Re: exim tls/authentification/relaying
On Mon, 29 Jul 2002 17:58:12 -0400
"christophe barbé" <christophe.barbe.ml@online.fr> wrote:
> My first idea was authentication. It works but to be safe it clearly
> needs to be done on a TLS session.
>
> So I need to configure my exim to support TLS. My understanding is
> that if I do both server and client certificate verification, then I
> don't even need authentication.
> Unfortunately I am unsuccessful at configuring TLS.
>
> Has someone an exim.conf example for me?
>
I have exim set up to authenticate only over a secure channel; I don't
know about certificate verification though, it's just plaintext password
authentication (using TLS of course). The relevant parts of my exim.conf
are the following:
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
<snip>
# Hosts that are allowed to relay as long as they authenticate over a
# secure channel.
host_auth_accept_relay = *
auth_over_tls_hosts = *
tls_advertise_hosts = *
#auth_always_advertise = false
# TLS support
tls_certificate = /etc/exim/org.crt
tls_privatekey = /etc/exim/org.key
<snip>
######################################################################
# AUTH CONFIGURATION #
######################################################################
# We need to specify different methods for different mailreaders.
# First PLAIN, used by Netscape Messenger.
# Client sends AUTH PLAIN base64{<authzid>\0<username>\0<passwd>}
# The plaintext driver exposes the NUL-separated fields as $1, $2, $3;
# $1 (the authorization id) is usually empty, so $2 and $3 are checked.
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if pam{$2:$3}{1}{0}}"
  server_set_id = $2
# Client sends AUTH LOGIN, then expects server to prompt for username
# and passwd; the two answers become $1 and $2.
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if pam{$1:$2}{1}{0}}"
  server_set_id = $1
As you see I use PAM; in my /etc/pam.d/exim:
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session required pam_unix.so
password sufficient pam_ldap.so
password required pam_unix.so obscure min=4 max=8 use_first_pass
which uses LDAP for authentication.
I assume you know about certificates... you need these of course for TLS.
grts Tim
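As an added worked example (not part of Tim's message and not Exim's own code), the script below decodes the two SASL exchanges the config comments describe, AUTH PLAIN and AUTH LOGIN, into the $1/$2/$3 fields Exim's plaintext driver hands to the pam{} condition, and checks a pair of EHLO transcripts for the behaviour auth_over_tls_hosts = * is meant to give: no AUTH capability before STARTTLS, AUTH advertised after it. The EHLO transcripts and credentials are constructed sample data, not captured from a real server; the colon doubling in pam_items() follows Exim's general list rule that a literal colon inside a colon-separated list item is written as "::".

```python
"""Decode SMTP AUTH PLAIN / AUTH LOGIN payloads the way Exim's plaintext
authenticator numbers them ($1, $2, $3) and check that AUTH is only offered
after STARTTLS.  Added example for this thread; sample data is constructed."""
import base64


def encode_auth_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Client side: AUTH PLAIN sends base64(authzid NUL authcid NUL password)."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64: str) -> dict:
    """Server side: split the NUL-separated fields into $1, $2, $3.
    The config uses pam{$2:$3} and server_set_id = $2 because $2 is the
    authentication id (the user name) and $3 the password; $1 is the
    authorization id, normally empty."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN payload must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return {"$1": authzid, "$2": authcid, "$3": passwd}


def decode_auth_login(responses) -> dict:
    """AUTH LOGIN: the server prompts "Username:" then "Password:" and the
    client answers each prompt with one base64 line.  In the login
    authenticator those answers become $1 and $2, hence pam{$1:$2}."""
    if len(responses) != 2:
        raise ValueError("AUTH LOGIN expects exactly two client responses")
    user, passwd = (base64.b64decode(r, validate=True).decode("utf-8") for r in responses)
    return {"$1": user, "$2": passwd}


def pam_items(user: str, passwd: str) -> str:
    """Build the colon-separated item list for Exim's pam{} condition.
    A colon is the list separator, so a literal colon in the user name or
    password must be doubled ("::") or PAM would receive a split password."""
    return ":".join(s.replace(":", "::") for s in (user, passwd))


def auth_advertised(ehlo_lines) -> bool:
    """True if any "250-" / "250 " capability line in an EHLO reply is AUTH."""
    return any(line[4:].upper().startswith("AUTH") for line in ehlo_lines)


def tls_gate_ok(before_starttls, after_starttls) -> bool:
    """The property auth_over_tls_hosts = * should give: AUTH is hidden on
    the plaintext EHLO and offered only on the EHLO issued after STARTTLS."""
    return (not auth_advertised(before_starttls)) and auth_advertised(after_starttls)


# Constructed EHLO replies (what an openssl s_client session would show).
EHLO_BEFORE_STARTTLS = [
    "250-mail.example.org Hello client [192.0.2.10]",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 HELP",
]
EHLO_AFTER_STARTTLS = [
    "250-mail.example.org Hello client [192.0.2.10]",
    "250-SIZE 52428800",
    "250-AUTH PLAIN LOGIN",
    "250 HELP",
]

if __name__ == "__main__":
    print(decode_auth_plain(encode_auth_plain("", "alice", "s3cret")))
    print(decode_auth_login(["YWxpY2U=", "czNjcmV0"]))
    print(pam_items("alice", "pa:ss"))
    print("AUTH gated behind TLS:", tls_gate_ok(EHLO_BEFORE_STARTTLS, EHLO_AFTER_STARTTLS))
```

To verify a live server the same way, issue EHLO once on a plain connection and once after STARTTLS (for example with openssl s_client -starttls smtp) and compare the two capability lists; if AUTH shows up in the first one, credentials can be sent in the clear and the auth_over_tls_hosts setting is not doing its job.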