Mailing List Archive: exim: users

Configuring Exim as an SMTP AUTH client only


spamdan at fastmail

May 2, 2012, 6:18 PM

Post #1 of 5 (3147 views)
Configuring Exim as an SMTP AUTH client only

Hi,

I'm new to Exim, so forgive me if this question has an obvious answer,
but I searched for several days and couldn't figure it out myself.

If I want to configure Exim as an SMTP AUTH client (but I don't need an
SMTP AUTH server) do I need to install Dovecot or Cyrus (or any other
SASL implementation or additional software) or do I simply need to
properly configure Exim's config file? Here's my situation, to be sure
that I am asking the question clearly: I have one host machine (CentOS)
running Exim with several local user accounts and I do not plan to allow
any users from remote machines to use this Exim implementation, so I do
not think I need to configure it for authenticated IMAP or POP. This is
why I am not certain if I need Dovecot or Cyrus or any other software.
However, my ISP blocks port 25 outbound but offers an outgoing mail
server relay for me to connect to on port 587. So, if I'm not mistaken,
I need to configure Exim on my host for SMTP AUTH as a client to this
ISP's outgoing server. But I'm not sure if Exim has everything necessary
to make an authenticated connection as a client. Do I need to configure
certificates? Or is everything I need in the exim.conf file? I have
already tried to modify the "smarthost" and "client auth" sections of
exim.conf with no success.

If there is an example (or tutorial) that might get me going in the
right direction for this kind of setup, or if anyone would be willing to
give me a general roadmap, I would greatly appreciate it.

Thanks.

Dan
--
Spam Dan
spamdan [at] fastmail



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Frank.Elsner at TU-Berlin

May 3, 2012, 2:54 AM

Post #2 of 5 (3061 views)
Re: Configuring Exim as an SMTP AUTH client only

On Wed, 02 May 2012 21:18:41 -0400 Dan wrote:
> Hi,
>
> I'm new to Exim, so forgive me if this question has an obvious answer,
> but I searched for several days and couldn't figure it out myself.

Really not hard to find:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch33.html


--Frank Elsner



exim-users at spodhuis

May 3, 2012, 3:50 AM

Post #3 of 5 (3063 views)
Re: Configuring Exim as an SMTP AUTH client only

On 2012-05-02 at 21:18 -0400, Dan wrote:
> If I want to configure Exim as an SMTP AUTH client (but I don't need an
> SMTP AUTH server) do I need to install Dovecot or Cyrus (or any other
> SASL implementation or additional software) or do I simply need to
> properly configure Exim's config file?

The latter. Probably looking up the password from an external file.

> If there is an example (or tutorial) that might get me going in the
> right direction for this kind of setup, or if anyone would be willing to
> give me a general roadmap, I would greatly appreciate it.

You configure something after "begin authenticators", as an
authentication driver, for the correct SASL method.

For instance, if the server you're talking to "AUTH CRAM-MD5 PLAIN" you
might configure:

auth_cram:
driver = cram_md5
public_name = CRAM-MD5
client_name = dan
client_secret = sekret

In reality, you'll use something like ${lookup...} instead of
hard-coding passwords in the config file.

-Phil



spamdan at fastmail

May 3, 2012, 11:24 AM

Post #4 of 5 (3077 views)
Re: Configuring Exim as an SMTP AUTH client only

Thanks, Phil. I tried your suggestion but still no luck - the config
file that came with the version of Exim I'm using had 'client_auth'
instead of 'auth_cram' but I tried both.

Allow me to post some output in case anyone can spot something out of
the ordinary. Below is the output of my telnet connection to my ISP's
mail relay, the output of "exim -bV", the output of my telnet connection
to my own Exim instance, and my exim.conf file. Names & IPs used for
obfuscation: myhost, mydomain.org, isp-relay.org, 1.2.3.4, 2.3.4.5.
Also, I left out the ACL section of exim.conf because I didn't change it
from default and it took up a lot of space. Most of exim.conf is
default anyway, with the exception of changes I made to
primary_hostname, dnslookup (which I commented out based on the
commented instructions in exim.conf), smarthost, remote_msa, and
client_auth. Also, for the record, I am using Mutt as my MUA and I can
receive mail there from my gmail account, but sending mail gives me no
errors in the form of a returned message or anything in exim's log
files.

[me@myhost ~]$ telnet mx.isp-relay.org 587
Trying 1.2.3.4...
Connected to mx.isp-relay.org.
Escape character is '^]'.
220 remotehost.isp-relay.org ESMTP Sendmail 8.14.5/8.14.3; Thu, 3 May 2012 14:45:33 GMT
ehlo localhost
250-remotehost.isp-relay.org Hello pool-2-3-4-5.bstnma.btas.verizon.net [2.3.4.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 100000000
250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN NTLM
250-DELIVERBY
250 HELP
quit
221 2.0.0 remotehost.isp-relay.org closing connection
Connection closed by foreign host.

[me@myhost ~]$ exim -bV
Exim version 4.72 #1 built 24-May-2011 17:40:23
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.7.25: (June 4, 2010)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm nis nis0 nisplus passwd sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
OpenSSL compile-time version: OpenSSL 1.0.0-fips 29 Mar 2010
OpenSSL runtime version: OpenSSL 1.0.0-fips 29 Mar 2010
Configuration file is /etc/exim/exim.conf

[me@myhost ~]$ telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mydomain.org ESMTP Exim 4.72 Thu, 03 May 2012 09:59:47 -0400
ehlo localhost
250-mydomain.org Hello localhost [::1]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP
quit
221 mydomain.org closing connection
Connection closed by foreign host.

[me@myhost ~]$ cat /etc/exim/exim.conf
# $Cambridge: exim/exim-src/src/configure.default,v 1.14 2009/10/16 07:46:13 tom Exp $
# Runtime configuration file for Exim #
# MAIN CONFIGURATION SETTINGS #

primary_hostname = mydomain.org

domainlist local_domains = @ : localhost : localhost.localdomain
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1

acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime

av_scanner = clamd:/var/run/clamd.exim/clamd.sock

tls_advertise_hosts = *

tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem

daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

never_users = root

host_lookup = *

auth_advertise_hosts =

rfc1413_hosts = *
rfc1413_query_timeout = 5s

ignore_bounce_errors_after = 2d

timeout_frozen_after = 7d

# ACL CONFIGURATION #

# I didn't change anything from default in the ACL config so I removed
# it to save space for the purposes of this post

# ROUTERS CONFIGURATION #

begin routers

#dnslookup:
# driver = dnslookup
# domains = ! +local_domains
# transport = remote_smtp
# ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
# no_more

smarthost:
driver = manualroute
domains = ! +local_domains
transport = remote_msa
route_data = mx.isp-relay.org
no_more

system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
# user = exim
file_transport = address_file
pipe_transport = address_pipe

userforward:
driver = redirect
check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
file = $home/.forward
allow_filter
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

procmail:
driver = accept
check_local_user
require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
transport = procmail
no_verify

localuser:
driver = accept
check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
transport = local_delivery
cannot_route_message = Unknown user

# TRANSPORTS CONFIGURATION #

begin transports


# This transport is used for delivering messages over SMTP connections.

remote_smtp:
driver = smtp

# This transport is used for delivering messages over SMTP using the
# "message submission" port (RFC4409).

remote_msa:
driver = smtp
port = 587
hosts_require_auth = *


# This transport invokes procmail to deliver mail
procmail:
driver = pipe
command = "/usr/bin/procmail -d $local_part"
return_path_add
delivery_date_add
envelope_to_add
user = $local_part
initgroups
return_output

local_delivery:
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0660

address_pipe:
driver = pipe
return_output

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

# RETRY CONFIGURATION #

begin retry

* * F,2h,15m; G,16h,1h,1.5; F,4d,6h

# REWRITE CONFIGURATION #

begin rewrite

# AUTHENTICATION CONFIGURATION #

begin authenticators

client_auth:
driver = cram_md5
public_name = CRAM-MD5
client_name = my-username.isp-relay.org
client_secret = my-password

PLAIN:
driver = plaintext
server_set_id = $auth2
server_prompts = :
server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}}
server_advertise_condition = ${if def:tls_cipher }

LOGIN:
driver = plaintext
server_set_id = $auth1
server_prompts = <| Username: | Password:
server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}}
server_advertise_condition = ${if def:tls_cipher }





--
Spam Dan
spamdan [at] fastmail



jgh at wizmail

May 5, 2012, 11:13 AM

Post #5 of 5 (3050 views)
Re: Configuring Exim as an SMTP AUTH client only

On 2012-05-03 19:24, Dan wrote:
> Also, for the record, I am using Mutt as my MUA and I can
> receive mail there from my gmail account, but sending mail gives me no
> errors in the form of a returned message or anything in exim's log
> files.

How is your Mutt configured with respect to sending?

> client_auth:
> driver = cram_md5
> public_name = CRAM-MD5
> client_name = my-username.isp-relay.org

Is that name really correct; the name of your account on the smarthost?
Double-check it.

> client_secret = my-password
>
> PLAIN:
> driver = plaintext
> server_set_id = $auth2
> server_prompts = :
> server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}}
> server_advertise_condition = ${if def:tls_cipher }

You could try extending your "plain" authenticator to handle client-side
as well, as your smarthost supports it. However, your password would
be travelling the wire in clear, a security issue. I'm amazed your ISP
doesn't offer STARTTLS on 587. Do they support SSL-on-connect
(most common on 465)?

--
Cheers,
Jeremy
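
An added example, not written by any poster in this thread: client-side authenticators for the smarthost discussed above, with the credentials looked up from a file as Phil recommends and PLAIN sent only over an encrypted connection, following Jeremy's caution. The file path /etc/exim/passwd.client, its host:login:password layout and the authenticator names are assumptions; `$tls_cipher` is the variable name used in the Exim 4.72 config posted above.

```exim
# Added example; /etc/exim/passwd.client is a hypothetical path.
# One line per smarthost, readable only by root and the exim group (0640):
#
#   mx.isp-relay.org:my-username.isp-relay.org:my-password
#
# lsearch matches the text before the first colon against $host (the
# server name the smtp transport is connecting to) and returns the rest,
# "login:password", which ${extract} then splits on ":".
#
# These entries go under the existing "begin authenticators" line.

# Client side of CRAM-MD5: the secret only keys an HMAC over the
# server's challenge, so it is never sent over the connection.
cram_md5_client:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = ${extract{1}{:}{${lookup{$host}lsearch\
                  {/etc/exim/passwd.client}{$value}fail}}}
  client_secret = ${extract{2}{:}{${lookup{$host}lsearch\
                  {/etc/exim/passwd.client}{$value}fail}}}

# Client side of PLAIN: the login and password are sent base64-encoded,
# not encrypted, so send them only when TLS is active on the connection.
# With no TLS, "fail" forces the expansion to fail and nothing is sent.
# "<; " changes the client_send list separator from ":" to ";" so the
# ":" inside ${extract} is not taken as a list separator.
plain_client:
  driver = plaintext
  public_name = PLAIN
  client_send = "<; ${if def:tls_cipher \
                  {^${extract{1}{:}{${lookup{$host}lsearch\
                    {/etc/exim/passwd.client}{$value}fail}}}\
                   ^${extract{2}{:}{${lookup{$host}lsearch\
                    {/etc/exim/passwd.client}{$value}fail}}}\
                  }fail}"
```

Against the relay shown in this thread, whose EHLO response on port 587 lists no STARTTLS, only the CRAM-MD5 authenticator would send anything.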
