
exim, auth, pam, solutions



Here are some solutions to the exim/auth/pam problem.

Mark Roach pegged it -- PAM wasn't working because we were (I was)
trying to use "pam_unix.so" but didn't have permission to read
/etc/shadow.

Here are some solutions to the problem :

1)  Make /etc/shadow readable by the 'mail' user.
    pros:   unifies shell/smtp passwords with no extra maintenance
    cons:   it widens the access to /etc/shadow

    notes:  the same effect can be achieved by storing passwords in
                /etc/passwd, but that has even wider permissions.

2)  Create a separate passwd file for exim.  Use 'libpam-pwdfile' and
    Vineet Kumar's PAM config :
        auth       required     pam_pwdfile.so pwdfile /etc/exim/auth.passwd
        account    required     pam_permit.so
    pros:   doesn't widen permissions on /etc/shadow
            allows SMTP to use different passwords from the shell, or
                to have SMTP users without shell access
    cons:   requires separate maintenance

    notes:  this file could just be a copy of /etc/shadow (but then
                why not use solution1?).  It could also be created
                from /etc/shadow with the shell/awk script below (that
                removes some users such as root).

3)  Use a different PAM module, such as pam_ldap.so.

    pros:   doesn't require any extra files or perms on /etc/shadow
            no extra scripts to maintain
            this can provide matching SMTP passwords for shell users
                (if you use pam_ldap for regular logins)
            the exim config is identical to solution1 and solution2
    cons:   requires LDAP

4)  Use a different authenticator in exim.  See the appendix for
    examples using LDAP and a passwd file without going through PAM.

    pros:   doesn't require PAM (I suppose that is a pro for someone)
            easy enough to test without setting up PAM correctly ;-)
    cons:   requires additional maintenance -- for example if you use
                LDAP for normal logins and for SMTP AUTH, and if you
                move the LDAP server (or something) you'll have 2
                places to update configs.



For the system at work I'll be using solution3 with pam_ldap.so
because we're moving all logins to using LDAP instead of a combination
of NIS and Windows NT.  (and currently not handling SMTP AUTH at all)

For my personal system, AUTH isn't necessary now, but I'll probably
use solution3 (or possibly solution4) if/when I need it.



Appendix :


Solution2 :  script to copy /etc/shadow without extra information.
    
    ~~~~
    #!/bin/sh
    # Build /etc/exim/auth.passwd from /etc/shadow, dropping root and
    # sashroot and any account that has no real password hash.

    # The output holds password hashes: make sure the temporary file is
    # never created group/world-readable, whatever root's umask is.
    umask 077

    awk -F: '
    /^(sash)?root:/ { next }
    /^[^:]*:[!*]/   { next }                # locked or disabled account
    /^[^:]*:.[^:]/  { print $1 ":" $2 }     # user:hash (hash field 2+ chars)
    ' /etc/shadow > /etc/exim/auth.passwd.tmp

    mv /etc/exim/auth.passwd.tmp /etc/exim/auth.passwd
    chown mail:mail /etc/exim/auth.passwd
    chmod 0400 /etc/exim/auth.passwd
    ~~~~


Solution4 :

    Use LDAP without PAM :

        ~~~~
        plain:
            driver = plaintext
            public_name = PLAIN

            # Bind to the directory as the user's own DN with the password
            # the client sent; ldapauth is true only if that bind succeeds.
            # ${quote_ldap:} protects the DN and ${quote:} the password, so
            # spaces or quotes in either cannot break the ldapauth string.
            server_condition = ${if ldapauth \
                                {user="uid=${quote_ldap:$2},ou=People,o=Example" \
                                pass=${quote:$3} \
                                ldap://ldap.fqdn.example/} \
                                {yes} {no} }

            # value for $authenticated_id
            server_set_id = $2
        ~~~~



    Use a passwd file without PAM :

            ~~~~
            plain:
                driver = plaintext
                public_name = PLAIN
                # Look the user up in auth.passwd (user:hash).  An unknown user
                # gets the default "*:*", whose first field "*" is not a valid
                # crypt hash and so never matches; crypteq then compares the
                # client's password ($3) against the stored hash.
                server_condition = ${if crypteq{$3}\
                    {${extract{1}{:}{${lookup{$2}lsearch{/etc/exim/auth.passwd}{$value}{*:*}}}}}\
                    {1}{0}}
                server_set_id = $2
            ~~~~

            Sample script to convert /etc/shadow to the file used in
            the above authenticator.  This script handles both crypt
            and md5 passwords and removes root, sashroot, and users
            without a proper password (eg only 1 character in passwd
            field).

            ~~~~
            #!/bin/sh
            # Like the solution2 script, but marks MD5-crypt hashes ($1$...)
            # with a {md5} prefix and leaves traditional DES crypt hashes as-is.

            umask 077   # hashes go in the temp file; never create it world-readable

            awk -F: '
            /^(sash)?root:/ { next }
            /^[^:]*:[!*]/   { next }        # locked or disabled account
            /^[^:]*:.[^:]/ {
                # MD5-crypt hashes start with $1$.  A length test cannot tell
                # them apart from DES hashes, which are already 13 characters.
                if ( $2 ~ /^\$1\$/ )
                    { print $1 ":{md5}" $2 }
                else { print $1 ":" $2 }
            }
            ' /etc/shadow > /etc/exim/auth.passwd.tmp

            mv /etc/exim/auth.passwd.tmp /etc/exim/auth.passwd
            chown mail:mail /etc/exim/auth.passwd
            chmod 0400 /etc/exim/auth.passwd
            ~~~~
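            As an added check that is not part of the original post, a small
            Python audit of the auth.passwd file produced by either script above
            (solution2 or solution4): it flags group/other-readable modes,
            root/sashroot entries, locked or malformed hashes, and duplicate
            users, since lsearch only ever returns the first match.  The sample
            file, the names and the hash strings are constructed here.

```python
# Audit an Exim auth.passwd file (user:hash per line) as built by the scripts above.
import os
import re
import stat
import tempfile

BLOCKED_USERS = {"root", "sashroot"}  # must never get SMTP AUTH (mirrors the awk filters)
# crypt(3) hashes: 13-char DES or $id$salt$hash (e.g. $1$ MD5-crypt), with the
# optional {md5} prefix the second script emits.
HASH_RE = re.compile(r"^(\{md5\})?(?:[./0-9A-Za-z]{13}|\$[0-9a-z]+\$[^:]+)$")
# Constructed sample (not a real shadow extract): good DES and MD5-crypt entries,
# a root entry, a locked account, and a duplicate user.
SAMPLE = ("carol:abJnggxhB/yWI\n" "alice:$1$abcdefgh$0123456789abcdefghijkl\n"
          "root:$1$abcdefgh$0123456789abcdefghijkl\n" "bob:*\n"
          "alice:{md5}$1$abcdefgh$0123456789abcdefghijkl\n")


def write_sample(mode):
    """Write SAMPLE to a fresh temp file with the given mode; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "auth.passwd")
    with open(path, "w") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    return path


def audit_auth_passwd(path):
    """Return (line_no, problem) tuples; line 0 is the file itself, [] means clean."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # the file holds hashes: group/other access is a disclosure
        findings.append((0, "mode %o grants group/other access" % mode))
    seen = set()
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            fields = line.rstrip("\n").split(":")
            if len(fields) != 2 or not fields[0]:
                findings.append((n, "expected exactly user:hash"))
                continue
            user, pw = fields
            if user in BLOCKED_USERS:
                findings.append((n, "%s must not have SMTP AUTH" % user))
            if user in seen:  # lsearch returns the first match; later lines are dead
                findings.append((n, "duplicate entry for %s" % user))
            seen.add(user)
            if len(pw) < 2 or pw[0] in "!*":
                findings.append((n, "%s is locked or has no password" % user))
            elif not HASH_RE.match(pw):
                findings.append((n, "%s has an unrecognised hash" % user))
    return findings
```

            Run it against the real /etc/exim/auth.passwd after the conversion
            script; an empty result means the file is safe to hand to exim.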


Here is an ACL (requires exim 4, from the spec) to only allow AUTH
over an encrypted channel or using the CRAM-MD5 method.  However,
CRAM-MD5 requires the passwords to be available to exim in unencrypted
form.  See spec.txt for info on creating a cram-md5 authenticator.


~~~~
# in the global section
acl_smtp_auth = acl_check_auth

# in the acl section
acl_check_auth:
    # session is already inside TLS: credentials will not cross the wire in clear
    accept encrypted = *
    # CRAM-MD5 never sends the password itself, so allow it on a plain session
    accept condition = ${if eq { ${uc:$smtp_command_argument} } \
                               {CRAM-MD5}  {yes}{no} }
    # anything else (PLAIN, LOGIN over cleartext) is refused
    deny   message   = TLS encryption or CRAM-MD5 required for AUTH
~~~~


-D

-- 

In my Father's house are many rooms; if it were not so, I would have
told you.  I am going there to prepare a place for you.  And if I go and
prepare a place for you, I will come and take you to be with me that you
also may be where I am.
        John 14:2-3 
 
http://dman.ddts.net/~dman/
