Thursday 1 November 2007

SMTP AUTH using exim and PAM

I want to use SMTP AUTH to enable road warriors to send though the office mail server - but I don't want yet another set of user names and passwords - so what I need is to use PAM to plug in to the existing Linux authentication mechanism.

This can actually be done quite easily with exim4 (the MTA that we use)

First of all, you'll want to be running the daemon-heavy debian version of exim with split up configuration files.

Then, in /etc/exim4/conf.d/auth add a local config file with:

plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = "${if pam{$2:$3}{1}{0}}"
server_set_id = $2

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if pam{$1:$2}{1}{0}}"
server_set_id = $1

You could rename these auth drivers if needed if they conflict with existing ones - or probably comment out the existing ones.

In /etc/exim4/conf.d/main set

MAIN_TLS_ENABLE = true

in a local config files (before the 03 TLS one) and

auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}

to only allow AUTH if TLS is running.

Then in /etc/pam.d create a config file for exim.

I have simply:

#
# The PAM config file for exim SMTP
#

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-password
@include common-session

To make it match everything else on the host but you could tailor.

You'll need a set of certificates for the TLS communication. Self signed ones can be produces by /usr/share/doc/exim4-base/examples/exim-gencert

The final step is to make Debian-exim a member of the shadow group so that it can read the shadow passwords and actually do the authentication.


One further change I do is to prevent authenticated mails from being scanned by spamassassin.

In the rcpt acl I add


  # Prevent auth users from being scanned by Spamassassin
  warn     authenticated = *
           set acl_m0    = do-not-scan




Then in /etc/exim4/sa-exim.conf

SAEximRunCond: ${if and {{def:sender_host_address} {!match {$sender_host_address}{\N^(192\.168\.*)|(127\.0\.0\.1)$\N}} {!eq{$acl_m0}{do-not-scan}} } {1}{0}}

Which means that spamassassin won't be called for mail originating on the local network or with the acl_m0 header set to do-not-scan
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)