exim4でsmtpauth
http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
を参考にするとうまくいった。
/etc/exim4/exim4.conf.templateを編集する。
(2008/11/3注)
その後、実はちゃんと動いていないことが判明。TLSも含めて動くようにしました。
- exim4.conf の先頭にの方に、AUTHDAEMON_SOCKETとacl_smtp_authが無いといけない。
- /etc/exim4/conf.d/main/00_localmacrosという名前で、以下の内容を加える。
- TLS/SSLconfigureationのすぐ下に、「MAIN_TLS_ENABLE = true」を加える。
MAIN_TLS_ENABLE = true AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe AUTH_PLAINTEXT = true
------------
*** exim4.conf.template.orig 2006-07-29 12:17:17.911222000 +0900
--- exim4.conf.template.2 2006-07-29 18:44:57.911222000 +0900
***************
*** 1,6 ****
--- 1,8 ----
#####################################################
### main/01_exim4-config_listmacrosdefs
#####################################################
+ #for SMTP_AUTH in MD5
+ AUTHDAEMON_SOCKET=/var/run/courier/authdaemon/socket
+ acl_smtp_auth = acl_check_auth
######################################################################
# Runtime configuration file for Exim 4 (Debian Packaging) #
*************** CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] :
*************** begin acl
*** 400,405 ****
--- 401,409 ----
### acl/20_exim4-config_whitelist_local_deny
#################################
+ # For SMTP_AUTH MD5
+ acl_check_auth:
+ accept set acl_c0 = <$pid.$tod_epoch@$primary_hostname>
# This is used to determine whitelisted senders and hosts.
# It checks for CONFDIR/local_host_whitelist and
*************** begin authenticators
*** 1493,1524 ****
# advertise on unencrypted connections by default. You can set
# AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to advertise unencrypted clear text
# password based authenticators on all connections.
!
! plain_server:
! driver = plaintext
! public_name = PLAIN
! server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passw
d}{$value}{*:*}}}}}{1}{0}}"
! server_set_id = $2
! server_prompts = :
! .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
! server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
! .endif
!
! login_server:
! driver = plaintext
! public_name = LOGIN
! server_prompts = "Username:: : Password::"
! server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/passw
d}{$value}{*:*}}}}}{1}{0}}"
! server_set_id = $1
! .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
! server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
! .endif
!
! cram_md5_server:
! driver = cram_md5
! public_name = CRAM-MD5
! server_secret = ${extract{2}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}fail}}}
! server_set_id = $1
# Here is an example of CRAM-MD5 authentication against PostgreSQL:
#
--- 1499,1530 ----
# advertise on unencrypted connections by default. You can set
# AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to advertise unencrypted clear text
# password based authenticators on all connections.
! #
! #plain_server:
! # driver = plaintext
! # public_name = PLAIN
! # server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/pass
wd}{$value}{*:*}}}}}{1}{0}}"
! # server_set_id = $2
! # server_prompts = :
! # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
! # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
! # .endif
!
! #login_server:
! # driver = plaintext
! # public_name = LOGIN
! # server_prompts = "Username:: : Password::"
! # server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/pass
wd}{$value}{*:*}}}}}{1}{0}}"
! # server_set_id = $1
! # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
! # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
! # .endif
! #
! #cram_md5_server:
! # driver = cram_md5
! # public_name = CRAM-MD5
! # server_secret = ${extract{2}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}fail}}}
! # server_set_id = $1
# Here is an example of CRAM-MD5 authentication against PostgreSQL:
#
*************** cram_md5_server:
*** 1664,1701 ****
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
# clear text password authentication on all connections.
! cram_md5:
! driver = cram_md5
! public_name = CRAM-MD5
! client_name = ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fa
il}}}
! client_secret = ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}
fail}}}
plain:
driver = plaintext
public_name = PLAIN
! .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
! client_send = "${if !eq{$tls_cipher}{}{\
! ^${extract{1}{::}\
! {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
! ^${extract{2}{::}\
! {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
! }fail}"
! .else
! client_send = "^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value
}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
! .endif
! login:
driver = plaintext
! public_name = LOGIN
! .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
! client_send = "${if !eq{$tls_cipher}{}{}fail}\
! : ${extract{1}{::}\
! {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \
! : ${extract{2}{::}\
! {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
! .else
! client_send = ": ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$valu
e}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
"
! .endif
#####################################################
### end auth/30_exim4-config_examples
#####################################################
--- 1670,1708 ----
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
# clear text password authentication on all connections.
! # LOGIN authenticator
+ login:
+ driver = plaintext
+ public_name = LOGIN
+ server_prompts = Username:: : Password::
+ server_condition = ${extract {address} {${readsocket{AUTHDAEMON_SOCKET} \
+ {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n} }} {yes} fail}
+ server_set_id = $1
+
+ # PLAIN authenticator
plain:
driver = plaintext
public_name = PLAIN
! server_prompts = :
! server_condition = ${extract {address} {${readsocket{AUTHDAEMON_SOCKET} \
! {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n} }} {yes} fail}
! server_set_id = $2
! cram_md5:
driver = plaintext
! public_name = CRAM-MD5
! server_prompts = $acl_c0
! server_set_id = ${sg {${extract {1}{ }{$1} }} {[^a-zA-Z0-9.-_]} {?}}
! server_condition = ${if eq \
! {${extract {address} \
! {${readsocket{AUTHDAEMON_SOCKET} \
! {AUTH ${strlen:exim\ncram-md5\n${str2b64:$acl_c0}\n${str2b64:$1}\n}\nexim\ncram-
md5\n${str2b64:$acl_c0}\n${str2b64:$1}\n} \
! }} \
! {$value} fail}} \
! {${extract {1}{ }{$1} }} \
! {yes}}
!
#####################################################
### end auth/30_exim4-config_examples
#####################################################修正後 /etc/exim4/update-exim4.conf.confをチェックして
- update-exim4.conf -v ; /etc/init.d/exim4 restart
を実行して設定ファイルを作成する。また、パスワードについては、
- userdbpw -hmac-md5 | userdb users/XXX set hmac-md5pw
で設定済みのはずです。ただし、MD5では無い場合をテストに使ったので、その場合、authdaemonはeximpwかsystempwを見に行きます。そこで、eximpwも設定しておきます。
- userdbpw | userdb users/XXX set eximpw
- /etc/init.d/authdaemon restart; /etc/init.d/exim4 restart
で再起動します。
*確認方法 (2008/11/3追加)
elnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 arches ESMTP Exim 4.50 Mon, 03 Nov 2008 22:08:19 +0900 EHLO localhost 250-XXXXX Hello localhost [127.0.0.1] 250-SIZE 52428800 250-PIPELINING 250-AUTH LOGIN PLAIN CRAM-MD5 250-STARTTLS 250 HELP AUTH PLAIN XXXXXXXXXXXXXXXXXXXXX== 235 Authentication succeeded QUIT
の様に試すことができる。/var/log/exim4/mainlogも参照のこと。
「250-AUTH LOGIN PLAIN CRAM-MD5」が出れば、SMTP AUTHが使えるようになっており、「250-STARTTLS」があれば、TLSが使えるようになっている。
AUTH PLAIN の後に続くXXXXXXXXXXXXX==は、
perl -MMIME::Base64 -e 'print encode_base64("user名\0user名\0パスワード");'で表示される文字列。
Authenticationに失敗する場合は、/etc/courier/authdaemonrc の最初に DEBUG_LOGIN=1の行を追加して、/etc/init.d/authdaemon restartし、tail -f /var/log/syslog で、様子を見る。
