Configuring Exim for SMTP AUTH using PAM
Software used
The following was written for exim4 on Debian Sarge, although the principles should apply to other Linux distributions. You must install exim4-daemon-heavy, which supports PAM, rather than exim4-daemon-light (which is installed by default). Testing was performed using Mozilla Thunderbird on an Ubuntu Dapper client.
Exim configuration
Exim can be configured from a single config file (/etc/exim4/exim4.conf.template), or a series of smaller files within a directory structure (/etc/exim4/conf.d/). Check for the following line in /etc/exim4/update-exim4.conf.conf:
dc_use_split_config='true'
If this line is present you are using the /etc/exim4/conf.d/ directory structure.
Enabling TLS
SMTP AUTH sends the username and password base64-encoded, which is an encoding rather than encryption: anyone who can see the traffic can capture and decode your password as it flies by. To prevent this you should encrypt your SMTP transaction with Transport Layer Security. Edit /etc/exim4/exim4.conf.template (or /etc/exim4/conf.d/main/03_exim4-config_tlsoptions) and find the following lines:
.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
Enable TLS by inserting a line, so that it now reads:
MAIN_TLS_ENABLE=1
.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
Configuring SMTP AUTH
If you are using multiple config files, create and edit a new file /etc/exim4/conf.d/auth/01_exim4-login. If you are using a single exim config file, open /etc/exim4/exim4.conf.template and edit the file after these lines:
######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################
begin authenticators
Insert the following lines:
login:
  driver = plaintext
  public_name = LOGIN
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
  server_prompts = "Username:: : Password::"
  server_condition = ${if pam{$1:$2}{1}{0}}
  server_set_id = $1
This enables LOGIN authentication, but only for clients that are using a connection secured with TLS.
Reloading the Exim configuration
Confirm and reload the new Exim configuration:
odie:/etc/exim4# update-exim4.conf
odie:/etc/exim4# /etc/init.d/exim4 reload
Reloading exim4 configuration files
odie:/etc/exim4#
PAM configuration
Build and install the pam_exim.so module
Download the pam_exim sources (http://www.e-admin.de/pam_exim/pam_exim.tgz), and the Linux-PAM sources (which match the version of PAM installed on your system) from http://kernel.org/pub/linux/libs/pam/pre/library/. Unpack the Linux-PAM sources, configure and make (but do not 'make install') them:
scuff@scuff:~/src$ tar xzf Linux-PAM-0.76.tar.gz
scuff@scuff:~/src$ cd Linux-PAM-0.76
scuff@scuff:~/src/Linux-PAM-0.76$ ./configure && make
Unpack the pam_exim sources into the Linux-PAM source directory:
scuff@scuff:~/src/Linux-PAM-0.76$ tar xzf ../pam_exim.tgz
Edit the file modules/pam_exim/unix_chkpwd.c and change the following lines:
#define MINUID 500
#define EXIMUID 8
#define EXIMGID 12
… to suit your system. MINUID is the UID of the first non-system user, EXIMUID and EXIMGID are the UID and GID, respectively, of the Debian-exim user. On my Debian Sarge system, this gave the following result:
#define MINUID 1000
#define EXIMUID 102
#define EXIMGID 102
If you are running a 2.6.x kernel, you must also apply the following patch to modules/pam_exim/support.c:
--- modules/pam_exim/support.c.orig 2006-08-25 17:35:45.030888296 +0100 +++ modules/pam_exim/support.c 2006-08-25 17:36:08.729285592 +0100 @@ -406,6 +406,8 @@ {{{ return PAM_AUTH_ERR; }
+ try to fix SIG_IGN POSIX problem under RH9 + signal(SIGCHLD, SIG_DFL);
/* fork */ child = fork(); if (child == 0) { @@ -454,6 +456,7 @@ retval = PAM_AUTH_ERR; }
+ signal(SIGCHLD, SIG_IGN);
D(("returning %d", retval)); return retval; }
}}}
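Review bot: in the first hunk (@@ -406,6 +406,8 @@) the added line `+ try to fix SIG_IGN POSIX problem under RH9` appears as bare text with no comment delimiters, so as shown the file will not compile; it should read `/* try to fix SIG_IGN POSIX problem under RH9 */`, and the original at http://www.e-admin.de/pam_exim/owen-patch.c is worth checking since the delimiters may have been lost when this page was extracted. The change itself, `signal(SIGCHLD, SIG_DFL);` immediately before `child = fork();`, is the right shape for the problem the comment names: with SIGCHLD set to SIG_IGN, POSIX lets the system reap the child automatically, so the parent cannot collect the checker's exit status and the password result is lost.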
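Review bot: in the second hunk (@@ -454,6 +456,7 @@) `signal(SIGCHLD, SIG_IGN);` restores a fixed disposition rather than whatever was in effect before the first hunk changed it; if the calling program had SIGCHLD at SIG_DFL or a handler of its own, this leaves it altered after the module returns. Save the value returned by the first call and put it back here, e.g. `void (*old_chld)(int) = signal(SIGCHLD, SIG_DFL);` before the fork and `signal(SIGCHLD, old_chld);` before `D(("returning %d", retval));`. It is also worth confirming that no other return path between the fork and this point exits with SIGCHLD still at SIG_DFL.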
(Patch taken from http://www.e-admin.de/pam_exim/owen-patch.c, authored by Greg Owen)
Build the pam_exim module:
scuff@scuff:~/src/Linux-PAM-0.76$ cd modules/pam_exim/
scuff@scuff:~/src/Linux-PAM-0.76/modules/pam_exim$ make
Finally, copy the binaries to their final destinations. The exim_chkpwd binary must be setuid root to work, since it reads the shadow password file on behalf of the unprivileged Exim process:
scuff@scuff:~/src/Linux-PAM-0.76/modules/pam_exim$ sudo sh
Password:
sh-3.1# chown root:root exim_chkpwd
sh-3.1# chmod u=rxs exim_chkpwd
sh-3.1# mv exim_chkpwd /sbin/
sh-3.1# chmod a-x pam_exim.so
sh-3.1# mv pam_exim.so /lib/security/
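Because exim_chkpwd runs as root on behalf of any local process, the ownership and mode set above are what keep it from becoming a local privilege-escalation path (a setuid-root binary that group or others can write is a root shell for whoever can write it). The following audit script is an added example, not code from the page or from pam_exim; it checks the two installed files against the layout the page describes (the paths /sbin/exim_chkpwd and /lib/security/pam_exim.so are taken from the commands above and assumed to be where you installed them).

```python
import os
import stat

# Installation targets named on the page (assumed Debian Sarge layout).
HELPER_PATH = "/sbin/exim_chkpwd"
MODULE_PATH = "/lib/security/pam_exim.so"


def helper_findings(mode, uid):
    """Findings for the setuid password-check helper, given st_mode and st_uid.

    An empty list means: regular file, owned by root, setuid, executable by
    its owner, and not writable by group or others (a writable setuid-root
    binary would let anyone who can write it run code as root).
    """
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if uid != 0:
        findings.append("not owned by root (uid %d)" % uid)
    if not mode & stat.S_ISUID:
        findings.append("setuid bit not set")
    if not mode & stat.S_IXUSR:
        findings.append("not executable by owner")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def module_findings(mode, uid):
    """Findings for the PAM module shared object.

    It is loaded into every process that authenticates against /etc/pam.d/exim,
    so it must be root-owned and not writable by anyone else; the page also
    clears the execute bits with chmod a-x, so a set execute bit is reported.
    """
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if uid != 0:
        findings.append("not owned by root (uid %d)" % uid)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set")
    return findings


def audit_path(path, checker):
    """lstat() a path and run one of the checkers above on it.

    A symlink is reported rather than followed, so that a link pointing at a
    different binary does not pass the audit.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    return checker(st.st_mode, st.st_uid)


def audit_install():
    """Audit both installed files; returns {path: list of findings}."""
    return {
        HELPER_PATH: audit_path(HELPER_PATH, helper_findings),
        MODULE_PATH: audit_path(MODULE_PATH, module_findings),
    }


if __name__ == "__main__":
    for path, findings in audit_install().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run it as any user after the install step; an empty findings list for both paths means the files match what the page's chown/chmod commands produce.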
Create the Exim PAM configuration
Create a file /etc/pam.d/exim which reads:
#%PAM-1.0
auth     required   pam_exim.so
account  required   pam_permit.so
Testing
Configure your mail client to send email using an authenticated TLS connection, and give it a go!
Notes
Make sure your users have strong passwords, otherwise you'll turn your server into an open relay for whoever guesses one.
You can change the "server_prompts" setting so it says something different (e.g. server_prompts = "Your username:: : Your password::") but this will break programs such as Outlook Express as these expect the base64 result of the words "Username:" and "Password:".
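To make the authenticator section above and this note concrete, the following simulation is an added example (not code from the page or from Exim) of what the login authenticator does on the wire: it splits server_prompts the way Exim reads a colon-separated list (with "::" as an escaped colon), base64-encodes each prompt as a 334 challenge, refuses to offer LOGIN until $tls_cipher is set (mirroring the server_advertise_condition), and shows the "$1:$2" string that ${if pam{$1:$2}} receives. The $tls_cipher value, the username and the password are constructed sample values.

```python
import base64

# server_prompts value from the authenticator on this page. Exim reads it as a
# colon-separated list in which "::" stands for a literal colon.
PAGE_PROMPTS = "Username:: : Password::"

# Challenges that clients with a hard-coded LOGIN dialogue (the page names
# Outlook Express) expect: base64 of "Username:" and "Password:".
STRICT_CLIENT_CHALLENGES = ("VXNlcm5hbWU6", "UGFzc3dvcmQ6")

# Constructed $tls_cipher value, in the form Exim reports for a TLS session.
SAMPLE_TLS_CIPHER = "TLSv1:AES256-SHA:256"


def parse_server_prompts(value):
    """Split an Exim colon-separated list into items, honouring "::" escapes
    and stripping the whitespace Exim ignores around each item."""
    items, current, i = [], [], 0
    while i < len(value):
        if value[i] == ":":
            if value[i + 1:i + 2] == ":":
                current.append(":")
                i += 2
                continue
            items.append("".join(current).strip())
            current = []
        else:
            current.append(value[i])
        i += 1
    items.append("".join(current).strip())
    return items


def advertise_login(tls_cipher):
    """Mirror server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}:
    LOGIN is offered only once STARTTLS has negotiated a cipher."""
    return "no" if tls_cipher == "" else "yes"


def login_challenges(prompts_value):
    """The 334 challenges the server sends, one per prompt, base64-encoded."""
    return [base64.b64encode(p.encode()).decode()
            for p in parse_server_prompts(prompts_value)]


def compatible_with_strict_clients(prompts_value):
    """True when the challenges match what hard-coded LOGIN clients expect."""
    return tuple(login_challenges(prompts_value)) == STRICT_CLIENT_CHALLENGES


def simulate_login(prompts_value, username, password, tls_cipher):
    """Run the AUTH LOGIN dialogue as the authenticator sees it.

    Returns None when LOGIN is not advertised (no TLS), otherwise a dict with
    the wire transcript and the string handed to ${if pam{$1:$2}}.
    """
    if advertise_login(tls_cipher) == "no":
        return None
    transcript = ["S: 250-AUTH LOGIN", "C: AUTH LOGIN"]
    answers = []
    for challenge, answer in zip(login_challenges(prompts_value),
                                 (username, password)):
        transcript.append("S: 334 " + challenge)
        wire = base64.b64encode(answer.encode()).decode()
        transcript.append("C: " + wire)
        answers.append(base64.b64decode(wire).decode())  # becomes $1, then $2
    return {"transcript": transcript, "pam_arg": ":".join(answers)}


if __name__ == "__main__":
    print("without TLS:", simulate_login(PAGE_PROMPTS, "alice", "s3cret", ""))
    result = simulate_login(PAGE_PROMPTS, "alice", "s3cret", SAMPLE_TLS_CIPHER)
    print("\n".join(result["transcript"]))
    print("pam sees:", result["pam_arg"])
    for prompts in (PAGE_PROMPTS, "Your username:: : Your password::"):
        print(repr(prompts), "strict clients OK:",
              compatible_with_strict_clients(prompts))
```

The transcript also makes the TLS point visible: the client's base64 replies decode straight back to the username and password, which is why LOGIN is only advertised once a cipher is in place. The argument to pam{} is a single colon-joined string, so if your users' passwords may contain colons, check how the pam condition in your Exim version treats them before relying on it.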