etc/exim4/conf.d/main/00_local_settings