Exim4 SMTP Auth for the Real World

Posted by tubaman on Wed 11 Mar 2009 at 14:42

I tried several times to get SMTP authentication working for use in a modern environment with much wailing and gnashing of teeth. For starters, I don't want to have to authenticate every client on my LAN. Clients coming from my home subnet should be trusted by IP and should not have to authenticate. Secondly, I want to be able to relay mail from any client if that client authenticates via TLS from anywhere on the internet. Hopefully this will save other people some time and sanity.

(Some of this tutorial is stolen from this previous article and this was originally set up on Lenny.)

I have my Exim config split into small files (dc_use_split_config in /etc/exim4/update-exim4.conf.conf), so this might be a little different if you've set yours up in one monolithic file. Also, make sure that Exim is already relaying properly from your local subnet before you start. Ok, here we go. Generate an SSL certificate for Exim:

# /usr/share/doc/exim4-base/examples/exim-gencert

Next, edit /etc/exim4/conf.d/auth/30_exim4-config_examples and uncomment:

# plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

That enables the server to authenticate clients. Don't be frightened by the word 'plaintext' there: the server_advertise_condition line only advertises PLAIN once a TLS cipher is in use (unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined), so all authentication happens over TLS. Now add this to the bottom of /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:

MAIN_TLS_ENABLE = true

Set up the users and passwords using /usr/share/doc/exim4/examples/exim-adduser. Make sure you fix the permissions on /etc/exim4/passwd so that your secret stuff can't be seen by everyone:

# chown root:Debian-exim /etc/exim4/passwd
# chmod 640 /etc/exim4/passwd

OK, now you're all set. Oh wait... no. That sucks, because all the clients on the LAN have to authenticate now. Let's fix that. Create this file, /etc/exim4/conf.d/main/20_local_auth_advertise_hosts, like this:

auth_advertise_hosts = ! 192.168.0.0/24
hostlist host_auth_accept_relay = *

where 192.168.0.0/24 is your local subnet. This ensures that clients on your local LAN don't have to authenticate but everybody else does! As usual, update and restart:

# update-exim4.conf
# /etc/init.d/exim4 restart

Thanks to all the fine tutorial writers who have made this "cut-and-paste from other sources" possible.

Re: Exim4 SMTP Auth for the Real World
Posted by Anonymous (195.24.xx.xx) on Mon 16 Mar 2009 at 12:51
I've lost count of how many people have told me over the years that Exim is better than sendmail because it's easy to configure. If you wanted to achieve this with sendmail, you enable SMTP AUTH like so:-

define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl

And then you exempt the local subnet like this:-

FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl

and in the access file:-

localhost RELAY
127.0.0.1 RELAY
192.168.1 RELAY

That's a whole 7 lines of config options, and to me they're a lot more readable than the Exim ones listed here....

Re: Exim4 SMTP Auth for the Real World
Posted by tubaman (97.77.xx.xx) on Mon 16 Mar 2009 at 16:04
Yeah, I just use Exim because I know it... not because it's necessarily better than sendmail or postfix or (insert your favorite MTA).

Re: Exim4 SMTP Auth for the Real World
Posted by Anonymous (190.169.xx.xx) on Mon 16 Mar 2009 at 20:55
Postfix! (:

Re: Exim4 SMTP Auth for the Real World
Posted by Anonymous (71.63.xx.xx) on Wed 27 May 2009 at 21:49
"and to me they're a lot more readable"
This is a strong indication of sendmail-related brain damage syndrome ;)

Re: Exim4 SMTP Auth for the Real World
Posted by Anonymous (87.81.xx.xx) on Thu 11 Jun 2009 at 23:40
Please update this article with the missing setting for listening on port 587, i.e. from another article, http://www.debian-administration.org/users/lee/weblog/19:

echo "daemon_smtp_ports = smtp : 587" > /etc/exim4/conf.d/main/00_local_settings

Re: Exim4 SMTP Auth for the Real World
Posted by Anonymous (98.125.xx.xx) on Wed 15 Sep 2010 at 23:43
This did not work for me until I made the following change:

In 01_exim4-config_listmacrosdefs

I replaced this:
hostlist relay_from_hosts = MAIN_RELAY_NETS

With this:

hostlist relay_from_hosts = *

(my logic being that this was necessary for connecting via any IP on the internet??)

Is this a huge security hole that would allow anybody to spam using my server? It seems that as long as I have TLS properly configured and a valid username/password I'm OK??????

Re: Exim4 SMTP Auth for the Real World
Posted by Anonymous (109.204.xx.xx) on Sat 19 Jan 2013 at 09:44
I'm pretty sure it is a huge security hole. Didn't need to set that and from what I gather from the package configuration, this option is for addresses you want to trust.

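The question above and the reply to it are worth making concrete, because the relevant Debian ACL (30_exim4-config_check_rcpt) already contains an `accept authenticated = *` statement: a client on an arbitrary internet address that authenticates is accepted by that statement, so it never needs to be in relay_from_hosts. The model below is an added example, not Exim code or anything posted in this thread; it mirrors the order of the accept/deny statements as I understand them (relay_from_hosts, then authenticated, then local domains, else "relay not permitted") and uses constructed domain names and client addresses. It shows that `hostlist relay_from_hosts = *` accepts relaying from any unauthenticated host, which is an open relay, whereas the article's `auth_advertise_hosts = ! 192.168.0.0/24` plus the default relay_from_hosts gives the intended split.

```python
"""Toy model of the Debian exim4 RCPT ACL relay decision.

Added example, not Exim code: it reproduces the order of the relevant
accept/deny statements in 30_exim4-config_check_rcpt (hosts in
relay_from_hosts, then authenticated senders, then local domains, else
"relay not permitted") to show what 'hostlist relay_from_hosts = *'
does. Domain names and client addresses are constructed.
"""
import ipaddress

LOCAL_DOMAINS = {"mydomain.org"}           # constructed local domain
LAN = "192.168.0.0/24"                     # the article's local subnet

RELAY_NETS_ARTICLE = [LAN]                 # MAIN_RELAY_NETS as intended
RELAY_NETS_COMMENTER = ["*"]               # the commenter's change


def host_matches(client_ip, hostlist):
    """Exim-style hostlist match for the two item kinds used here."""
    addr = ipaddress.ip_address(client_ip)
    for item in hostlist:
        if item == "*" or addr in ipaddress.ip_network(item, strict=False):
            return True
    return False


def auth_advertised(client_ip, tls_active):
    """auth_advertise_hosts = ! LAN, plus the TLS-only advertise condition."""
    return tls_active and not host_matches(client_ip, [LAN])


def rcpt_decision(client_ip, authenticated, rcpt_domain, relay_from_hosts):
    """Return the ACL verdict for one RCPT TO command."""
    if host_matches(client_ip, relay_from_hosts):
        return "accept: relay_from_hosts"
    if authenticated:
        return "accept: authenticated"
    if rcpt_domain in LOCAL_DOMAINS:
        return "accept: local domain"
    return "deny: relay not permitted"


def is_open_relay(relay_from_hosts, outside_ip="203.0.113.7"):
    """True if an unauthenticated host outside the LAN may relay outward."""
    verdict = rcpt_decision(outside_ip, False, "example.net", relay_from_hosts)
    return verdict.startswith("accept")


if __name__ == "__main__":
    for label, nets in (("article", RELAY_NETS_ARTICLE),
                        ("commenter", RELAY_NETS_COMMENTER)):
        print(f"{label:9s} relay_from_hosts={nets}: "
              f"open relay = {is_open_relay(nets)}")
        for ip, auth in (("192.168.0.10", False),
                         ("203.0.113.7", False),
                         ("203.0.113.7", True)):
            print(f"  {ip:13s} auth={auth!s:5s} -> "
                  f"{rcpt_decision(ip, auth, 'example.net', nets)}")
```

With the article's settings a LAN host relays without authenticating, an outside host relays only after authenticating, and an outside host that does not authenticate is refused; with `relay_from_hosts = *` the last case is accepted too, which is the hole the reply above describes.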
Re: Exim4 SMTP Auth for the Real World
Posted by tivincent (82.230.xx.xx) on Thu 12 Jan 2012 at 07:25
Thanks a lot! It works for me...

However, it seems that Exim4 could not see my /etc/aliases.
The command
> echo "coucou" | mail -s "test" myusername
tries to send a mail to myusername@mydomain.org, instead of catching the email specified in /etc/aliases for the user myusername...

Any ideas?

Thanks a lot!
