Tue, 08 Jul 2003
SMTP Authentication in Exim
At work, we recently took our Microsoft Exchange Server off the front lines. It still handles internal mail, but all external connections are made via Linux servers running Exim.
The motivation for the change was spam. We discovered we could eliminate about 50% of our spam by using the Spamhaus RBL. It is trivial to configure Exim to use an RBL. The same can't be said for Exchange Server. Simply making a Linux server the primary MX wasn't enough. The spammers just backed off to other MX hosts, the Exchange Server being one of them.
So, we configured back-up MX support on three separate domains each on different broadband networks. They each provide backup MX for the other two and they each use the same RBLs. Spam on all three domains dropped dramatically.
We had, however, relied on the Exchange Server to provide our road warriors with SMTP access. We allowed relaying from IP addresses on the internal network and for authenticated connections from the Internet.
I was unable to find a way to allow relaying for authenticated connections while disallowing any mail delivery from unauthenticated connections. So, I simply added SMTP authentication support to one of the Exim servers.
The following configuration was added to a new, 7th section in the exim.conf file:
# End the Rewrite section. It was implicitly ended here before,
# because this was the end of the file.
end

################################################################
#                 AUTHENTICATION CONFIGURATION                 #
################################################################

auth_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if eq{$2}{${lookup{$1}lsearch\
                      {/etc/exim/passwd}{$value}fail}}{1}{0}}"
  server_set_id = $1

auth_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if eq{$3}{${lookup{$2}lsearch\
                      {/etc/exim/passwd}{$value}fail}}{1}{0}}"
  server_set_id = $2

auth_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = "${lookup{$1}lsearch{/etc/exim/passwd}\
                   {$value}fail}"
  server_set_id = $1
I started with CRAM-MD5 hoping, but not expecting, the remote Microsoft Outlook clients would use it to authenticate without sending clear text passwords. Not surprisingly, Outlook did not use it.
Next, I added the PLAIN method. This time, I was surprised when Outlook did not use it. I resorted to sniffing the authentication transactions between an Outlook client and the Exchange Server and discovered that the LOGIN method was being used. So, finally, I added LOGIN support. The other two remain to support any mail clients we may employ in the future that use them.
The password file /etc/exim/passwd is a simple key value list of user IDs and passwords:
alice: sea-kert
bob: mySecret
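As an added illustration, not part of the original post or of Exim itself, the following Python models what the three authenticators above actually verify: the lsearch lookup against the password file, the LOGIN and PLAIN checks (where the password arrives as reversible base64, i.e. effectively in clear text), and the CRAM-MD5 check, where only an HMAC of the server_secret is compared. The two-user password file is a constructed copy of the one shown above.

```python
import base64
import hashlib
import hmac

# Constructed copy of the post's /etc/exim/passwd (lsearch "key: value" lines)
PASSWD = "alice: sea-kert\nbob: mySecret\n"

def load_passwd(text):
    """Parse lsearch-style 'key: value' lines into a dict, as the lookups do."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition(":")
            users[key.strip()] = value.strip()
    return users

def plain_message(authcid, password, authzid=""):
    """Client side of AUTH PLAIN: one base64 line of authzid\\0authcid\\0password."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()

def check_plain(users, client_b64):
    """Server side of auth_plain: $2 is the authcid, $3 the password."""
    parts = base64.b64decode(client_b64).split(b"\0")
    if len(parts) != 3:
        return None
    # base64 is an encoding, not encryption: this is the password in the clear
    authcid, password = parts[1].decode(), parts[2].decode()
    return authcid if users.get(authcid) == password else None

def check_login(users, user_b64, pass_b64):
    """Server side of auth_login: $1 and $2 are the base64 replies to the two prompts."""
    user = base64.b64decode(user_b64).decode()
    password = base64.b64decode(pass_b64).decode()
    return user if users.get(user) == password else None

def cram_md5_response(user, secret, challenge):
    """Client side of CRAM-MD5: base64 of 'user <hex HMAC-MD5(secret, challenge)>'."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def check_cram_md5(users, challenge, client_b64):
    """Server side of auth_cram: look up server_secret for $1 (the user) and recompute."""
    user, _, digest = base64.b64decode(client_b64).decode().partition(" ")
    secret = users.get(user)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None
```

The challenge a real server sends is a fresh per-connection string, so a captured CRAM-MD5 response cannot be replayed, whereas captured LOGIN or PLAIN lines decode straight back to the password.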
One step closer to a non-Microsoft network!
About this weblog
This site is the personal weblog of Marc Mims. You can contact Marc by sending e-mail to: [email protected].
Marc writes here about cycling, programming, Linux, and other items of personal interest.