I tried several times to get SMTP authentication working for use in a modern environment with much wailing and gnashing of teeth. For starters, I don’t want to have to authenticate every client on my LAN. Clients coming from my home subnet should be trusted by IP and should not have to authenticate. Secondly, I want to be able to relay mail from any client if that client authenticates via TLS from anywhere on the internet. Hopefully this will save other people some time and sanity.

(Some of this tutorial is stolen from this previous article and this was originally set up on Lenny.)

I have my Exim config split into small files (dc_use_split_config in /etc/exim4/update-exim4.conf.conf) so this might be a little different if you’ve set yours up in one monolithic file. Also, make sure that Exim is already relaying properly from your local subnet. OK, here we go. Generate an SSL certificate for Exim:

# /usr/share/doc/exim4-base/examples/exim-gencert

Next, edit /etc/exim4/conf.d/auth/30_exim4-config_examples and uncomment:

# plain_server:
# driver = plaintext
# public_name = PLAIN
# server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$
# server_set_id = $2
# server_prompts = :
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
# .endif

That will enable the server to authenticate clients – Don’t be frightened by the word ‘plaintext’ there. We’ll be doing all authentication over TLS. Now add this to the bottom of /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:

MAIN_TLS_ENABLE = true

Set up the users and passwords using /usr/share/doc/exim4/examples/exim-adduser. Make sure you fix permissions on /etc/exim4/passwd so that your secret stuff can’t be seen by everyone!

# chown root:Debian-exim /etc/exim4/passwd
# chmod 640 /etc/exim4/passwd

OK, now you’re all set. Oh wait… no. That sucks because all the clients on the LAN have to authenticate now. Let’s fix that. Create this file: /etc/exim4/conf.d/main/20_local_auth_advertise_hosts like this:

auth_advertise_hosts = ! 192.168.0.0/24
hostlist host_auth_accept_relay = *

where 192.168.0.0/24 is your local subnet. This will ensure that the clients on your local LAN don’t have to authenticate but everybody else does! As usual, update and restart:

# update-exim4.conf
# /etc/init.d/exim4 restart
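Once Exim is restarted, it is worth confirming from the client side that the server really behaves as the steps above intend: an internet client must not be offered AUTH until after STARTTLS, and a client on the trusted subnet should not be offered AUTH at all. The script below is an added example, not part of the original post or of Exim. Its audit logic runs over constructed EHLO responses (so it works offline); check_live talks to a real server, and the host names, addresses and the "exim.crt" file name in it are placeholders.

```python
"""Client-side check of the Exim relay/auth policy described in this post.

Added example; not part of the original article or of Exim itself.
Host names and addresses below are placeholders.
"""
import smtplib
import ssl


def parse_ehlo(ehlo_msg) -> dict:
    """Convert EHLO response text (as returned by smtplib.SMTP.ehlo(): one
    extension per line, first line being the greeting) into {KEYWORD: params}."""
    if isinstance(ehlo_msg, bytes):
        ehlo_msg = ehlo_msg.decode("utf-8", "replace")
    features = {}
    for line in ehlo_msg.splitlines()[1:]:  # skip the "host Hello [...]" line
        parts = line.strip().split(None, 1)
        if parts:
            features[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return features


def audit(pre_tls: dict, post_tls, on_trusted_lan: bool) -> list:
    """Compare what the server advertised before and after STARTTLS with the
    policy set up in the post. Returns a list of findings (empty == as intended).
    post_tls is None when no TLS session was established."""
    findings = []
    if on_trusted_lan:
        # auth_advertise_hosts = ! <subnet>: LAN clients must never see AUTH
        if "AUTH" in pre_tls or (post_tls and "AUTH" in post_tls):
            findings.append("AUTH advertised to a trusted-LAN client")
        return findings
    if "STARTTLS" not in pre_tls:
        findings.append("STARTTLS not offered (MAIN_TLS_ENABLE / certificate?)")
    if "AUTH" in pre_tls:
        # server_advertise_condition should hide AUTH until $tls_cipher is set
        findings.append("AUTH advertised before STARTTLS: passwords could travel in the clear")
    if post_tls is None or "AUTH" not in post_tls:
        findings.append("AUTH not advertised after STARTTLS")
    elif "PLAIN" not in post_tls["AUTH"].upper().split():
        findings.append("PLAIN mechanism missing from AUTH after STARTTLS")
    return findings


def check_live(host, port=25, on_trusted_lan=False, cafile=None, timeout=10):
    """Talk to a real server and run audit() on what it advertises.
    cafile: the certificate produced by exim-gencert (a copy of the server's
    exim.crt), so the TLS handshake is verified instead of accepted blindly."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, msg = smtp.ehlo()
        pre = parse_ehlo(msg)
        post = None
        if "STARTTLS" in pre:
            ctx = ssl.create_default_context(cafile=cafile)
            smtp.starttls(context=ctx)
            _, msg = smtp.ehlo()
            post = parse_ehlo(msg)
    return audit(pre, post, on_trusted_lan)


# Constructed EHLO responses in the shape smtplib returns them (the "250-"
# and "250 " prefixes already stripped). Not captured from a real host.
EHLO_OUTSIDE_BEFORE_TLS = b"mail.example.org Hello [203.0.113.5]\nSIZE 52428800\n8BITMIME\nPIPELINING\nSTARTTLS\nHELP"
EHLO_OUTSIDE_AFTER_TLS = b"mail.example.org Hello [203.0.113.5]\nSIZE 52428800\n8BITMIME\nPIPELINING\nAUTH PLAIN\nHELP"
EHLO_LAN = b"mail.example.org Hello [192.168.0.23]\nSIZE 52428800\n8BITMIME\nPIPELINING\nSTARTTLS\nHELP"
# What a server would show if AUTH_SERVER_ALLOW_NOTLS_PASSWORDS were defined
EHLO_LEAKY = b"mail.example.org Hello [203.0.113.5]\nSIZE 52428800\n8BITMIME\nPIPELINING\nAUTH PLAIN\nSTARTTLS\nHELP"


def demo() -> dict:
    """Run the audit over the constructed responses; returns findings per case."""
    return {
        "internet_client": audit(parse_ehlo(EHLO_OUTSIDE_BEFORE_TLS),
                                 parse_ehlo(EHLO_OUTSIDE_AFTER_TLS), False),
        "lan_client": audit(parse_ehlo(EHLO_LAN), None, True),
        "auth_before_tls": audit(parse_ehlo(EHLO_LEAKY),
                                 parse_ehlo(EHLO_OUTSIDE_AFTER_TLS), False),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "OK" if not findings else findings)
    # Against a real server, e.g.: check_live("mail.example.org", cafile="exim.crt")
```

Run check_live once from a host outside your subnet (on_trusted_lan=False) and once from a LAN host (on_trusted_lan=True); a non-empty list points at the step that did not take effect, e.g. AUTH showing up before STARTTLS means the .ifndef guard around server_advertise_condition is not in force.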

Thanks to all the fine tutorial writers who have made this “cut-and-paste from other sources” possible.

from here
