Weblog entry #19 for lee
While this is information readily available elsewhere, I'm just going to drop some notes here in case I need to refer to this at some point in the future.
The office mailserver runs Exim and Courier IMAP/POP3. A user who normally accesses and sends mail from the office is now in a foreign hotel trying to send email; however, the relay rules until now have been based entirely on IP ranges.
Setting up authentication
Since we already have courier-authdaemon running we may as well use it for authentication. I copied the following from /etc/exim4/conf.d/auth/30_exim4-config_examples into /etc/exim4/conf.d/auth/10_local-courier_authdaemon:
plain_courier_authdaemon:
  driver = plaintext
  public_name = PLAIN
  server_condition = \
    ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
    {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n}}}{FAIL\n}{no}{yes}}
  server_set_id = $2
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

login_courier_authdaemon:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${if eq {${readsocket{/var/run/courier/authdaemon/socket} \
    {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n}}}{FAIL\n}{no}{yes}}
  server_set_id = $1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
Then I needed to give the Exim process access to the socket file; I did this by adding Exim to the daemon group (which may, potentially, have security issues?). The -a flag appends daemon to the user's supplementary groups rather than replacing the existing list:
sudo usermod -a -G daemon Debian-exim
Setting up TLS
Since we don't want to use plaintext authentication over the Internet, we need to have TLS available.
First run /usr/share/doc/exim4/examples/exim-gencert and follow the prompts to create a self-signed certificate. Then edit /etc/exim4/conf.d/main/00_local_settings to include the line:
MAIN_TLS_ENABLE = true
Setting up message submission
Port 25 is blocked at the remote location, so we need to listen on an alternative port for SMTP AUTH. Port 587 is the standard port for message submission, so we have Exim listen on both port 25 and port 587 by adding the following to /etc/exim4/conf.d/main/00_local_settings:
daemon_smtp_ports = smtp : 587
Now just run "update-exim4.conf" and restart the daemon, and everything should work correctly.
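A quick way to confirm the result is to check what the port 587 listener advertises before and after STARTTLS: with the server_advertise_condition above, AUTH should be absent from the first EHLO reply and present (PLAIN and LOGIN) after TLS is up. The following is an added example, not from the original post; the sample EHLO replies are constructed, and mail.example.org is a placeholder hostname.

```python
import smtplib

# Constructed sample EHLO replies (not captured from any real server): port 587
# before and after STARTTLS with the authenticators above in place.
SAMPLE_PRE_TLS = ("250-mail.example.org Hello client [203.0.113.7]\n"
                  "250-SIZE 52428800\n250-STARTTLS\n250 HELP")
SAMPLE_POST_TLS = ("250-mail.example.org Hello client [203.0.113.7]\n"
                   "250-SIZE 52428800\n250-AUTH PLAIN LOGIN\n250 HELP")


def ehlo_extensions(ehlo_reply):
    """Map EXTENSION -> parameters; accepts "250-" prefixed or stripped lines."""
    exts = {}
    for line in ehlo_reply.strip().splitlines()[1:]:  # line 0 is the greeting
        if line[:3].isdigit() and len(line) > 3:
            line = line[4:]  # drop "250-" / "250 "
        keyword, _, params = line.strip().partition(" ")
        if keyword:
            exts[keyword.upper()] = params
    return exts


def auth_mechanisms(ehlo_reply):
    """SASL mechanisms listed after AUTH, or an empty set if none is offered."""
    params = ehlo_extensions(ehlo_reply).get("AUTH")
    return set(params.upper().split()) if params else set()


def submission_findings(pre_tls_ehlo, post_tls_ehlo):
    """Policy violations: STARTTLS offered, no AUTH before TLS, PLAIN/LOGIN after."""
    findings = []
    if "STARTTLS" not in ehlo_extensions(pre_tls_ehlo):
        findings.append("STARTTLS not offered: MAIN_TLS_ENABLE is not in effect")
    before = auth_mechanisms(pre_tls_ehlo)
    if before:
        findings.append("AUTH offered before TLS: " + " ".join(sorted(before)))
    if not auth_mechanisms(post_tls_ehlo) & {"PLAIN", "LOGIN"}:
        findings.append("no PLAIN/LOGIN inside TLS: roaming users cannot log in")
    return findings


def probe(host, port=587):
    """Fetch both EHLO replies from a live server; starttls() with no context
    skips certificate verification, which suits the self-signed exim-gencert one."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _, before = smtp.ehlo()
        smtp.starttls()
        _, after = smtp.ehlo()
    return submission_findings(before.decode(), after.decode())
```

Running probe("mail.example.org") against the real server returns an empty list when the listener behaves as intended; each string in a non-empty list names one thing to fix.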
Comments on this Entry
dc_local_interfaces='0.0.0.0.25'
Change this to:
dc_local_interfaces='0.0.0.0'
or only the IP you want to listen on.