Hi all. I've had a REALLY troublesome time setting up smtp auth. I have cyrus imap, with saslauthd, on the same host as exim. All appeared to be working individually -- but the problem was trying to get them to work together.
The problem was with the authenticator (and me not knowing what I was doing).

> cat exim.conf
begin authenticators

sasl_plain:
  driver = plaintext
  public_name = PLAIN
  server_set_id = $auth1
  server_condition = ${if saslauthd{{${local_part:$auth1}}{$auth2}{}{${domain:$auth1}}}{1}{0}}
  #server_mech = SASLDB

Some of you will, no doubt, immediately spot the error. It has taken me days to sort it!

Questions:

- I tried both driver = cyrus_sasl and driver=plaintext. I am unsure of the specific differences, pros and cons of each. Can anyone explain?

- My exim.conf file includes the acl below. Whilst I get the log line, I am not getting the variable values. Is what I am attempting possible? If so, what variables can I log? Having this function working would have revealed my problem from the start! :-)

> cat acl.conf
acl_auth:
  warn log_message = X-Log: ACL_AUTH -- $auth1 ${local_part:$auth1} {$auth2} {} {${domain:$auth1}}

Whilst NOT the solution, I finally discovered the problem by turning my server into an open relay, using the line (note: no quotes!) - saslauthd takes 4 parameters: {<user>}{<password>}{<service>}{<realm>}

  server_condition = ${if saslauthd{ {whitepj} {password} {} {} } {1} {0} }

Many thanks.

---
All that follows is part of my installation test process. I've left it in because I find that while the search engines often produce results that help configurations in part, many times the posts don't actually explain how to help identify the problem if something doesn't work as expected.
---

saslauthd working (the first is my basic test, the second is my desired goal -- hence the server_condition within the exim authenticator):

> saslauthd -a sasldb -V -n 0
> testsaslauthd -u whitepj -p password
0: OK "Success."
> testsaslauthd -u whitepj -r mydomain.co.uk -p password
0: OK "Success."

> tail /var/log/auth.log
Apr 16 11:42:07 server saslauthd[470]: : forked child: 9621
Apr 16 11:42:07 server saslauthd[9621]: : auth success: [user=whitepj] [service=imap] [realm=] [mech=sasldb]
Apr 16 11:42:07 server saslauthd[9621]: : response: OK
Apr 16 11:42:07 server saslauthd[9621]: : child exited: 9621
Apr 16 11:42:07 server saslauthd[470]: : child exited: 9621

exim router and transport working (port 25 test here for simplicity, but also works on 465 and 587)

> swaks --server 192.168.123.254:25 --to whit...@mydomain.co.uk
250 OK id=1u50il-000000002KZ-3x1b

cyrus imap login working. I can login via IMAP client and read messages.

However, I cannot send messages via smtp when using AUTH:

> swaks --server 192.168.123.254:465 --tls-on-connect --to whit...@mydomain.co.uk \
>   --auth-user whitepj --auth-password password --auth PLAIN
535 Incorrect authentication data
No authentication type succeeded

> tail /var/log/exim_reject.log
2025-04-16 11:31:58.804 [9100] sasl_plain authenticator (PLAIN): Cyrus SASL permanent failure: generic failure
2025-04-16 11:31:58.805 [9100] sasl_plain authenticator failed for (server) [192.168.123.253]:36386 I=[192.168.123.254]:465 Ci=9100: 535 Incorrect authentication data (set_id=whitepj)

Because I'm testing exim with the -d flag set, I get this information:

9100 SMTP<< AUTH PLAIN AHdoaXRlcGoAQmlhbmNvMms=
9100 using ACL "acl_auth"
9100 processing "warn" (/etc/exim/ACL/acl_smtp_auth 15)
9100 l_message: X-Log: ACL - Running acl_auth.
9100 warn: condition test succeeded in ACL "acl_auth"
9100 LOG: MAIN
9100 H=(server) [192.168.123.253]:36386 I=[192.168.123.254]:465 Ci=9100 Warning: X-Log: ACL - Running acl_auth.
9100 processing "accept" (/etc/exim/ACL/acl_smtp_auth 20)
9100 check hosts = 192.168.123.0/16
9100 host in "192.168.123.0/16"?
9100 list element: 192.168.123.0/16
9100 host in "192.168.123.0/16"? yes (matched "192.168.123.0/16")
9100 accept: condition test succeeded in ACL "acl_auth"
9100 end of ACL "acl_auth": ACCEPT
9100 Initialised Cyrus SASL server connection; service="smtp" fqdn="domain.co.uk" realm="NULL"
9100 Cyrus SASL set EXTERNAL SSF to 256
9100 Cyrus SASL set local hostport to: 192.168.123.254;465
9100 Cyrus SASL set peer hostport to: 192.168.123.253;36386
9100 Calling sasl_server_start(PLAIN,"AHdoaXRlcGoAQmlhbmNvMms=")
9100 Cyrus SASL permanent failure -1 (generic failure)
9100 LOG: REJECT
9100 sasl_plain authenticator (PLAIN): Cyrus SASL permanent failure: generic failure
9100 SMTP>> 535 Incorrect authentication data

Nothing is written to /var/log/auth.log on this attempt. I do NOT get an 'auth failure' message.

My exim.conf file is split into multiple (separate) sections -- "chained" together with .include directives -- so the following snippets are all part of the exim configuration. The X-Log entries are useful when I want to see values of any exim variables.

Suggestions welcome!

> cat acl.conf
acl_auth:
  warn log_message = X-Log: ACL_AUTH.
  accept

acl_mailauth:
  warn log_message = X-Log: ACL_MAILAUTH.
  accept
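
An added example, not part of the original post: it decodes a SASL PLAIN response the way Exim's plaintext driver splits it into $auth1, $auth2 and $auth3, then shows which values a server_condition would hand to saslauthd depending on the variables it reads. The function names and the sample credentials are constructed for illustration, and split_address is a simplified stand-in for Exim's ${local_part:} and ${domain:} operators.

```python
import base64


def parse_auth_plain(b64_response):
    """Decode a SASL PLAIN response (RFC 4616): [authzid] NUL authcid NUL passwd."""
    raw = base64.b64decode(b64_response, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN response needs exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    # Exim's plaintext driver numbers the NUL-separated strings in order.
    return {"auth1": authzid, "auth2": authcid, "auth3": passwd}


def split_address(addr):
    """Simplified stand-in for Exim's ${local_part:...} and ${domain:...}."""
    local, _, domain = addr.partition("@")
    return local, domain


def saslauthd_args(auth_vars, user_var, pass_var, service=""):
    """Build the {user}{password}{service}{realm} arguments a condition passes."""
    local, domain = split_address(auth_vars[user_var])
    return (local, auth_vars[pass_var], service, domain)


# Constructed sample: empty authzid, login alice@example.org, password s3cret.
SAMPLE = base64.b64encode(b"\x00alice@example.org\x00s3cret").decode("ascii")

if __name__ == "__main__":
    v = parse_auth_plain(SAMPLE)
    for name in ("auth1", "auth2"):
        print(f"${name} = {v[name]!r}")
    print("$auth3 = <password, %d chars>" % len(v["auth3"]))
    # Reading user from $auth1 and password from $auth2, as in the posted authenticator:
    print("via $auth1/$auth2:", saslauthd_args(v, "auth1", "auth2"))
    # Reading user from $auth2 and password from $auth3:
    user, _, service, realm = saslauthd_args(v, "auth2", "auth3")
    print("via $auth2/$auth3:", (user, "<redacted>", service, realm))
```

The same mapping applies to anything else that expands these variables: for PLAIN, $auth3 is the cleartext password, so it should stay out of log_message lines.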