exim_smtp_authentication_against_ldap [2017/09/09 17:54] 127.0.0.1 external edit
exim_smtp_authentication_against_ldap [2020/02/13 22:55]

====== Exim SMTP Authentication against LDAP ======

I wanted to block repeated failed attempts against SMTP AUTH using fail2ban, and the easiest way to achieve that was to have fail2ban block based on the exim4 mainlog.

<code>
2017-09-09 13:19:03 login authenticator failed for (User) [80.82.77.175]:
2017-09-09 13:24:19 login authenticator failed for (User) [80.82.77.175]:
2017-09-09 13:29:34 login authenticator failed for (User) [80.82.77.175]:
2017-09-09 13:34:49 login authenticator failed for (User) [80.82.77.175]:
</code>

All the mail users are stored in LDAP, anonymous bind searching is enabled, and I wanted to re-bind with the user's DN and the supplied password to check the authentication.

Fortunately exim has all the bits and pieces needed to do the LDAP lookups; it's just a matter of stringing them together.

<note tip>
I found 'exim -be' to be very handy in debugging the exim expansions for each section.
</note>

First we need to find the user's LDAP DN based on a uid lookup of the supplied username:

<code>
${lookup ldapdn{ldap://
</code>

Connect to the LDAP server on localhost, use a BaseDN of ou=mail,

<code>
:~$ exim -be
> ${lookup ldapdn{ldap://
cn=Test User,
> ^D
</code>

And a little sub-shell substitution to check the result with the '
<code>
:~$ ldapsearch -xvvv -D$(exim -be '
</code>

Based heavily on the example from the Exim documentation,
<code>
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if and{{ !eq{}{$auth2} }{ \
    ldapauth{\
      user="
      pass=${quote:
      ldap://
  server_set_id = $auth2
  server_prompts = :

login:
  driver = plaintext
  public_name = LOGIN
  # Use straight ASCII quotes here. The original page had curly quotes (“ ”),
  # which Exim sent as part of the LOGIN prompts; that is why the challenges
  # in the test sessions below decode to “Username: and Password:”.
  server_prompts = "Username::
  server_condition = ${if and{{ !eq{}{$auth1} }{ \
    ldapauth{\
      user="
      pass=${quote:
      ldap://
  server_set_id = $auth1
</code>

This can be tested first by using exim's debug mode:
<note tip>
For AUTH PLAIN the credentials are sent as a single base64 string:
<code>
$ echo -en '
AHRlc3R1c2VyQGRvbWFpbi5jYQB0ZXN0cGFzcw==
</code>
AUTH LOGIN is a two-step exchange instead: the server sends base64-encoded prompts for the username (4oCcVXNlcm5hbWU6) and the password (UGFzc3dvcmQ64oCd), and the client answers each with its own base64 string:
<code>
$ echo -n '
dGVzdHVzZXJAZG9tYWluLmNh
$ echo -n '
dGVzdHBhc3M=
</code>
</note>
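The encoding steps in this tip, as an added Python example that is not part of the original page: it builds and decodes the single NUL-separated AUTH PLAIN string, produces the two separate AUTH LOGIN replies, reproduces the server's LOGIN challenges from a ''server_prompts'' value, and flags challenges that contain non-ASCII bytes. The full ''server_prompts'' line is truncated on this page, so the value used here ("“Username:: : Password::”", curly quotes included) is an assumption chosen because it reproduces the challenges shown in the sessions below; all function names are mine.

```python
import base64


def plain_initial_response(authcid, password, authzid=""):
    """Build the AUTH PLAIN string: base64(authzid NUL authcid NUL password).
    Exim's plaintext authenticator exposes the three fields as $auth1, $auth2
    and $auth3, which is why the PLAIN server_condition above tests $auth2."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64):
    """Split a PLAIN initial response into (authzid, authcid, password).
    Rejects data that does not hold exactly two NUL separators."""
    fields = base64.b64decode(b64, validate=True).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("PLAIN data must be authzid NUL authcid NUL password")
    return tuple(fields)


def login_responses(username, password):
    """The two client replies in AUTH LOGIN; Exim sees them as $auth1 and $auth2."""
    def b64(s):
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    return b64(username), b64(password)


def exim_list_items(value):
    """Split an Exim colon-separated list such as server_prompts: '::' is a
    literal colon and whitespace around each item is dropped (a simplification
    of Exim's list rules that is sufficient for prompt strings)."""
    marker = "\0"
    return [item.replace(marker, ":").strip()
            for item in value.replace("::", marker).split(":")]


def login_challenges(server_prompts):
    """The '334 <base64>' challenges a server sends for a server_prompts value."""
    return [base64.b64encode(p.encode("utf-8")).decode("ascii")
            for p in exim_list_items(server_prompts)]


def decode_challenge(b64):
    """Decode a challenge back to the prompt text the server configured."""
    return base64.b64decode(b64, validate=True).decode("utf-8")


def challenge_is_ascii(b64):
    """False when the prompt carries non-ASCII bytes, e.g. curly quotes pasted
    into server_prompts, which is what the page's 4oCc.../...4oCd prompts show."""
    return decode_challenge(b64).isascii()


if __name__ == "__main__":
    print(plain_initial_response("testuser@domain.ca", "testpass"))
    print(login_responses("testuser@domain.ca", "testpass"))
    # Assumed server_prompts value that reproduces the page's challenges,
    # including the curly quotes the original config carried.
    for c in login_challenges("\u201cUsername:: : Password::\u201d"):
        print(c, repr(decode_challenge(c)),
              "ascii" if challenge_is_ascii(c) else "NON-ASCII")
```

Running it prints the same ''AHRl...'' and ''dGVz...'' strings as the shell commands above, and shows that the two challenges from the sessions below are flagged NON-ASCII, which is the quickest way to spot stray characters in ''server_prompts'' when clients misbehave on AUTH LOGIN.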

<code>
:~$ exim4 -bhc 66.55.44.33 -d+all
...
220 mail.domain.ca ESMTP Sat, 09 Sep 2017 17:14:32 -0400
17:14:32 22572 smtp_setup_msg entered
ehlo mailhost.com
...
250-mail.domain.ca Hello mailhost.com [66.55.44.33]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
17:14:40 22572 SMTP>>
17:14:40 22572 250-SIZE 52428800
17:14:40 22572 250-8BITMIME
17:14:40 22572 250-PIPELINING
17:14:40 22572 250-AUTH PLAIN LOGIN
17:14:40 22572 250-STARTTLS
17:14:40 22572 250 HELP
auth plain
17:14:53 22572 SMTP<<
17:14:53 22572 SMTP>>
334
...
AHRlc3R1c2VyQGRvbWFpbi5jYQB0ZXN0cGFzcw==
...
17:19:47 22572 expanding: $auth2
17:19:47 22572 result: testuser@domain.ca
17:19:47 22572 SMTP>>
235 Authentication succeeded
quit
</code>

And then remotely, using gnutls-cli (from gnutls-bin) to negotiate STARTTLS:
<code>
:~$ gnutls-cli --starttls --port 25 mail.domain.ca
Processed 174 CA certificate(s).
Resolving '
Connecting to '

- Simple Client Mode:

220 mail.domain.ca ESMTP Sat, 09 Sep 2017 16:34:53 -0400
ehlo mailhost.com
250-mail.domain.ca Hello dhcp.provider.com [44.33.22.11]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
starttls
220 TLS go ahead
^d
*** Starting TLS handshake
...
ehlo mailhost.com
250-mail.domain.ca Hello dhcp.provider.com [44.33.22.11]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
auth login
334 4oCcVXNlcm5hbWU6
dGVzdHVzZXJAZG9tYWluLmNh
334 UGFzc3dvcmQ64oCd
dGVzdHBhc3M=
235 Authentication succeeded
quit
</code>

This fail2ban already had a /
<code>
[exim]
enabled = true
port    = all
filter  = exim
logpath = /
</code>
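To see what this jail does with the mainlog lines quoted at the top of the page, here is an added Python example (not part of the original page, and not fail2ban's own code) that applies the same counting rule: a client is banned once it reaches ''maxretry'' failures inside a sliding ''findtime'' window. The regex is my own approximation of what the fail2ban ''exim'' filter matches, the ''maxretry''/''findtime'' values are illustrative rather than the page's settings, and the lines mentioning 203.0.113.7 (a documentation address) are constructed to add a second, harmless client and a non-failure line.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Regex for the exim4 mainlog failure lines shown at the top of the page.
# It captures the timestamp, the authenticator name (login/plain), the HELO
# name in parentheses and the client address in square brackets.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for "
    r"(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
)

# Four lines are the page's own sample; the 203.0.113.7 lines are constructed.
SAMPLE_LOG = [
    "2017-09-09 13:19:03 login authenticator failed for (User) [80.82.77.175]:",
    "2017-09-09 13:20:00 plain authenticator failed for (mx) [203.0.113.7]:",
    "2017-09-09 13:24:19 login authenticator failed for (User) [80.82.77.175]:",
    "2017-09-09 13:29:34 login authenticator failed for (User) [80.82.77.175]:",
    "2017-09-09 13:34:49 login authenticator failed for (User) [80.82.77.175]:",
    "2017-09-09 13:35:02 <= sender@example.org H=mx [203.0.113.7] P=esmtp S=1234",
]


def parse_failures(lines):
    """Yield (timestamp, ip, authenticator) for each line that is an auth failure."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["auth"]


def failures_per_ip(lines):
    """Total failures per client address, regardless of timing."""
    return Counter(ip for _ts, ip, _auth in parse_failures(lines))


def ips_to_ban(lines, maxretry=3, findtime=600):
    """IPs that reach maxretry failures within a sliding window of findtime
    seconds, which is how a fail2ban jail decides to ban. The maxretry and
    findtime values are illustrative defaults, not settings from the page."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)  # ip -> failure times still inside the window
    banned = set()
    for ts, ip, _auth in sorted(parse_failures(lines)):
        hits = [t for t in recent[ip] if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    print(failures_per_ip(SAMPLE_LOG))
    # The page's attacker spaces attempts about 5 minutes apart: a 10-minute
    # findtime never sees three failures at once, a 1-hour window does.
    print("findtime=600 :", ips_to_ban(SAMPLE_LOG, maxretry=3, findtime=600))
    print("findtime=3600:", ips_to_ban(SAMPLE_LOG, maxretry=3, findtime=3600))
```

The point worth checking when tuning the jail: the four failures on the page are spaced just over five minutes apart, so with ''maxretry = 3'' a ten-minute ''findtime'' never bans 80.82.77.175, while a one-hour window does. Slow, patient guessing like this is exactly what a short window misses.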

Ref:
http://