Exim4 - Enable SMTP-Auth

Generate an Exim SSL certificate

Exim provides a script for this. Either run:

/usr/share/doc/exim4-base/examples/exim-gencert

or create a certificate manually. Within the /etc/exim4 directory run:

openssl req -x509 -sha256 -days 9000 -nodes -newkey rsa:4096 -keyout exim.key -out exim.crt

This prints:

Generating a 4096 bit RSA private key
............................................++
.............................................................................................................................++
writing new private key to 'exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Jersey
Locality Name (eg, city) []:St. Helier 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShareWiz
Organizational Unit Name (eg, section) []:Tech
Common Name (e.g. server FQDN or YOUR name) []:mail.sharewiz.net
Email Address []:admin@sharewiz.net

This creates the files exim.key and exim.crt in /etc/exim4.

Enable the basic SMTP-Auth in the Exim config file

Uncomment the following lines. (TODO: don't do this; instead do the saslauthd step in the next section.)

/etc/exim4/exim4.conf.template
# plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

and

/etc/exim4/exim4.conf.template
login_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

saslauthd Authentication

You need to configure Exim4 to use the saslauthd for authentication. Edit /etc/exim4/conf.d/auth/30_exim4-config_examples and uncomment the plain_saslauthd_server and login_saslauthd_server sections:

/etc/exim4/exim4.conf.template
 plain_saslauthd_server:
   driver = plaintext
   public_name = PLAIN
   server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
   server_set_id = $auth2
   server_prompts = :
   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
   .endif
#
 login_saslauthd_server:
   driver = plaintext
   public_name = LOGIN
   server_prompts = "Username:: : Password::"
   # don't send system passwords over unencrypted connections
   server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
   server_set_id = $auth1
   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
   .endif

Configuring SASL

This section provides details on configuring the saslauthd to provide authentication for Exim4.

Install the sasl2-bin package.

apt-get install sasl2-bin

To configure saslauthd, edit the /etc/default/saslauthd configuration file and change START=no to:

/etc/default/saslauthd
START=yes

Next the Debian-exim user needs to be part of the sasl group in order for Exim4 to use the saslauthd service:

sudo adduser Debian-exim sasl

Now start the saslauthd service:

sudo /etc/init.d/saslauthd start

Exim4 is now configured with SMTP AUTH using TLS and SASL authentication.

Enable TLS

Create (or edit if it exists) /etc/exim4/exim4.conf.localmacros

Add the line:

/etc/exim4/exim4.conf.localmacros
MAIN_TLS_ENABLE = true

Setup the users and passwords

Users and their passwords are held within the /etc/exim4/passwd file in the following format:

:$Username:$password:

Create /etc/exim4/passwd if it does not exist.

Copy output from:

htpasswd -nd usernameforsmtp

or

mkpasswd -H md5

and paste it into /etc/exim4/passwd.

Repeat for any other logins you'd like to add.

Set the permissions and ownership

This file should have permissions set to 640 and ownership of root:Debian-exim, so that only root can write it and only the Exim user (via the group read bit) can read it:

chmod 640 /etc/exim4/passwd
chown root:Debian-exim /etc/exim4/passwd
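The authenticators earlier on this page read this file with `${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}` and then `${extract{1}{:}...}`, so what matters is the `username:hash` layout, the fail-closed `*:*` default and the file permissions just set. The Python below is an added example (not from the wiki page or from Exim) that models the lookup and extraction steps and audits a stat() result against the 640 root:Debian-exim requirement. The sample passwd contents are constructed and the hash values are placeholders, not real crypt output; the actual password comparison is Exim's `crypteq` and is not reimplemented here.

```python
import os
import stat
from typing import List, Optional

# Constructed sample of /etc/exim4/passwd in the username:hash layout the
# lsearch/extract expansion reads. Hash values are placeholders, not real hashes.
SAMPLE_PASSWD = """\
# one login per line: username:crypt-hash
alice:$1$PLACEHOLDERSALT$PLACEHOLDERHASH
bob:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:unused-extra-field
"""


def lsearch(text: str, key: str) -> Optional[str]:
    """Simplified Exim lsearch: the first non-comment line whose text before the
    first ':' equals `key` wins; everything after that ':' is the value."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        k, sep, value = line.partition(":")
        if sep and k.strip() == key:
            return value.strip()
    return None


def stored_hash(text: str, username: str) -> str:
    """Model of ${extract{1}{:}{${lookup{...}lsearch{...}{$value}{*:*}}}}.

    When the user is absent the default '*:*' is used, so the extracted first
    field is '*', which no crypt() result ever equals: the authenticator fails
    closed instead of matching an empty hash."""
    value = lsearch(text, username)
    if value is None:
        value = "*:*"
    return value.split(":")[0]


def audit_mode(mode: int, uid: int, gid: int, exim_gid: int) -> List[str]:
    """Compare a stat() mode/uid/gid with the page's requirement of
    0640 root:Debian-exim. `exim_gid` is the numeric gid of the Debian-exim
    group on this host (it varies, so the caller supplies it)."""
    problems = []
    perm = stat.S_IMODE(mode)
    if perm != 0o640:
        note = " (world-readable)" if perm & stat.S_IROTH else ""
        problems.append(f"mode {oct(perm)} should be 0o640{note}")
    if uid != 0:
        problems.append(f"owner uid {uid} should be 0 (root)")
    if gid != exim_gid:
        problems.append(f"group gid {gid} should be {exim_gid} (Debian-exim)")
    return problems


def audit_file(path: str, exim_gid: int) -> List[str]:
    """Run audit_mode() against a real file, e.g. /etc/exim4/passwd."""
    st = os.stat(path)
    return audit_mode(st.st_mode, st.st_uid, st.st_gid, exim_gid)


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(f"{user}: hash field = {stored_hash(SAMPLE_PASSWD, user)}")
    # Constructed stat values: a world-readable file owned by an ordinary user.
    for problem in audit_mode(0o100644, 1000, 100, 117):
        print("problem:", problem)
```

`stored_hash` returning `*` for an unknown user is the behaviour to keep in mind when reading the `{*:*}` default in the config: it is what prevents a missing entry from being treated as a blank password.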

Update your configuration and restart Exim4

update-exim4.conf
/etc/init.d/exim4 restart

An SMTP AUTH session

220-mail.xxxxxxxx.com ESMTP Exim 4.34 #1 Wed, 23 Jun 2004 17:35:13 -0700 
EHLO mail.myserver.com
250-mail.xxxxxxxx.com Hello mail.myserver.com [192.168.0.156]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
bXl1c2VybmFtZQ==
334 UGFzc3dvcmQ6
bXlwYXNzd29yZA==
235 Authentication succeeded
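The session above shows why the authenticators on this page gate `server_advertise_condition` on `$tls_cipher`: AUTH LOGIN only base64-encodes the username and password, and without STARTTLS they cross the network readable. The Python below is an added example (not from the wiki page or from Exim) that replays a captured session: it models the `${if eq{$tls_cipher}{}{}{*}}` expansion, decodes the LOGIN and PLAIN exchanges, and reports whether AUTH was advertised or used before TLS was established. The two transcripts are constructed to match the one on the page; hostnames and credentials in them are sample values.

```python
import base64

# Constructed transcripts. Server replies start with a 3-digit code; client
# commands do not. The first mirrors the page's session (AUTH LOGIN, no TLS),
# the second negotiates STARTTLS first and then uses AUTH PLAIN.
SESSION_LOGIN_NO_TLS = """\
220-mail.example.com ESMTP Exim
EHLO mail.myserver.com
250-mail.example.com Hello mail.myserver.com [192.168.0.156]
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
bXl1c2VybmFtZQ==
334 UGFzc3dvcmQ6
bXlwYXNzd29yZA==
235 Authentication succeeded
"""

SESSION_PLAIN_TLS = """\
220 mail.example.com ESMTP Exim
EHLO mail.myserver.com
250-mail.example.com Hello mail.myserver.com [192.168.0.156]
250-STARTTLS
250 HELP
STARTTLS
220 TLS go ahead
EHLO mail.myserver.com
250-mail.example.com Hello mail.myserver.com [192.168.0.156]
250-AUTH PLAIN LOGIN
250 HELP
AUTH PLAIN AG15dXNlcm5hbWUAbXlwYXNzd29yZA==
235 Authentication succeeded
"""


def advertise_auth(tls_cipher: str) -> bool:
    """Python reading of ${if eq{$tls_cipher}{}{}{*}}: Exim sets $tls_cipher
    only after a TLS handshake, so an empty value means 'do not advertise'."""
    return tls_cipher != ""


def _b64(text: str) -> bytes:
    return base64.b64decode(text, validate=True)


def parse_session(transcript: str) -> dict:
    """Replay an SMTP transcript, tracking STARTTLS state and decoding AUTH."""
    tls_active = False             # server accepted STARTTLS with 220
    awaiting_tls_ack = False       # client sent STARTTLS, waiting for reply
    auth_advertised_cleartext = False
    mechanism = None
    auth_over_tls = None
    payloads = []                  # client responses after AUTH
    collecting = False

    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[:3].isdigit():                              # server reply
            code = line[:3]
            text = line[4:].upper()
            if awaiting_tls_ack:
                tls_active = code == "220"
                awaiting_tls_ack = False
            elif code == "250" and text.startswith("AUTH ") and not tls_active:
                auth_advertised_cleartext = True             # EHLO offered AUTH before TLS
            elif collecting and code != "334":               # 235 or 5xx ends the exchange
                collecting = False
            continue
        upper = line.upper()                                 # client command
        if upper == "STARTTLS":
            awaiting_tls_ack = True
        elif upper.startswith("AUTH "):
            parts = line.split()
            mechanism = parts[1].upper()
            auth_over_tls = tls_active
            payloads = parts[2:]                             # optional initial response
            collecting = True
        elif collecting:
            payloads.append(line)

    username = password = None
    if mechanism == "LOGIN" and len(payloads) >= 2:
        username = _b64(payloads[0]).decode()                # reply to 334 'Username:'
        password = _b64(payloads[1]).decode()                # reply to 334 'Password:'
    elif mechanism == "PLAIN" and payloads:
        fields = _b64(payloads[0]).split(b"\0")              # authzid NUL authcid NUL passwd
        if len(fields) == 3:
            username = fields[1].decode()
            password = fields[2].decode()

    if username is None:
        finding = "no credentials exchanged"
    elif auth_over_tls:
        finding = "credentials sent inside TLS"
    else:
        finding = "credentials sent in clear text (base64 is encoding, not encryption)"

    return {
        "mechanism": mechanism,
        "tls_before_auth": bool(auth_over_tls),
        "auth_advertised_cleartext": auth_advertised_cleartext,
        "username": username,
        "password": password,
        "finding": finding,
    }


if __name__ == "__main__":
    for name, session in (("LOGIN/no TLS", SESSION_LOGIN_NO_TLS), ("PLAIN/TLS", SESSION_PLAIN_TLS)):
        print(name, parse_session(session))
    print("advertise without TLS:", advertise_auth(""), "with TLS:", advertise_auth("TLS1.3:...:256"))
```

With the `.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS` block left in place, a correctly configured server never produces the first transcript's `250-AUTH` line before STARTTLS, so `auth_advertised_cleartext` staying false on a captured session is a quick check that the advertise condition is in effect.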

exim4/enable_smtp-auth.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1