-
-### auth/30_exim4-config_examples
-#################################
-
-# The examples below are for server side authentication, when the
-# local exim is SMTP server and clients authenticate to the local exim.
-
-# They allow two styles of plain-text authentication against an
-# CONFDIR/passwd file whose syntax is described in exim4_passwd(5).
-
-# Hosts that are allowed to use AUTH are defined by the
-# auth_advertise_hosts option in the main configuration. The default is
-# "*", which allows authentication to all hosts over all kinds of
-# connections if there is at least one authenticator defined here.
-# Authenticators which rely on unencrypted clear text passwords don't
-# advertise on unencrypted connections by default. Thus, it might be
-# wise to set up TLS to allow encrypted connections. If TLS cannot be
-# used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
-# advertise unencrypted clear text password based authenticators on all
-# connections. As this is severely reducing security, using TLS is
-# preferred over allowing clear text password based authenticators on
-# unencrypted connections.
-
-# PLAIN authentication has no server prompts. The client sends its
-# credentials in one lump, containing an authorization ID (which we do not
-# use), an authentication ID, and a password. The latter two appear as
-# $auth2 and $auth3 in the configuration and should be checked against a
-# valid username and password. In a real configuration you would typically
-# use $auth2 as a lookup key, and compare $auth3 against the result of the
-# lookup, perhaps using the crypteq{}{} condition.
-
-# plain_server:
-# driver = plaintext
-# public_name = PLAIN
-# server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
-# server_set_id = $auth2
-# server_prompts = :
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-# LOGIN authentication has traditional prompts and responses. There is no
-# authorization ID in this mechanism, so unlike PLAIN the username and
-# password are $auth1 and $auth2. Apart from that you can use the same
-# server_condition setting for both authenticators.
-
-# login_server:
-# driver = plaintext
-# public_name = LOGIN
-# server_prompts = "Username:: : Password::"
-# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-#
-# cram_md5_server:
-# driver = cram_md5
-# public_name = CRAM-MD5
-# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
-# server_set_id = $auth1
-
-# Here is an example of CRAM-MD5 authentication against PostgreSQL:
-#
-# psqldb_auth_server:
-# driver = cram_md5
-# public_name = CRAM-MD5
-# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
-# server_set_id = $auth1
-
-# Authenticate against local passwords using sasl2-bin
-# Requires exim_uid to be a member of sasl group, see README.Debian.gz
-# plain_saslauthd_server:
-# driver = plaintext
-# public_name = PLAIN
-# server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
-# server_set_id = $auth2
-# server_prompts = :
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-#
-# login_saslauthd_server:
-# driver = plaintext
-# public_name = LOGIN
-# server_prompts = "Username:: : Password::"
-# # don't send system passwords over unencrypted connections
-# server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-#
-# ntlm_sasl_server:
-# driver = cyrus_sasl
-# public_name = NTLM
-# server_realm = <short main hostname>
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-#
-# digest_md5_sasl_server:
-# driver = cyrus_sasl
-# public_name = DIGEST-MD5
-# server_realm = <short main hostname>
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-# Authentcate against cyrus-sasl
-# This is mainly untested, please report any problems to
-# pkg-exim4-users@lists.alioth.debian.org.
-# cram_md5_sasl_server:
-# driver = cyrus_sasl
-# public_name = CRAM-MD5
-# server_realm = <short main hostname>
-# server_set_id = $auth1
-#
-# plain_sasl_server:
-# driver = cyrus_sasl
-# public_name = PLAIN
-# server_realm = <short main hostname>
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-#
-# login_sasl_server:
-# driver = cyrus_sasl
-# public_name = LOGIN
-# server_realm = <short main hostname>
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-# Authenticate against courier authdaemon
-
-# This is now the (working!) example from
-# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
-# Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
-# plain_courier_authdaemon:
-# driver = plaintext
-# public_name = PLAIN
-# server_condition = \
-# ${extract {ADDRESS} \
-# {${readsocket{/var/run/courier/authdaemon/socket} \
-# {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
-# {yes} \
-# fail}
-# server_set_id = $auth2
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-# login_courier_authdaemon:
-# driver = plaintext
-# public_name = LOGIN
-# server_prompts = Username:: : Password::
-# server_condition = \
-# ${extract {ADDRESS} \
-# {${readsocket{/var/run/courier/authdaemon/socket} \
-# {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
-# {yes} \
-# fail}
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-# This one is a bad hack to support the broken version 4.xx of
-# Microsoft Outlook Express which violates the RFCs by demanding
-# "250-AUTH=" instead of "250-AUTH ".
-# If your list of offered authenticators is other than PLAIN and LOGIN,
-# you need to adapt the public_name line manually.
-# It has to be the last authenticator to work and has not been tested
-# well. Use at your own risk.
-# See the thread entry point from
-# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
-# for the related discussion on the exim-users mailing list.
-# Thanks to Fred Viles for this great work.
-
-# support_broken_outlook_express_4_server:
-# driver = plaintext
-# public_name = "\r\n250-AUTH=PLAIN LOGIN"
-# server_prompts = User Name : Password
-# server_condition = no
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-##############
-# See /usr/share/doc/exim4-base/README.Debian.gz
-##############
-
-# These examples below are the equivalent for client side authentication.
-# They get the passwords from CONFDIR/passwd.client, whose format is
-# defined in exim4_passwd_client(5)
-
-# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
-# only allow these mechanisms over encrypted connections by default.
-# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
-# clear text password authentication on all connections.
-
-cram_md5:
- driver = cram_md5
- public_name = CRAM-MD5
- client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
- client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
-
-# this returns the matching line from passwd.client and doubles all ^
-PASSWDLINE=${sg{\
- ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
- }\
- {\\N[\\^]\\N}\
- {^^}\
- }
-
-plain:
- driver = plaintext
- public_name = PLAIN
-.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
- client_send = "<; ${if !eq{$tls_cipher}{}\
- {^${extract{1}{:}{PASSWDLINE}}\
- ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
- }fail}"
-.else
- client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
- ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-.endif
-
-login:
- driver = plaintext
- public_name = LOGIN
-.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
- # Return empty string if not non-TLS AND looking up $host in passwd-file
- # yields a non-empty string; fail otherwise.
- client_send = "<; ${if and{\
- {!eq{$tls_cipher}{}}\
- {!eq{PASSWDLINE}{}}\
- }\
- {}fail}\
- ; ${extract{1}{::}{PASSWDLINE}}\
- ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-.else
- # Return empty string if looking up $host in passwd-file yields a
- # non-empty string; fail otherwise.
- client_send = "<; ${if !eq{PASSWDLINE}{}\
- {}fail}\
- ; ${extract{1}{::}{PASSWDLINE}}\
- ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-.endif