3. Configuring TLS and Authentication

Exim4 supports TLS for verifying the authenticity of host and client, encryption of the whole SMTP transaction, and a variety of user authentication schemes. Two common scenarios are discussed here: authenticating users on the server so that they may relay from a remote network, with TLS as the transport, and authenticating to a smarthost over TLS. Many, many other possibilities exist.

3.1. Using TLS and Authentication Tokens on the Server

While not strictly necessary for authentication, I consider TLS a prerequisite for accepting authentication tokens, in this instance the classic username and password, since without it those credentials cross the network in the clear. Thus, let's configure TLS support for Exim4 first, then configure an authentication scheme.

To enable TLS, we will need an X.509 certificate and its private key. If you already have a purchased certificate, simply copy the certificate and key to /etc/exim4/exim.crt and /etc/exim4/exim.key respectively. Otherwise, let's make a self-signed pair now. The hostname in the certificate ought to match your mail host's fully qualified hostname, but need not: a mismatch only matters to a peer that refuses to continue on a certificate verification failure, which is not the default behaviour. Whichever way you obtain the key, it must stay readable only by root and the user Exim4 runs as.


# bash /usr/share/doc/exim4-base/examples/exim-gencert

Next, let Exim4 know that it should offer TLS. Define MAIN_TLS_ENABLE to a true value somewhere in /etc/exim4/exim4.conf.template; the init script runs update-exim4.conf on restart, so the generated configuration picks it up.


MAIN_TLS_ENABLE = yes

To verify TLS has been successfully configured, let's install an excellent diagnostic tool named swaks. With swaks, you can interrogate your mail server in ways you never imagined!


# apt-get install swaks libnet-ssleay-perl

It's easy to verify whether TLS is working or not.


$ swaks -a -tls -q HELO -s localhost -au jasonb -ap '<>'
=== Trying localhost:25...
=== Connected to localhost.
<-  220 evie ESMTP Exim 4.50 Tue, 02 May 2006 17:56:25 -0400
 -> EHLO evie
<-  250-evie Hello localhost [127.0.0.1]
<-  250-SIZE 52428800
<-  250-PIPELINING
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
 ~> EHLO evie
<~  250-evie Hello localhost [127.0.0.1]
<~  250-SIZE 52428800
<~  250-PIPELINING
<~  250 HELP
 ~> QUIT
<~  221 evie closing connection

Above, we connect to our Exim4 daemon locally, ask for authentication (-a), and force STARTTLS (-tls). A username and an empty password are supplied to avoid any command line prompts from swaks, and -q HELO closes the session after the EHLO that follows the TLS handshake, before any AUTH is attempted. The transcript shows that STARTTLS was advertised and the handshake succeeded; lines marked <~ and ~> were exchanged inside TLS. Note that no AUTH mechanism is advertised yet. Next, we'll add support for an authentication scheme.

With Exim4 you can use a variety of authentication schemes and token backing stores. For a few users with shell access, and thus an entry in /etc/passwd, the easiest to configure is Cyrus SASL's saslauthd. Once installed, it will use PAM to check passwords against the system accounts.


# apt-get install sasl2-bin

To allow the saslauthd daemon to run at start, we need to edit /etc/default/saslauthd and uncomment START.


# perl -i -pe 's!^#(START=yes)!$1!' /etc/default/saslauthd

The Perl command above quickly removes the leading comment, allowing START to be defined and sourced in /etc/init.d/saslauthd. Now, let's start the daemon.


# invoke-rc.d saslauthd start

With SASL's daemon running, we can uncomment the configuration stanza in /etc/exim4/exim4.conf.template listed below, which enables authentication via saslauthd using the PLAIN mechanism. Not every client supports PLAIN, so you may wish to uncomment the companion LOGIN stanza as well. The important line is server_advertise_condition: unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined, the mechanism is advertised only when $tls_cipher is non-empty, that is, only inside a TLS session, so a client is never invited to send its password in the clear. Many mail clients try the mechanisms in the order the server advertises them.


# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH
 plain_saslauthd_server:
   driver = plaintext
   public_name = PLAIN
   server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
   server_set_id = $2
   server_prompts = :
   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
   .endif

As the comment in the stanza indicates, once you've uncommented plain_saslauthd_server it's necessary to add the user that Exim4 runs as to the sasl group so it can connect to saslauthd's socket.


# adduser Debian-exim sasl
Adding user `Debian-exim' to group `sasl'...
Done.

Finally, restart Exim4.


# invoke-rc.d exim4 restart

Let's test the new server configuration again with swaks, this time actually authenticating with a valid username and password; -q AUTH closes the connection as soon as authentication has completed.


evie:/etc/exim4# swaks -a -tls -q AUTH -s localhost -au jasonb
Password: passwd
=== Trying localhost:25...
=== Connected to localhost.
<-  220 evie ESMTP Exim 4.50 Fri, 05 May 2006 18:10:18 -0400
 -> EHLO evie
<-  250-evie Hello localhost [127.0.0.1]
<-  250-SIZE 52428800
<-  250-PIPELINING
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
 ~> EHLO evie
<~  250-evie Hello localhost [127.0.0.1]
<~  250-SIZE 52428800
<~  250-PIPELINING
<~  250-AUTH PLAIN
<~  250 HELP
 ~> AUTH PLAIN AGphc28uygBOaGVxMHc=
<~  235 Authentication succeeded
 ~> QUIT
<~  221 evie closing connection

If everything has been configured correctly, as demonstrated above with swaks, AUTH PLAIN is advertised once TLS is up and is selected. The password prompted for on the command line is used to successfully authenticate with Exim4. Note that the AUTH PLAIN line carries the username and password merely base64-encoded, which is exactly why server_advertise_condition withholds the mechanism until $tls_cipher is set. Now relaying will be permitted for any user after successful authentication (Debian's default ACL accepts authenticated senders) and the exchange will take place over TLS.
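As an added example, not part of the original article or of the exim4 package, the following shell functions make the checks above repeatable without reading transcripts by eye. auth_plain_token builds the same AUTH PLAIN blob swaks sent, and auth_plain_decode recovers the credentials from it, which is the reason the mechanism must only be offered inside TLS. auth_gated_by_tls scans a swaks transcript and succeeds only if AUTH is advertised on TLS-protected server lines (swaks marks those with <~) and never on cleartext ones (<-). The two transcripts embedded in the block are constructed for the demonstration; the second is the shape a server with AUTH_SERVER_ALLOW_NOTLS_PASSWORDS defined would produce.

```shell
#!/bin/sh
# Added example: helpers for checking Exim4's SMTP AUTH / TLS gating from
# swaks transcripts. Not part of Debian's exim4 package or of the article.

# Build the AUTH PLAIN initial response: base64("\0" user "\0" password).
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Recover the credentials from an AUTH PLAIN token; the NUL separators are
# shown as '.' so the result is printable. base64 is encoding, not secrecy.
auth_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\000' '.'
}

# Read a swaks transcript on stdin and exit 0 only if every "250-AUTH" or
# "250 AUTH" advertisement is on a TLS-protected server line ("<~") and
# none is on a cleartext server line ("<-").
auth_gated_by_tls() {
    awk '
        /^<-  *250[- ]AUTH/ { clear++ }
        /^<~  *250[- ]AUTH/ { tls++ }
        END { exit !(clear == 0 && tls > 0) }
    '
}

check_transcript() {
    printf '%s\n' "$1" | auth_gated_by_tls
}

# Constructed transcript: AUTH offered only after STARTTLS (correct).
GOOD_TRANSCRIPT='<-  250-evie Hello localhost [127.0.0.1]
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
 ~> EHLO evie
<~  250-evie Hello localhost [127.0.0.1]
<~  250-AUTH PLAIN
<~  250 HELP'

# Constructed transcript: AUTH offered on the cleartext session, the shape
# you get when AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined. Must be rejected.
BAD_TRANSCRIPT='<-  250-evie Hello localhost [127.0.0.1]
<-  250-AUTH PLAIN LOGIN
<-  250-STARTTLS
<-  250 HELP'

# Demonstration on the constructed transcripts and the article's credentials.
check_transcript "$GOOD_TRANSCRIPT" && echo "good transcript: AUTH gated by TLS"
check_transcript "$BAD_TRANSCRIPT"  || echo "bad transcript: AUTH leaked into cleartext session"
echo "AUTH PLAIN token for jasonb/passwd: $(auth_plain_token jasonb passwd)"

# Live equivalent against the server built in this section (needs swaks);
# with -tls the transcript contains both the cleartext and the TLS EHLO, so
# one run checks both halves of the condition:
#   swaks -s localhost -tls -q HELO -a -au jasonb -ap '<>' | auth_gated_by_tls
```

The awk pattern keys on the prefix swaks prints rather than on the order of lines, so a server that advertises AUTH before STARTTLS is caught even if it also advertises it afterwards.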

3.2. Connecting to a smarthost over TLS with Authentication

Configuring Exim4 to authenticate itself to a smarthost using SMTP AUTH is quite easy. You merely need to populate /etc/exim4/passwd.client with a hostname, username, password triplet. The password is stored in plain text, so ensure the file is not world readable; Debian installs it owned by root:Debian-exim with mode 640, and it must stay that way.


### CONFDIR/passwd.client
#
# Format:
#targetmailserver.example:login:password
#
# default entry:
### *:bar:foo

example.com:jasonb:passwd

As indicated above, example.com is the hostname of the SMTP server we wish to authenticate with over TLS using the LOGIN, PLAIN, or CRAM-MD5 mechanism. The username and password follow, all separated by colons. The first field must match the smarthost's name as Exim sees it in $host when it connects, which may be the canonical DNS name rather than the name you configured; the commented default entry shows that it may also be a wildcard pattern.

By default on Debian GNU/Linux Sarge, Exim4 will refuse to send a LOGIN or PLAIN password if TLS has not been successfully negotiated with the smarthost. You can disable this behavior by defining AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS in /etc/exim4/exim4.conf.template, but don't do that: the password would then cross the network merely base64-encoded, effectively in the clear.
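The shell helpers below, added here as an example and not part of the exim4 package or the original article, check the two things that most often go wrong with passwd.client: the file has become readable by others, or the first field does not match the name Exim looks up. passwd_client_lookup is a simplified, hypothetical imitation of the nwildlsearch lookup the Debian template performs on $host (first matching line wins, shell-style * wildcards, no regular expressions), so you can see which credentials would be sent for a given smarthost name before mailing through it. The entries written by write_sample_passwd_client are constructed: the article's example.com line plus a wildcard line.

```shell
#!/bin/sh
# Added example: sanity checks for /etc/exim4/passwd.client. Not part of the
# exim4 package; passwd_client_lookup only approximates Exim's nwildlsearch.

# Succeed only if "others" have no permission bits on the file (the
# password is stored in clear text). Debian ships it as root:Debian-exim 0640.
passwd_client_perms_ok() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Print "user password" for the first line whose host field matches $1, the
# way a lookup of $host in the file would. Hypothetical simplification: shell
# pattern matching stands in for Exim's wildcards, and a password containing
# ':' is not supported (the template's extract{3}{:} would split it too).
passwd_client_lookup() {
    host=$1
    file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        pattern=${line%%:*}
        rest=${line#*:}
        user=${rest%%:*}
        pass=${rest#*:}
        # $pattern is deliberately unquoted so that '*' acts as a wildcard
        case $host in
            $pattern) printf '%s %s\n' "$user" "$pass"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# Write a constructed sample file: the article's entry plus a wildcard entry.
write_sample_passwd_client() {
    cat > "$1" <<'EOF'
### CONFDIR/passwd.client
# Format: targetmailserver.example:login:password
example.com:jasonb:passwd
*.example.net:relay:s3cret
EOF
    chmod 640 "$1"
}

# Demonstration on a temporary copy.
sample=$(mktemp)
write_sample_passwd_client "$sample"
passwd_client_perms_ok "$sample" && echo "permissions ok: not readable by others"
passwd_client_lookup example.com "$sample"        # jasonb passwd
passwd_client_lookup smtp.example.net "$sample"   # relay s3cret
passwd_client_lookup mail.example.org "$sample" || echo "no credentials for mail.example.org"
rm -f "$sample"
```

To learn which name to put in the first field, run exim4 -bt with an address that should go via the smarthost; the host line it prints for the smarthost router is the name the lookup will be keyed on.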

Sending a test message and watching /var/log/exim4/mainlog should show the message being delivered through the smarthost. The X= field on the delivery line records the TLS session negotiated with the smarthost; its presence confirms the password did not travel in the clear.


# echo "test" | mail -s "test" jasonb@edseek.com
# tail -f /var/log/exim4/mainlog
2006-05-05 18:45:56 1Fc93b-0003e4-QG <= root@nebula.internal.foo U=root P=local S=313
2006-05-05 18:45:57 1Fc93b-0003e4-QG => jasonb@edseek.com R=smarthost T=remote_smtp_smarthost
  H=example.com [207.36.208.156] X=TLS-1.0:RSA_AES_256_CBC_SHA:32
2006-05-05 18:45:57 1Fc93b-0003e4-QG Completed
...