Mr Zesty's BrainDump

User Tools

Site Tools

Trace: Exim SMTP Authentication against LDAP
exim_smtp_authentication_against_ldap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision 		Previous revision
exim_smtp_authentication_against_ldap [2017/09/09 17:42]
ian created 		exim_smtp_authentication_against_ldap [2020/02/13 22:55] (current)
Line 14: Line 14:
 Fortunately exim has all the bits and pieces needed to do the LDAP lookups, it's just a matter of stringing them together. Fortunately exim has all the bits and pieces needed to do the LDAP lookups, it's just a matter of stringing them together.
  
 +<note tip>
 I found 'exim -be' to be very handy in debugging the exim expansions for each section. I found 'exim -be' to be very handy in debugging the exim expansions for each section.
 +</note>
  
 First we need to find the user's LDAP DN based on a uid lookup of the supplied username: First we need to find the user's LDAP DN based on a uid lookup of the supplied username:
Line 66: Line 68:
 $ echo -en '\[email protected]\0testpass' | base64 $ echo -en '\[email protected]\0testpass' | base64
 AHRlc3R1c2VyQGRvbWFpbi5jYQB0ZXN0cGFzcw== AHRlc3R1c2VyQGRvbWFpbi5jYQB0ZXN0cGFzcw==
 +</code>
 +auth login uses 2 separate base64 strings for username (4oCcVXNlcm5hbWU6) and password (UGFzc3dvcmQ64oCd)
 +<code>
 +$ echo -n '[email protected]' | base64
 +dGVzdHVzZXJAZG9tYWluLmNh
 +$ echo -n 'testpass' | base64
 +dGVzdHBhc3M=
 </code> </code>
 </note> </note>
Line 72: Line 81:
 :~$ exim4 -bhc 66.55.44.33 -d+all :~$ exim4 -bhc 66.55.44.33 -d+all
 ... ...
-220 cusw04-02.cusw.ca ESMTP Sat, 09 Sep 2017 17:14:32 -0400+220 mail.domain.ca ESMTP Sat, 09 Sep 2017 17:14:32 -0400
 17:14:32 22572 smtp_setup_msg entered 17:14:32 22572 smtp_setup_msg entered
 ehlo mailhost.com ehlo mailhost.com
 ... ...
-250-cusw04-02.cusw.ca Hello mailhost.com [66.55.44.33]+250-mail.domain.ca Hello mailhost.com [66.55.44.33]
 250-SIZE 52428800 250-SIZE 52428800
 250-8BITMIME 250-8BITMIME
Line 135: Line 144:
 250-STARTTLS 250-STARTTLS
 250 HELP 250 HELP
-auth plain +auth login 
-334 +334 4oCcVXNlcm5hbWU6 
-AHRlc3R1c2VyQGRvbWFpbi5jYQB0ZXN0cGFzcw==+dGVzdHVzZXJAZG9tYWluLmNh 
 +334 UGFzc3dvcmQ64oCd 
 +dGVzdHBhc3M=
 235 Authentication succeeded 235 Authentication succeeded
 quit quit
Line 150: Line 161:
 logpath = /var/log/exim4/mainlog logpath = /var/log/exim4/mainlog
 </code> </code>
 +
 +You will probably want to have Exim listen to alternate ports (465/587), and allow auth only on encrypted connections:
 +<code>
 +daemon_smtp_ports = 25 : 465 : 587
 +tls_on_connect_ports = 465
 +auth_advertise_hosts = localhost : ${if eq{$tls_cipher}{}{}{*}}
 +</code>
 +
 +Ref:
 +http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_plaintext_authenticator.html
 +
  
exim_smtp_authentication_against_ldap.1504993375.txt.gz · Last modified: 2020/02/13 22:55 (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
CC Attribution-Noncommercial-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki
free spam filter