Tue, 08 Jul 2003

SMTP Authentication in Exim

At work, we recently took our Microsoft Exchange Server off the front lines. It still handles internal mail, but all external connections are made via Linux servers running Exim.

The motivation for the change was spam. We discovered we could eliminate about 50% of our spam by using the Spamhaus RBL. It is trivial to configure Exim to use an RBL. The same can't be said for Exchange Server. Simply making a Linux server the primary MX wasn't enough. The spammers just backed off to other MX hosts, the Exchange Server being one of them.

So, we configured back-up MX support on three separate domains each on different broadband networks. They each provide backup MX for the other two and they each use the same RBLs. Spam on all three domains dropped dramatically.

We had, however, relied on the Exchange Server to provide our road warriors with SMTP access. We allowed relaying from IP addresses on the internal network and for authenticated connections from the Internet.

I was unable to find a way to allow relaying for authenticated connections while disallowing any mail delivery from unauthenticated connections. So, I simply added SMTP authentication support to one of the Exim servers.

The following configuration was added to a new, 7th section in the exim.conf file:


 # End the Rewrite section.  It was implicitly ended here before,
 # because this was the end of the file.
 end
 
 ################################################################
 #                AUTHENTICATION CONFIGURATION                  #
 ################################################################
 
 # LOGIN: two prompts ("::" is an escaped colon inside the colon-separated
 # prompt list).  $1 is the username and $2 the password sent by the client.
 auth_login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "Username:: : Password::"
    server_condition = "${if eq{$2}{${lookup{$1}lsearch\
                        {/etc/exim/passwd}{$value}fail}}{1}{0}}"
    server_set_id = $1
    
 # PLAIN: a single token "authzid NUL authcid NUL password".
 # $1 is the (usually empty) authorization id, $2 the user, $3 the password.
 auth_plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = "${if eq{$3}{${lookup{$2}lsearch\
                        {/etc/exim/passwd}{$value}fail}}{1}{0}}"
    server_set_id = $2
 
 # CRAM-MD5: the client returns an HMAC-MD5 of the server's challenge keyed
 # with the password, so the server must hold the cleartext password ($1 is
 # the username) to recompute and compare it.
 auth_cram:
    driver = cram_md5
    public_name = CRAM-MD5
    server_secret = "${lookup{$1}lsearch{/etc/exim/passwd}\
                     {$value}fail}"
    server_set_id = $1

I started with CRAM-MD5 hoping, but not expecting, the remote Microsoft Outlook clients would use it to authenticate without sending clear text passwords. Not surprisingly, Outlook did not use it.

Next, I added the PLAIN method. This time, I was surprised when Outlook did not use it. I resorted to sniffing the authentication transactions between an Outlook client and the Exchange Server and discovered that the LOGIN method was being used. So, finally, I added LOGIN support. The other two remain to support any mail clients we may employ in the future that use them.

The password file /etc/exim/passwd is a simple key/value list of user IDs and passwords:


 alice: sea-kert
 bob:   mySecret
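As an added illustration that is not part of the original post, the Python script below models what each of the three authenticators above checks, using a constructed copy of the password file in the format just shown. The lsearch function is an approximation of Exim's lookup (first matching key wins, value after the colon), the challenge string is made up, and the passwords are sample values. The LOGIN and PLAIN helpers show that the client's replies are only base64-encoded, which is why they are cleartext on the wire; CRAM-MD5 sends a keyed digest instead, which is also why the server needs the cleartext password on file.

```python
import base64
import hashlib
import hmac

# Constructed sample in the format of the post's /etc/exim/passwd
# (key, colon, optional whitespace, value).  Not real credentials.
PASSWD_FILE = """alice: sea-kert
bob:   mySecret
"""


def lsearch(key, text=PASSWD_FILE):
    """Approximate Exim's lsearch: value of the first line whose key matches."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        k, v = line.split(":", 1)
        if k.strip() == key:
            return v.strip()
    return None  # the Exim expansions above would 'fail' here


def _same(a, b):
    """Constant-time comparison of two strings."""
    return hmac.compare_digest(a.encode(), b.encode())


def check_login(username, password, text=PASSWD_FILE):
    """auth_login server_condition: $1 = username, $2 = password.
    Returns the id Exim would record via server_set_id, or None."""
    stored = lsearch(username, text)
    if stored is not None and _same(stored, password):
        return username
    return None


def login_tokens(username, password):
    """What a LOGIN client answers to the two prompts: base64 of each value.
    Encoded, not encrypted - this is the cleartext password problem."""
    return (base64.b64encode(username.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def check_login_tokens(user_b64, pass_b64, text=PASSWD_FILE):
    """Server side of the LOGIN exchange as it appears on the wire."""
    return check_login(base64.b64decode(user_b64).decode(),
                       base64.b64decode(pass_b64).decode(), text)


def plain_token(authcid, password, authzid=""):
    """What a PLAIN client sends: base64("authzid\\0authcid\\0password")."""
    raw = b"\0".join(s.encode() for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode()


def check_plain(token_b64, text=PASSWD_FILE):
    """auth_plain server_condition: $1 = authzid, $2 = authcid, $3 = password."""
    parts = base64.b64decode(token_b64).split(b"\0")
    if len(parts) != 3:
        return None
    _authzid, authcid, password = (p.decode() for p in parts)
    return check_login(authcid, password, text)  # server_set_id = $2


def cram_md5_response(username, password, challenge):
    """What a CRAM-MD5 client sends: base64("user <hex HMAC-MD5(pw, challenge)>").
    The password itself never crosses the wire."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def check_cram(challenge, response_b64, text=PASSWD_FILE):
    """auth_cram: server_secret is the lookup of $1 (the username); the server
    recomputes the digest, so it needs the cleartext password on file."""
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    secret = lsearch(username, text)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return username if _same(expected, digest) else None


if __name__ == "__main__":
    # What crosses the wire for each mechanism, and what the server concludes.
    u, p = login_tokens("alice", "sea-kert")
    print("LOGIN :", u, p, "-> password decodes to", base64.b64decode(p).decode())
    t = plain_token("alice", "sea-kert")
    print("PLAIN :", t, "->", base64.b64decode(t))
    chal = "<1234.1057680000@mx.example.com>"  # constructed challenge
    r = cram_md5_response("alice", "sea-kert", chal)
    print("CRAM  :", r, "->", base64.b64decode(r).decode())
    print("verify:", check_login_tokens(u, p), check_plain(t), check_cram(chal, r))
```

Running the script prints the three exchanges side by side; the LOGIN and PLAIN tokens decode straight back to the password, while the CRAM-MD5 response decodes only to a username and a digest that is useless without the challenge and the password.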

One step closer to a non-Microsoft network!


About this weblog

This site is the personal weblog of Marc Mims. You can contact Marc by sending e-mail to:
marc@questright.com.

Marc writes here about cycling, programming, Linux, and other items of personal interest.
