Exim and authenticated relaying via TLS/SSL + LDAP

All of this can be worked out by reading the Exim docs, but some people are impatient, so here is how I let my users relay mail through my server over an encrypted, authenticated connection. The cool part is that the non-RFC-conforming Outlook and Outlook Express are also supported by these configuration directives.

In your authenticators section (usually at the very bottom of the Exim configuration file) add this:

begin authenticators

# SASL PLAIN: $1 = authorization id (normally empty), $2 = username, $3 = password.
# Only advertised once a TLS cipher is in use, so credentials never cross the wire in clear.
plain_ldapauth:
 driver = plaintext
 public_name = PLAIN
 server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
 server_condition = ${if ldapauth \
   {user="uid=${quote_ldap_dn:$2},ou=yourOU,dc=yourdomain,dc=yourtld" \
   pass=${quote:$3} \
   ldaps:///}{yes}{no}}
 server_set_id = $2
 server_prompts = :

# LOGIN: two-step prompts, $auth1 = username, $auth2 = password.
login:
 driver = plaintext
 public_name = LOGIN
 server_prompts = Username:: : Password::
 server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
 server_condition = ${if ldapauth \
   {user="uid=${quote_ldap_dn:$auth1},ou=yourOU,dc=yourdomain,dc=yourtld" \
   pass=${quote:$auth2} \
   ldaps:///}{yes}{no}}
 server_set_id = $auth1

# Never authenticates anything (server_condition = no); its public_name only injects
# the extra "250-AUTH=PLAIN LOGIN" EHLO line that old Outlook Express expects.
bogus:
 driver        = plaintext
 public_name   = "\r\n250-AUTH=PLAIN LOGIN"
 server_prompts = :
 server_condition = no
 server_advertise_condition = ${if def:tls_cipher}

The login authenticator adds Outlook Express support, and the last authenticator breaks RFC compliance but is needed for older (and dumber) versions of Outlook Express.

This assumes that you know how LDAP works, have an SSL-enabled LDAP server, and that the LDAP and TLS setup in the main section of your exim.conf looks something like this:

# Used by the bare ldaps:/// URL in the authenticators; port 636 = LDAP over SSL.
ldap_default_servers = ldapserver1.yourdomain::636:ldapserver2.yourdomain::636

# Advertise AUTH to nobody on a plaintext session, to everybody once TLS is up.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
hostlist auth_over_tls_hosts = *
log_selector = +tls_cipher +tls_peerdn
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
# Port 465 speaks TLS from the first byte (SMTPS) instead of STARTTLS.
tls_on_connect_ports = 465
local_interfaces = 0.0.0.0 : 0.0.0.0.465

This also assumes you have a valid SSL key and certificate in /etc/exim4/ (a self-signed certificate works too).
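As an added example (not part of the original post and not Exim code), here is a small Python helper that decodes a SASL PLAIN response into the $1/$2/$3 fields the plain_ldapauth authenticator above relies on, and checks a pair of EHLO replies captured before and after STARTTLS to confirm that AUTH (including the non-standard AUTH= line from the bogus authenticator) is only advertised once TLS is up. The hostnames, addresses and credentials in it are constructed.

```python
# Added example (not from the original post or from Exim). Offline
# helpers for checking the configuration above: split_sasl_plain()
# shows which SASL PLAIN field lands in Exim's $1/$2/$3, and
# auth_gated_by_tls() checks two EHLO replies (before/after STARTTLS)
# to confirm AUTH is only offered over TLS.
import base64
import re

# Constructed sample input (hostname, IP and credentials are made up).
SAMPLE_PLAIN = base64.b64encode(b"\0alice\0s3cret").decode("ascii")
EHLO_PLAINTEXT = (
    "250-mail.example.com Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_AFTER_TLS = (
    "250-mail.example.com Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH PLAIN LOGIN \r\n"      # normal line for plain_ldapauth + login
    "250-AUTH=PLAIN LOGIN\r\n"       # line produced by the bogus authenticator
    "250 HELP\r\n"
)

# Matches both the RFC "250-AUTH PLAIN LOGIN" form and the "250-AUTH=..." form.
_AUTH_LINE = re.compile(r"^250[ -]AUTH[ =](?P<mechs>.+)$", re.IGNORECASE)


def split_sasl_plain(initial_response_b64: str) -> tuple:
    """Return (authzid, authcid, password), i.e. Exim's ($1, $2, $3)."""
    raw = base64.b64decode(initial_response_b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("SASL PLAIN must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def auth_advertised(ehlo_reply: str) -> set:
    """Set of AUTH mechanisms named anywhere in an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        match = _AUTH_LINE.match(line.strip())
        if match:
            mechs.update(match.group("mechs").upper().split())
    return mechs


def auth_gated_by_tls(pre_tls_reply: str, post_tls_reply: str) -> bool:
    """True when AUTH is absent before STARTTLS and present after it."""
    return not auth_advertised(pre_tls_reply) and bool(auth_advertised(post_tls_reply))
```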

Finally you have to edit your ACL(s) to let the mail through: find a "good" place in your ACL (good meaning near the top, before you start denying things) and add accept authenticated = *. This is part of my example ACL:

acl_check_rcpt:

  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.

  accept  hosts = :
  
  # Deny if the local part contains @ or % or / or | or !. These are rarely
  # found in genuine local parts, but are often tried by people looking to
  # circumvent relaying restrictions.

  # Also deny if the local part starts with a dot. Empty components aren't
  # strictly legal in RFC 2822, but Exim allows them because this is common.
  # However, actually starting with a dot may cause trouble if the local part
  # is used as a file name (e.g. for a mailing list).

  deny    local_parts   = ^.*[@%!/|] : ^\\.

  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.

  accept  local_parts   = postmaster
          domains       = +local_domains

  # Deny unless the sender address can be verified.
  require verify        = sender

  accept  authenticated = *

… and that's it. I hope you find this useful. Sometimes it's a little hard to get this to work, but it's a cool feature once it finally does what you want. You can also authenticate against something other than LDAP, but you will have to read the Exim docs to achieve that.

Last modified: 2012