Here are some solutions to the exim/auth/pam problem. Mark Roach pegged it -- PAM wasn't working because we were (I was) trying to use "pam_unix.so" but didn't have permission to read /etc/shadow.
Here are some solutions to the problem:

1) Make /etc/shadow readable by the 'mail' user.
   pros:  unifies shell/smtp passwords with no extra maintenance
   cons:  it widens the access to /etc/shadow
   notes: the same effect can be achieved by storing passwords in
          /etc/passwd, but that has even wider permissions.

2) Create a separate passwd file for exim. Use 'libpam-pwdfile' and
   Vineet Kumar's PAM config:

   ~~~~
   auth    required pam_pwdfile.so pwdfile /etc/exim/auth.passwd
   account required pam_permit.so
   ~~~~

   pros:  doesn't widen permissions on /etc/shadow; allows SMTP to use
          different passwords from the shell, or to have SMTP users
          without shell access
   cons:  requires separate maintenance
   notes: this file could just be a copy of /etc/shadow (but then why
          not use solution 1?). It could also be created from
          /etc/shadow with the shell/awk script below (that removes
          some users such as root).

3) Use a different PAM module, such as pam_ldap.so.
   pros:  doesn't require any extra files or perms on /etc/shadow; no
          extra scripts to maintain; this can provide matching SMTP
          passwords for shell users (if you use pam_ldap for regular
          logins); the exim config is identical to solution 1 and
          solution 2
   cons:  requires LDAP

4) Use a different authenticator in exim. See the appendix for examples
   using LDAP and a passwd file without going through PAM.
   pros:  doesn't require PAM (I suppose that is a pro for someone);
          easy enough to test without setting up PAM correctly ;-)
   cons:  requires additional maintenance -- for example if you use
          LDAP for normal logins and for SMTP AUTH, and if you move the
          LDAP server (or something) you'll have 2 places to update
          configs.

For the system at work I'll be using solution 3 with pam_ldap.so because we're moving all logins to using LDAP instead of a combination of NIS and Windows NT (and currently not handling SMTP AUTH at all). For my personal system, AUTH isn't necessary now, but I'll probably use solution 3 (or possibly solution 4) if/when I need it.
Appendix:

Solution 2: script to copy /etc/shadow without extra information.

~~~~
#!/bin/sh
awk -F: '
/^(sash)?root:/ { next }
/^[^:]*:.[^:]/  { print $1 ":" $2 }
' /etc/shadow > /etc/exim/auth.passwd.tmp
mv /etc/exim/auth.passwd.tmp /etc/exim/auth.passwd
chown mail:mail /etc/exim/auth.passwd
chmod 0400 /etc/exim/auth.passwd
~~~~

Solution 4: Use LDAP without PAM:

~~~~
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if ldapauth \
    {user="uid=${quote_ldap:$2},ou=People,o=Example" \
     pass="$3" \
     ldap://ldap.fqdn.example/} \
    {yes} {no} }
  # value for $authenticated_id (alternative: uid=$2,ou=People,o=Example)
  server_set_id = $2
~~~~

Use a passwd file without PAM:

~~~~
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{/etc/exim/auth.passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $2
~~~~

Sample script to convert /etc/shadow to the file used in the above authenticator. This script handles both crypt and md5 passwords and removes root, sashroot, and users without a proper password (eg only 1 character in the passwd field).

~~~~
#!/bin/sh
awk -F: '
/^(sash)?root:/ { next }
/^[^:]*:.[^:]/  {
    if ( length($2) > 10 ) { print $1 ":{md5}" $2 }
    else                   { print $1 ":" $2 }
}
' /etc/shadow > /etc/exim/auth.passwd.tmp
mv /etc/exim/auth.passwd.tmp /etc/exim/auth.passwd
chown mail:mail /etc/exim/auth.passwd
chmod 0400 /etc/exim/auth.passwd
~~~~

Here is an ACL (requires exim 4, from the spec) to only allow AUTH over an encrypted channel or using the CRAM-MD5 method. However, CRAM-MD5 requires the passwords to be available to exim in unencrypted form. See spec.txt for info on creating a cram-md5 authenticator.
~~~~
# in the global section
acl_smtp_auth = acl_check_auth

# in the acl section
acl_check_auth:
  accept encrypted = *
  accept condition = ${if eq { ${uc:$smtp_command_argument} } \
                            {CRAM-MD5} {yes}{no} }
  deny   message = TLS encryption or CRAM-MD5 required for AUTH
~~~~

-D

--
In my Father's house are many rooms; if it were not so, I would have told you. I am going there to prepare a place for you. And if I go and prepare a place for you, I will come and take you to be with me that you also may be where I am.
        John 14:2-3
http://dman.ddts.net/~dman/
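A check for the generated /etc/exim/auth.passwd from solutions 2 and 4, added here as an example and not part of the original post: it confirms the file is 0400 and owned by the mail user, that root/sashroot were dropped, and that no locked or empty password fields slipped through. The function name and the optional owner argument are my own; the file format (user:hash per line) is the one the scripts above produce.

```shell
#!/bin/sh
# Added example: sanity-check an exim auth.passwd file before exim reads it.
# Usage: check_auth_passwd FILE [OWNER]   (OWNER defaults to 'mail')

check_auth_passwd() {
    file=$1
    owner=${2:-mail}
    rc=0

    # Mode must be exactly 0400 and the owner the mail user: the file
    # holds password hashes, so it must not be any wider than /etc/shadow.
    if [ -z "$(find "$file" -prune -perm 0400 -user "$owner" 2>/dev/null)" ]; then
        echo "$file: must be mode 0400 and owned by $owner" >&2
        rc=1
    fi

    # root and sashroot must not be offered for SMTP AUTH at all.
    if grep -Eq '^(sash)?root:' "$file"; then
        echo "$file: contains a root/sashroot entry" >&2
        rc=1
    fi

    # Each line must be exactly user:hash with a real hash: reject empty,
    # one-character, and locked ('*' or '!') password fields.
    if awk -F: 'NF != 2 || length($2) < 2 || $2 ~ /^[!*]/ { found = 1 }
                END { exit found ? 0 : 1 }' "$file"; then
        echo "$file: has an empty, locked, or malformed password field" >&2
        rc=1
    fi

    return $rc
}

# Run directly: check the file named on the command line.
if [ $# -gt 0 ]; then
    check_auth_passwd "$@"
fi
```

Run it from the same cron job or hook that regenerates the file, so a bad copy never replaces a good one.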