X-Git-Url: https://git.stderr.nl/gitweb?a=blobdiff_plain;f=etc%2Fexim4%2Fconf.d%2Fauth%2F30_exim4-config_examples;fp=etc%2Fexim4%2Fconf.d%2Fauth%2F30_exim4-config_examples;h=0000000000000000000000000000000000000000;hb=00913fc5c4f0bd4a78df5fb067cfb10392aebe7c;hp=13853da158073532d2779fc89809f543b3583815;hpb=0625c01974df320cade3f9cd56674bcdfee0d9f3;p=matthijs%2Fservers%2Fdrsnuggles.git
diff --git a/etc/exim4/conf.d/auth/30_exim4-config_examples b/etc/exim4/conf.d/auth/30_exim4-config_examples
deleted file mode 100644
index 13853da..0000000
--- a/etc/exim4/conf.d/auth/30_exim4-config_examples
+++ /dev/null
@@ -1,254 +0,0 @@
-
-### auth/30_exim4-config_examples
-#################################
-
-# The examples below are for server side authentication, when the
-# local exim is SMTP server and clients authenticate to the local exim.
-
-# They allow two styles of plain-text authentication against an
-# CONFDIR/passwd file whose syntax is described in exim4_passwd(5).
-
-# Hosts that are allowed to use AUTH are defined by the
-# auth_advertise_hosts option in the main configuration. The default is
-# "*", which allows authentication to all hosts over all kinds of
-# connections if there is at least one authenticator defined here.
-# Authenticators which rely on unencrypted clear text passwords don't
-# advertise on unencrypted connections by default. Thus, it might be
-# wise to set up TLS to allow encrypted connections. If TLS cannot be
-# used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
-# advertise unencrypted clear text password based authenticators on all
-# connections. As this is severely reducing security, using TLS is
-# preferred over allowing clear text password based authenticators on
-# unencrypted connections.
-
-# PLAIN authentication has no server prompts. The client sends its
-# credentials in one lump, containing an authorization ID (which we do not
-# use), an authentication ID, and a password. The latter two appear as
-# $auth2 and $auth3 in the configuration and should be checked against a
-# valid username and password. In a real configuration you would typically
-# use $auth2 as a lookup key, and compare $auth3 against the result of the
-# lookup, perhaps using the crypteq{}{} condition.
-
-# plain_server:
-# driver = plaintext
-# public_name = PLAIN
-# server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
-# server_set_id = $auth2
-# server_prompts = :
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-# LOGIN authentication has traditional prompts and responses. There is no
-# authorization ID in this mechanism, so unlike PLAIN the username and
-# password are $auth1 and $auth2. Apart from that you can use the same
-# server_condition setting for both authenticators.
-
-# login_server:
-# driver = plaintext
-# public_name = LOGIN
-# server_prompts = "Username:: : Password::"
-# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-#
-# cram_md5_server:
-# driver = cram_md5
-# public_name = CRAM-MD5
-# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
-# server_set_id = $auth1
-
-# Here is an example of CRAM-MD5 authentication against PostgreSQL:
-#
-# psqldb_auth_server:
-# driver = cram_md5
-# public_name = CRAM-MD5
-# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
-# server_set_id = $auth1
-
-# Authenticate against local passwords using sasl2-bin
-# Requires exim_uid to be a member of sasl group, see README.Debian.gz
-# plain_saslauthd_server:
-# driver = plaintext
-# public_name = PLAIN
-# server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
-# server_set_id = $auth2
-# server_prompts = :
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-#
-# login_saslauthd_server:
-# driver = plaintext
-# public_name = LOGIN
-# server_prompts = "Username:: : Password::"
-# # don't send system passwords over unencrypted connections
-# server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-#
-# ntlm_sasl_server:
-# driver = cyrus_sasl
-# public_name = NTLM
-# server_realm =
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-#
-# digest_md5_sasl_server:
-# driver = cyrus_sasl
-# public_name = DIGEST-MD5
-# server_realm =
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-# Authentcate against cyrus-sasl
-# This is mainly untested, please report any problems to
-# pkg-exim4-users@lists.alioth.debian.org.
-# cram_md5_sasl_server:
-# driver = cyrus_sasl
-# public_name = CRAM-MD5
-# server_realm =
-# server_set_id = $auth1
-#
-# plain_sasl_server:
-# driver = cyrus_sasl
-# public_name = PLAIN
-# server_realm =
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-#
-# login_sasl_server:
-# driver = cyrus_sasl
-# public_name = LOGIN
-# server_realm =
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-# Authenticate against courier authdaemon
-
-# This is now the (working!) example from
-# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
-# Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
-# plain_courier_authdaemon:
-# driver = plaintext
-# public_name = PLAIN
-# server_condition = \
-# ${extract {ADDRESS} \
-# {${readsocket{/var/run/courier/authdaemon/socket} \
-# {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
-# {yes} \
-# fail}
-# server_set_id = $auth2
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-# login_courier_authdaemon:
-# driver = plaintext
-# public_name = LOGIN
-# server_prompts = Username:: : Password::
-# server_condition = \
-# ${extract {ADDRESS} \
-# {${readsocket{/var/run/courier/authdaemon/socket} \
-# {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
-# {yes} \
-# fail}
-# server_set_id = $auth1
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-# This one is a bad hack to support the broken version 4.xx of
-# Microsoft Outlook Express which violates the RFCs by demanding
-# "250-AUTH=" instead of "250-AUTH ".
-# If your list of offered authenticators is other than PLAIN and LOGIN,
-# you need to adapt the public_name line manually.
-# It has to be the last authenticator to work and has not been tested
-# well. Use at your own risk.
-# See the thread entry point from
-# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
-# for the related discussion on the exim-users mailing list.
-# Thanks to Fred Viles for this great work.
-
-# support_broken_outlook_express_4_server:
-# driver = plaintext
-# public_name = "\r\n250-AUTH=PLAIN LOGIN"
-# server_prompts = User Name : Password
-# server_condition = no
-# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-# .endif
-
-##############
-# See /usr/share/doc/exim4-base/README.Debian.gz
-##############
-
-# These examples below are the equivalent for client side authentication.
-# They get the passwords from CONFDIR/passwd.client, whose format is
-# defined in exim4_passwd_client(5)
-
-# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
-# only allow these mechanisms over encrypted connections by default.
-# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
-# clear text password authentication on all connections.
-
-cram_md5:
- driver = cram_md5
- public_name = CRAM-MD5
- client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
- client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
-
-# this returns the matching line from passwd.client and doubles all ^
-PASSWDLINE=${sg{\
- ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
- }\
- {\\N[\\^]\\N}\
- {^^}\
- }
-
-plain:
- driver = plaintext
- public_name = PLAIN
-.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
- client_send = "<; ${if !eq{$tls_cipher}{}\
- {^${extract{1}{:}{PASSWDLINE}}\
- ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
- }fail}"
-.else
- client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
- ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-.endif
-
-login:
- driver = plaintext
- public_name = LOGIN
-.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
- # Return empty string if not non-TLS AND looking up $host in passwd-file
- # yields a non-empty string; fail otherwise.
- client_send = "<; ${if and{\
- {!eq{$tls_cipher}{}}\
- {!eq{PASSWDLINE}{}}\
- }\
- {}fail}\
- ; ${extract{1}{::}{PASSWDLINE}}\
- ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-.else
- # Return empty string if looking up $host in passwd-file yields a
- # non-empty string; fail otherwise.
- client_send = "<; ${if !eq{PASSWDLINE}{}\
- {}fail}\
- ; ${extract{1}{::}{PASSWDLINE}}\
- ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-.endif