Hello Mihamina and others,

Please note that LOGIN and PLAIN are not the better choice for security. It is really better to use SCRAM-SHA-*(-PLUS) which are supported by Exim.

Regards,

Neustradamus

________________________________________
From: Mihamina RKTMB via Exim-users <[email protected]>
Sent: Friday, October 20, 2023 14:08
To: [email protected]
Subject: [exim] Server side PLAIN and LOGIN Auth against PAM

Hi all,

Running Archlinux, I installed exim 4.96.2.

I want to implement server side PLAIN and LOGIN auth against PAM.

In order to isolate issues, I make it without SSL for this first step, I will add SSL after successfully setting it up in clear text.

This is what I modified from the default configuration:

    primary_hostname = <the hostname>
    domainlist local_domains = @:<domain1>:<domain2>
    hostlist relay_from_hosts = localhost

I changed the default daemon_smtp_ports to (because I don't use SSL, I don't use 465):

    daemon_smtp_ports = 25 : 587

The ACL section is the default one, strictly the same as https://github.com/Exim/exim/blob/b94ea1bd61485a97c2d0dc2cab4c4d86ffe82e89/src/src/configure.default#L390

The Authenticators section has been modified and this is the full content:

    begin authenticators

    PLAIN:
      driver                     = plaintext
      server_set_id              = $auth2
      server_prompts             = :
      server_condition           = ${if pam{$auth2:$auth3}{1}{0}}"
      server_advertise_condition = *

    # LOGIN authentication has traditional prompts and responses. There is no
    # authorization ID in this mechanism, so unlike PLAIN the username and
    # password are $auth1 and $auth2. Apart from that you can use the same
    # server_condition setting for both authenticators.

    LOGIN:
      driver                     = plaintext
      server_set_id              = $auth1
      server_prompts             = "Username:: : Password::"
      server_condition           = "${if pam{$auth1:$auth2}{1}{0}}"
      server_advertise_condition = *

I also created a file named /etc/pam.d/exim (pam.d/ is traversable by all, exim is readable by all) with the content

    auth       required     /lib/security/$ISA/pam_env.so
    auth       sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok
    auth       required     /lib/security/$ISA/pam_deny.so
    account    required     /lib/security/$ISA/pam_unix.so
    password   required     /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password   sufficient   /lib/security/$ISA/pam_unix.so nullok use_authtok md5shadow
    password   required     /lib/security/$ISA/pam_deny.so
    session    required     /lib/security/$ISA/pam_limits.so
    session    required     /lib/security/$ISA/pam_unix.so

The problem:

When I try to send a message by submitting it to port 587 using the right credentials (Using Thunderbird), I get this in the logs:

    PLAIN authenticator failed for ... 435 Unable to authenticate at present (set_id=mihamina): 0"
    LOGIN authenticator failed for ... 535 Incorrect authentication data (set_id=mihamina)

I think there is a problem with my "server_condition" in each authenticator, but I cannot figure out what is the problem.

Would you help, please?

-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
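Added example, not part of either post and not Exim's own code: it decodes what a client sends for AUTH PLAIN and AUTH LOGIN into the $auth1..$auth3 values the plaintext driver sets, which is why the two authenticators above hand different variables to pam, and it shows that without TLS the password crosses the wire as plain base64. The password is constructed, the helper names are hypothetical, and the colon doubling in `pam_argument` follows Exim's colon-separated list syntax rather than the posted config.

```python
import base64


def decode_plain(response_b64: str) -> dict:
    """SASL PLAIN (RFC 4616): base64 of authzid NUL authcid NUL password."""
    fields = base64.b64decode(response_b64, validate=True).split(b"\x00")
    if len(fields) != 3:
        raise ValueError("PLAIN needs exactly three NUL-separated fields")
    authzid, user, password = (f.decode("utf-8") for f in fields)
    # The first field is the (usually empty) authorization id, so the
    # username lands in $auth2 and the password in $auth3.
    return {"auth1": authzid, "auth2": user, "auth3": password}


def decode_login(responses_b64: list) -> dict:
    """LOGIN: one base64 reply per prompt (Username:, then Password:)."""
    if len(responses_b64) != 2:
        raise ValueError("LOGIN needs a reply to each of the two prompts")
    user, password = (
        base64.b64decode(r, validate=True).decode("utf-8") for r in responses_b64
    )
    return {"auth1": user, "auth2": password}


def pam_argument(mechanism: str, auth: dict) -> str:
    """Build the user:password list for pam{...}; a literal ':' is doubled."""
    user_key, pass_key = {"PLAIN": ("auth2", "auth3"),
                          "LOGIN": ("auth1", "auth2")}[mechanism]
    return auth[user_key] + ":" + auth[pass_key].replace(":", "::")


def b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample credentials (the password is invented for this example).
SAMPLE_USER, SAMPLE_PASSWORD = "mihamina", "s3cr:et"
SAMPLE_PLAIN = b64("\x00" + SAMPLE_USER + "\x00" + SAMPLE_PASSWORD)
SAMPLE_LOGIN = [b64(SAMPLE_USER), b64(SAMPLE_PASSWORD)]

if __name__ == "__main__":
    for mech, auth in (("PLAIN", decode_plain(SAMPLE_PLAIN)),
                       ("LOGIN", decode_login(SAMPLE_LOGIN))):
        print(mech, auth, "-> pam{" + pam_argument(mech, auth) + "}")
```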
