mathieu ruellan
2005-Aug-29 21:37 UTC
[Pkg-exim4-users] I don''t succed to use tls + auth pam for relay
Hi all, I try to make my smtp server able to relay when a users is authentified over a tls connection ... I''m using a debian stable (sarge) with splited files! no 250-AUTH line appears :( here the result of the test command: ================================================> swaks -s localhost -t ticoli@hotmail.com -f ticoli@hotmail.com -tlso --local-interface 62.39.254.88 -a -au mathieu -ap XXXXX === Trying localhost:25... === Connected to localhost. <- 220 breizh-biniou ESMTP Exim 4.50 Mon, 29 Aug 2005 17:23:49 +0200 -> EHLO breizh-biniou <- 250-breizh-biniou Hello 88.254.39-62.rev.gaoland.net [62.39.254.88] <- 250-SIZE 52428800 <- 250-PIPELINING <- 250-STARTTLS <- 250 HELP -> STARTTLS <- 220 TLS go ahead === TLS started w/ cipher DHE-RSA-AES256-SHA ~> EHLO breizh-biniou <~ 250-breizh-biniou Hello 88.254.39-62.rev.gaoland.net [62.39.254.88] <~ 250-SIZE 52428800 <~ 250-PIPELINING <~ 250 HELP *** ANY authentication not supported ~> QUIT <~ 221 breizh-biniou closing connection ================================================ Debian-exim is added in the shadow group ... and I add file /etc/pam.d/exim : =========================cat > /etc/pam.d/exim #%PAM-1.0 auth required pam_unix.so account required pam_permit.so ========================= If somebody can have a look to my /var/lib/exim4/config.autogenerated (i''m using splited files) ...> cat /var/lib/exim4/config.autogenerated######### # WARNING WARNING WARNING # WARNING WARNING WARNING # WARNING WARNING WARNING # WARNING WARNING WARNING # WARNING WARNING WARNING # this file is generated dynamically from the files in # CONFDIR/conf.d/ or /etc/exim4/exim4.conf.template respectively and # /etc/exim4/update-exim4.conf.conf # Any changes you make here will be lost. # See /usr/share/doc/exim4-base/README.Debian.gz and update-exim4.conf(8) # for instructions of customization. # WARNING WARNING WARNING # WARNING WARNING WARNING # WARNING WARNING WARNING # WARNING WARNING WARNING # WARNING WARNING WARNING ######### MAIN_TLS_ENABLE = true MAIN_TLS_ADVERTISE_HOSTS = * exim_path = /usr/sbin/exim4 .ifndef CONFDIR CONFDIR = /etc/exim4 .endif .ifndef DC_minimaldns .endif .ifndef DC_visiblename DC_visiblename=breizh-biniou.dyndns.org .endif .ifndef MAIN_LOCAL_DOMAINS MAIN_LOCAL_DOMAINS @:localhost:breizh-biniou.no-ip.org:breizh-biniou.dyndns.org .endif domainlist local_domains = MAIN_LOCAL_DOMAINS .ifndef MAIN_RELAY_TO_DOMAINS MAIN_RELAY_TO_DOMAINS .endif domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS .ifndef MAIN_RELAY_NETS MAIN_RELAY_NETS = 192.168.1.0/24 .endif hostlist relay_from_hosts = 127.0.0.1 : ::::1 : MAIN_RELAY_NETS .ifdef DC_visiblename qualify_domain = DC_visiblename .endif .ifndef DCreadhost DCreadhost .endif .ifndef DCsmarthost DCsmarthost = smtp.9online.fr .endif .ifdef MAIN_LOCAL_INTERFACES local_interfaces = MAIN_LOCAL_INTERFACES .else .endif .ifndef LOCAL_DELIVERY LOCAL_DELIVERY=maildir_home .endif gecos_pattern = ^([^,:]*) gecos_name = $1 .ifndef DCconfig_satellite .ifndef DCconfig_internet .ifndef DCconfig_local .ifndef DCconfig_smarthost DCconfig_internet = 1 .endif .endif .endif .endif .ifndef CHECK_RCPT_LOCAL_LOCALPARTS CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|\''`#&?] .endif .ifndef CHECK_RCPT_REMOTE_LOCALPARTS CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!\''`#&?] : ^.*/\\.