
I tried several times to get SMTP authentication working for use in a modern environment with much wailing and gnashing of teeth. For starters, I don’t want to have to authenticate every client on my LAN. Clients coming from my home subnet should be trusted by IP and should not have to authenticate. Secondly, I want to be able to relay mail from any client if that client authenticates via TLS from anywhere on the internet. Hopefully this will save other people some time and sanity.

(Some of this tutorial is stolen from this previous article and this was originally set up on Lenny.)

I have my Exim config split into small files (dc_use_split_config in /etc/exim4/update-exim4.conf.conf), so this might be a little different if you’ve set yours up in one monolithic file. Also, make sure that Exim is already relaying properly from your local subnet. OK, here we go. Generate an SSL certificate for Exim:

# /usr/share/doc/exim4-base/examples/exim-gencert

Next, edit /etc/exim4/conf.d/auth/30_exim4-config_examples and uncomment:

# plain_server:
# driver = plaintext
# public_name = PLAIN
# server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$
# server_set_id = $2
# server_prompts = :
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
# .endif

That will enable the server to authenticate clients – Don’t be frightened by the word ‘plaintext’ there. We’ll be doing all authentication over TLS. Now add this to the bottom of /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:

MAIN_TLS_ENABLE = true

Set up the users and passwords using /usr/share/doc/exim4/examples/exim-adduser. Make sure you fix the permissions on /etc/exim4/passwd so that your secret stuff can’t be seen by everyone!

# chown root:Debian-exim /etc/exim4/passwd
# chmod 640 /etc/exim4/passwd

OK, now you’re all set. Oh wait… no. That sucks because all the clients on the LAN have to authenticate now. Let’s fix that. Create this file: /etc/exim4/conf.d/main/20_local_auth_advertise_hosts like this:

auth_advertise_hosts = ! 192.168.0.0/24
hostlist host_auth_accept_relay = *

where 192.168.0.0/24 is your local subnet. This will ensure that the clients on your local LAN don’t have to authenticate but everybody else does! As usual, update and restart:

# update-exim4.conf
# /etc/init.d/exim4 restart
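To make the resulting policy easier to reason about, here is a small added Python model (not Exim code, and not from the article) of the three settings above: which clients get AUTH offered and which are allowed to relay. It assumes the pre-existing LAN relay list is the same 192.168.0.0/24 subnet and handles IPv4 host lists only.

```python
import ipaddress

# Settings quoted from the article; change the subnet to match your own LAN.
AUTH_ADVERTISE_HOSTS = "! 192.168.0.0/24"
HOST_AUTH_ACCEPT_RELAY = "*"
# Assumed: the LAN relay list the article says is already working (IPv4 only here).
RELAY_FROM_HOSTS = "192.168.0.0/24"

def host_list_matches(spec: str, client_ip: str) -> bool:
    """Evaluate a simple Exim host list: '*', CIDR blocks, '!' negation, ':' separators.
    Items are tested left to right and the first hit decides.  An exhausted list is
    no match, unless its last item was negated, in which case it is a match."""
    ip = ipaddress.ip_address(client_ip)
    negated = False
    for raw in spec.split(":"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("! ")
        if item == "*" or ip in ipaddress.ip_network(item, strict=False):
            return not negated
    return negated

def auth_advertised(client_ip: str, tls_cipher: str) -> bool:
    """Would EHLO list AUTH PLAIN?  auth_advertise_hosts must match AND TLS must be up:
    server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} expands to an empty
    (false) string while $tls_cipher is empty, so no password is ever asked for in clear."""
    return host_list_matches(AUTH_ADVERTISE_HOSTS, client_ip) and tls_cipher != ""

def may_relay(client_ip: str, tls_cipher: str, authenticated: bool) -> bool:
    """Would mail for a foreign domain be accepted?  Either a trusted LAN source, or a
    successful AUTH from a host in host_auth_accept_relay.  AUTH can only succeed
    where it was advertised, so an unencrypted remote client can never relay."""
    if host_list_matches(RELAY_FROM_HOSTS, client_ip):
        return True
    return (authenticated and auth_advertised(client_ip, tls_cipher)
            and host_list_matches(HOST_AUTH_ACCEPT_RELAY, client_ip))

if __name__ == "__main__":
    cipher = "TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256"  # constructed $tls_cipher value
    for ip, tls, authed in [("192.168.0.10", "", False), ("203.0.113.5", "", False),
                            ("203.0.113.5", "", True), ("203.0.113.5", cipher, False),
                            ("203.0.113.5", cipher, True)]:  # constructed sample clients
        print(f"{ip:13} tls={bool(tls)!s:5} authed={authed!s:5} "
              f"AUTH offered={auth_advertised(ip, tls)!s:5} relay={may_relay(ip, tls, authed)}")
```

Running it prints one row per constructed client; the interesting rows are the remote client without TLS, which is neither offered AUTH nor allowed to relay even if it claims to have authenticated, and the LAN client, which relays without ever seeing AUTH.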

Thanks to all the fine tutorial writers who have made this “cut-and-paste from other sources” possible.


Posted by Anonymous (195.24.xx.xx) on Mon 16 Mar 2009 at 12:51
I’ve lost count of how many people have told me over the years that Exim is better than sendmail because it’s easy to configure. If you wanted to achieve this with sendmail, you enable SMTP AUTH like so:-

define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl

And then you exempt the local subnet like this:-

FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl

and in the access file:-

localhost RELAY
127.0.0.1 RELAY
192.168.1 RELAY

That’s a whole 7 lines of config options, and to me they’re a lot more readable than the Exim ones listed here...