\\./ .endif .ifndef MAIN_ACL_CHECK_RCPT MAIN_ACL_CHECK_RCPT = acl_check_rcpt .endif acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT .ifndef MAIN_ACL_CHECK_DATA MAIN_ACL_CHECK_DATA = acl_check_data .endif acl_smtp_data = MAIN_ACL_CHECK_DATA .ifdef MESSAGE_SIZE_LIMIT message_size_limit = MESSAGE_SIZE_LIMIT .endif .ifdef MAIN_ALLOW_DOMAIN_LITERALS allow_domain_literals .endif .ifndef DC_minimaldns .ifndef MAIN_HOST_LOOKUP MAIN_HOST_LOOKUP = * .endif host_lookup = MAIN_HOST_LOOKUP .endif .ifndef MAIN_FORCE_SENDER local_from_check = false local_sender_retain = true untrusted_set_sender = * .endif .ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d .endif ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER .ifndef MAIN_TIMEOUT_FROZEN_AFTER MAIN_TIMEOUT_FROZEN_AFTER = 7d .endif timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER .ifndef MAIN_FREEZE_TELL MAIN_FREEZE_TELL = postmaster .endif freeze_tell = MAIN_FREEZE_TELL .ifndef SPOOLDIR SPOOLDIR = /var/spool/exim4 .endif spool_directory = SPOOLDIR .ifndef MAIN_TRUSTED_USERS MAIN_TRUSTED_USERS = uucp .endif trusted_users = MAIN_TRUSTED_USERS .ifdef MAIN_TRUSTED_GROUPS trusted_groups = MAIN_TRUSTED_GROUPS .endif .ifdef MAIN_TLS_ENABLE .ifndef MAIN_TLS_ADVERTISE_HOSTS MAIN_TLS_ADVERTISE_HOSTS = * .endif tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS .ifndef MAIN_TLS_CERTIFICATE MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt .endif tls_certificate = MAIN_TLS_CERTIFICATE .ifndef MAIN_TLS_PRIVATEKEY MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key .endif tls_privatekey = MAIN_TLS_PRIVATEKEY .ifndef MAIN_TLS_VERIFY_CERTIFICATES MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\ {/etc/ssl/certs/ca-certificates.crt}\ {/dev/null}} .endif tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES .ifdef MAIN_TLS_VERIFY_HOSTS tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS .endif .ifndef MAIN_TLS_TRY_VERIFY_HOSTS MAIN_TLS_TRY_VERIFY_HOSTS = * .endif tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS .endif begin acl acl_whitelist_local_deny: accept hosts = ${if exists{CONFDIR/local_host_whitelist}\ {CONFDIR/local_host_whitelist}\ {}} accept senders = ${if exists{CONFDIR/local_sender_whitelist}\ {CONFDIR/local_sender_whitelist}\ {}} .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE .endif acl_check_rcpt: accept hosts = : warn hosts = +relay_from_hosts control = submission/sender_retain .ifdef CHECK_RCPT_LOCAL_LOCALPARTS deny domains = +local_domains local_parts = CHECK_RCPT_LOCAL_LOCALPARTS message = restricted characters in address .endif .ifdef CHECK_RCPT_REMOTE_LOCALPARTS deny domains = !+local_domains local_parts = CHECK_RCPT_REMOTE_LOCALPARTS message = restricted characters in address .endif accept .ifndef CHECK_RCPT_POSTMASTER local_parts = postmaster .else local_parts = CHECK_RCPT_POSTMASTER .endif domains = +local_domains deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster !acl = acl_whitelist_local_deny senders = ${if exists{CONFDIR/local_sender_blacklist}\ {CONFDIR/local_sender_blacklist}\ {}} deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster !acl = acl_whitelist_local_deny hosts = ${if exists{CONFDIR/local_host_blacklist}\ {CONFDIR/local_host_blacklist}\ {}} .ifdef CHECK_RCPT_VERIFY_SENDER deny message = Sender verification failed !acl = acl_whitelist_local_deny !verify = sender .endif deny !acl = acl_whitelist_local_deny senders = ${if exists{CONFDIR/local_sender_callout}\ {CONFDIR/local_sender_callout}\ {}} !verify = sender/callout deny !acl = acl_whitelist_local_deny recipients = ${if exists{CONFDIR/local_rcpt_callout}\ {CONFDIR/local_rcpt_callout}\ {}} !verify = recipient/callout .ifdef CHECK_RCPT_REVERSE_DNS warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}}) condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\ {yes}{no}} .endif .ifdef CHECK_RCPT_IP_DNSBLS warn message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) dnslists = CHECK_RCPT_IP_DNSBLS .endif .ifdef CHECK_RCPT_DOMAIN_DNSBLS warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\ {CONFDIR/local_domain_dnsbl_whitelist}\ {}} dnslists = CHECK_RCPT_DOMAIN_DNSBLS/$sender_address_domain .endif .ifdef CHECK_RCPT_LOCAL_ACL_FILE .include CHECK_RCPT_LOCAL_ACL_FILE .endif accept domains = +local_domains endpass message = unknown user verify = recipient accept domains = +relay_to_domains endpass .ifdef CHECK_RCPT_GIVE_UNKNOWN_USER message = ${if eq{$acl_verify_message}{Unrouteable address}{unknown user}{$acl_verify_message}} .else message = unrouteable address .endif verify = recipient accept hosts = +relay_from_hosts accept authenticated = * deny message = relay not permitted acl_check_data: .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX deny message = Message headers fail syntax check !acl = acl_whitelist_local_deny !verify = header_syntax .endif .ifdef CHECK_DATA_VERIFY_HEADER_SENDER deny message = No verifiable sender address in message headers !acl = acl_whitelist_local_deny !verify = header_sender .endif .ifdef CHECK_DATA_LOCAL_ACL_FILE .include CHECK_DATA_LOCAL_ACL_FILE .endif accept begin routers .ifdef MAIN_ALLOW_DOMAIN_LITERALS domain_literal: debug_print = "R: domain_literal for $local_part@$domain" driver = ipliteral domains = ! +local_domains transport = remote_smtp .endif hubbed_hosts: debug_print = "R: hubbed_hosts for $domain" driver = manualroute domains = "${if exists{CONFDIR/hubbed_hosts}\ {partial-lsearch;CONFDIR/hubbed_hosts}\ fail}" route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}} transport = remote_smtp .ifdef DCconfig_internet dnslookup_relay_to_domains: debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain" driver = dnslookup domains = ! +local_domains : +relay_to_domains transport = remote_smtp same_domain_copy_routing = yes no_more dnslookup: debug_print = "R: dnslookup for $local_part@$domain" driver = dnslookup domains = ! +local_domains transport = remote_smtp same_domain_copy_routing = yes ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 no_more .endif .ifdef DCconfig_local nonlocal: debug_print = "R: nonlocal for $local_part@$domain" driver = redirect domains = ! +local_domains allow_fail data = :fail: Mailing to remote domains not supported no_more .endif .ifdef DCconfig_smarthost DCconfig_satellite smarthost: debug_print = "R: smarthost for $local_part@$domain" driver = manualroute domains = ! +local_domains transport = remote_smtp_smarthost route_list = * DCsmarthost byname host_find_failed = defer same_domain_copy_routing = yes no_more .endif real_local: debug_print = "R: real_local for $local_part@$domain" driver = accept domains = +local_domains local_part_prefix = real- check_local_user transport = LOCAL_DELIVERY system_aliases: debug_print = "R: system_aliases for $local_part@$domain" driver = redirect domains = +local_domains allow_fail allow_defer data = ${lookup{$local_part}lsearch{/etc/aliases}} .ifdef SYSTEM_ALIASES_USER user = SYSTEM_ALIASES_USER .endif .ifdef SYSTEM_ALIASES_GROUP group = SYSTEM_ALIASES_GROUP .endif .ifdef SYSTEM_ALIASES_FILE_TRANSPORT file_transport = SYSTEM_ALIASES_FILE_TRANSPORT .endif .ifdef SYSTEM_ALIASES_PIPE_TRANSPORT pipe_transport = SYSTEM_ALIASES_PIPE_TRANSPORT .endif .ifdef SYSTEM_ALIASES_DIRECTORY_TRANSPORT directory_transport = SYSTEM_ALIASES_DIRECTORY_TRANSPORT .endif .ifdef DCconfig_satellite hub_user: debug_print = "R: hub_user for $local_part@$domain" driver = redirect domains = +local_domains data = ${local_part}@DCreadhost check_local_user hub_user_smarthost: debug_print = "R: hub_user_smarthost for $local_part@$domain" driver = manualroute domains = DCreadhost transport = remote_smtp_smarthost route_list = * DCsmarthost byname host_find_failed = defer same_domain_copy_routing = yes check_local_user .endif userforward: debug_print = "R: userforward for $local_part@$domain" driver = redirect domains = +local_domains check_local_user file = $home/.forward no_verify no_expn check_ancestor allow_filter directory_transport = address_directory file_transport = address_file pipe_transport = address_pipe reply_transport = address_reply skip_syntax_errors syntax_errors_to = real-$local_part@$domain syntax_errors_text = \ This is an automatically generated message. An error has\n\ been found in your .forward file. Details of the error are\n\ reported below. While this error persists, you will receive\n\ a copy of this message for every message that is addressed\n\ to you. If your .forward file is a filter file, or if it is\n\ a non-filter file containing no valid forwarding addresses,\n\ a copy of each incoming message will be put in your normal\n\ mailbox. If a non-filter file contains at least one valid\n\ forwarding address, forwarding to the valid addresses will\n\ happen, and those will be the only deliveries that occur. procmail: debug_print = "R: procmail for $local_part@$domain" driver = accept domains = +local_domains check_local_user transport = procmail_pipe require_files = ${local_part}:\ ${if exists{/etc/procmailrc}\ {/etc/procmailrc}{${home}/.procmailrc}}:\ +/usr/bin/procmail no_verify no_expn maildrop: debug_print = "R: maildrop for $local_part@$domain" driver = accept domains = +local_domains check_local_user transport = maildrop_pipe require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop no_verify no_expn local_user: debug_print = "R: local_user for $local_part@$domain" driver = accept domains = +local_domains check_local_user local_parts = ! root transport = LOCAL_DELIVERY mail4root: debug_print = "R: mail4root for $local_part@$domain" driver = redirect domains = +local_domains data = /var/mail/mail file_transport = address_file local_parts = root user = mail group = mail begin transports address_file: debug_print = "T: address_file for $local_part@$domain" driver = appendfile delivery_date_add envelope_to_add return_path_add address_pipe: debug_print = "T: address_pipe for $local_part@$domain" driver = pipe return_fail_output address_reply: debug_print = "T: autoreply for $local_part@$domain" driver = autoreply mail_spool: debug_print = "T: appendfile for $local_part@$domain" driver = appendfile file = /var/mail/$local_part delivery_date_add envelope_to_add return_path_add group = mail mode = 0660 mode_fail_narrower = false maildir_home: debug_print = "T: maildir_home for $local_part@$domain" driver = appendfile .ifdef MAILDIR_HOME_MAILDIR_LOCATION directory = MAILDIR_HOME_MAILDIR_LOCATION .else directory = $home/Maildir .endif .ifdef MAILDIR_HOME_CREATE_DIRECTORY create_directory .endif .ifdef MAILDIR_HOME_CREATE_FILE create_file = MAILDIR_HOME_CREATE_FILE .endif delivery_date_add envelope_to_add return_path_add maildir_format .ifdef MAILDIR_HOME_DIRECTORY_MODE directory_mode = MAILDIR_HOME_DIRECTORY_MODE .else directory_mode = 0700 .endif .ifdef MAILDIR_HOME_MODE mode = MAILDIR_HOME_MODE .else mode = 0600 .endif mode_fail_narrower = false maildrop_pipe: debug_print = "T: maildrop_pipe for $local_part@$domain" driver = pipe path = "/bin:/usr/bin:/usr/local/bin" command = "/usr/bin/maildrop" return_path_add delivery_date_add envelope_to_add procmail_pipe: debug_print = "T: procmail_pipe for $local_part@$domain" driver = pipe path = "/bin:/usr/bin:/usr/local/bin" command = "/usr/bin/procmail" return_path_add delivery_date_add envelope_to_add remote_smtp: debug_print = "T: remote_smtp for $local_part@$domain" driver = smtp remote_smtp_smarthost: debug_print = "T: remote_smtp_smarthost for $local_part@$domain" driver = smtp hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}} tls_tempfail_tryclear = false address_directory: debug_print = "T: address_directory for $local_part@$domain" driver = appendfile envelope_to_add = true return_path_add = true check_string = "" escape_string = "" maildir_format begin retry * * F,2h,15m; G,16h,1h,1.5; F,4d,6h begin rewrite *@+local_domains ${lookup{${local_part}}lsearch{/etc/email-addresses}\ {$value}fail} Ffrs *@breizh-biniou.dyndns.org ${lookup{${local_part}}lsearch{/etc/email-addresses}{$value}fail} Ffrs begin authenticators cram_md5: driver = cram_md5 public_name = CRAM-MD5 client_name ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} client_secret ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} plain: driver = plaintext public_name = PLAIN .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS client_send = "${if !eq{$tls_cipher}{}{\ ^${extract{1}{::}\ {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\ ^${extract{2}{::}\ {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\ }fail}" .else client_send "^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}" .endif login: driver = plaintext public_name = LOGIN .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS client_send = "${if !eq{$tls_cipher}{}{}fail}\ : ${extract{1}{::}\ {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \ : ${extract{2}{::}\ {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}" .else client_send = ": ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}" .endif -- Mathieu Ruellan mathieu.ruellan@breizh-biniou.dyndns.org
Marc Haber
2005-Aug-29 22:08 UTC
[Pkg-exim4-users] I don''t succed to use tls + auth pam for relay
On Mon, Aug 29, 2005 at 05:30:04PM +0200, mathieu ruellan wrote:> no 250-AUTH line appears :(AUTH is only advertised when AUTH is configured.> Debian-exim is added in the shadow group ... > and I add file /etc/pam.d/exim :Bad idea. See the docs.> If somebody can have a look to my /var/lib/exim4/config.autogenerated (i''m > using splited files) ...YOu have very obviously missed to read the docs, and didn''t configure any server authenticators. Greetings Marc -- ----------------------------------------------------------------------------- Marc Haber | "I don''t trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
mathieu ruellan
2005-Aug-30 07:52 UTC
[Pkg-exim4-users] I don''t succed to use tls + auth pam for relay
Marc Haber said:> On Mon, Aug 29, 2005 at 05:30:04PM +0200, mathieu ruellan wrote: >> no 250-AUTH line appears :( > > AUTH is only advertised when AUTH is configured. > >> Debian-exim is added in the shadow group ... >> and I add file /etc/pam.d/exim : > > Bad idea. See the docs. >Yes, they said to put that: As usual, i wonder in which debian file? I would like conf files be clean ... Another question with debian the user is Debian-exim ... I think, "exim_user=Debian-exim exim_group=shadow" is better, no? regards, Mathieu>> If somebody can have a look to my /var/lib/exim4/config.autogenerated >> (i''m >> using splited files) ... > > YOu have very obviously missed to read the docs, and didn''t configure > any server authenticators. > > Greetings > Marc > > -- > ----------------------------------------------------------------------------- > Marc Haber | "I don''t trust Computers. They | Mailadresse im > Header > Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 > 72739834 > Nordisch by Nature | How to make an American Quilt | Fax: *49 621 > 72739835 > > _______________________________________________ > Pkg-exim4-users mailing list > Pkg-exim4-users@lists.alioth.debian.org > http://lists.alioth.debian.org/mailman/listinfo/pkg-exim4-users >-- Mathieu Ruellan mathieu.ruellan@breizh-biniou.dyndns.org