This shows you the differences between two versions of the page.
exim_smtp_authentication_against_ldap [2017/09/09 17:42] ian created |
exim_smtp_authentication_against_ldap [2020/02/13 22:55] (current) |
||
---|---|---|---|
Line 14: | Line 14: | ||
Fortunately exim has all the bits and pieces needed to do the LDAP lookups, it's just a matter of stringing them together. | Fortunately exim has all the bits and pieces needed to do the LDAP lookups, it's just a matter of stringing them together. | ||
+ | <note tip> | ||
I found 'exim -be' to be very handy in debugging the exim expansions for each section. | I found 'exim -be' to be very handy in debugging the exim expansions for each section. | ||
+ | </ | ||
First we need to find the user's LDAP DN based on a uid lookup of the supplied username: | First we need to find the user's LDAP DN based on a uid lookup of the supplied username: | ||
Line 66: | Line 68: | ||
$ echo -en ' | $ echo -en ' | ||
AHRlc3R1c2VyQGRvbWFpbi5jYQB0ZXN0cGFzcw== | AHRlc3R1c2VyQGRvbWFpbi5jYQB0ZXN0cGFzcw== | ||
+ | </ | ||
+ | auth login uses 2 separate base64 strings for username (4oCcVXNlcm5hbWU6) and password (UGFzc3dvcmQ64oCd) | ||
+ | < | ||
+ | $ echo -n ' | ||
+ | dGVzdHVzZXJAZG9tYWluLmNh | ||
+ | $ echo -n ' | ||
+ | dGVzdHBhc3M= | ||
</ | </ | ||
</ | </ | ||
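Review bot: The added sentence labels 4oCcVXNlcm5hbWU6 and UGFzc3dvcmQ64oCd as the username and password, but these are the server's 334 challenges, not the client's credentials. They also decode to “Username: and Password:” with a typographic opening quote and closing quote attached, where the conventional challenges are VXNlcm5hbWU6 and UGFzc3dvcmQ6. It is worth checking whether the prompt strings in the LOGIN authenticator were pasted with curly quotes, since clients may expect the conventional prompts. Suggest rewording to say which strings are the prompts and which are the base64 of the username and password, and adding that base64 is an encoding only, so both values are readable by anyone who can see the session.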
Line 72: | Line 81: | ||
:~$ exim4 -bhc 66.55.44.33 -d+all | :~$ exim4 -bhc 66.55.44.33 -d+all | ||
... | ... | ||
- | 220 cusw04-02.cusw.ca ESMTP Sat, 09 Sep 2017 17:14:32 -0400 | + | 220 mail.domain.ca ESMTP Sat, 09 Sep 2017 17:14:32 -0400 |
17:14:32 22572 smtp_setup_msg entered | 17:14:32 22572 smtp_setup_msg entered | ||
ehlo mailhost.com | ehlo mailhost.com | ||
... | ... | ||
- | 250-cusw04-02.cusw.ca Hello mailhost.com [66.55.44.33] | + | 250-mail.domain.ca Hello mailhost.com [66.55.44.33] |
250-SIZE 52428800 | 250-SIZE 52428800 | ||
250-8BITMIME | 250-8BITMIME | ||
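Review bot: Replacing cusw04-02.cusw.ca with mail.domain.ca in the 220 banner and the 250 greeting only sanitizes the current revision; the old hostname stays readable in the page history, as this diff itself shows. If the hostname is meant to be private, the 2017 revision needs to be removed from the history as well.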
Line 135: | Line 144: | ||
250-STARTTLS | 250-STARTTLS | ||
250 HELP | 250 HELP | ||
- | auth plain | + | auth login |
- | 334 | + | 334 4oCcVXNlcm5hbWU6 |
- | AHRlc3R1c2VyQGRvbWFpbi5jYQB0ZXN0cGFzcw== | + | dGVzdHVzZXJAZG9tYWluLmNh |
+ | 334 UGFzc3dvcmQ64oCd | ||
+ | dGVzdHBhc3M= | ||
235 Authentication succeeded | 235 Authentication succeeded | ||
quit | quit | ||
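Review bot: In the new transcript, auth login follows 250 HELP directly with no STARTTLS, so dGVzdHVzZXJAZG9tYWluLmNh and dGVzdHBhc3M= cross the session protected by base64 only. With the auth_advertise_hosts setting added in the last hunk, AUTH would not be offered to 66.55.44.33 on an unencrypted session, so the example should either state that it was captured before that restriction or be redone over TLS. The change also drops the auth plain exchange that used the string built in the earlier section; consider keeping both transcripts.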
Line 150: | Line 161: | ||
logpath = / | logpath = / | ||
</ | </ | ||
+ | |||
+ | You will probably want to have Exim listen to alternate ports (465/587), and allow auth only on encrypted connections: | ||
+ | < | ||
+ | daemon_smtp_ports = 25 : 465 : 587 | ||
+ | tls_on_connect_ports = 465 | ||
+ | auth_advertise_hosts = localhost : ${if eq{$tls_cipher}{}{}{*}} | ||
+ | </ | ||
+ | |||
+ | Ref: | ||
+ | http:// | ||
+ | |||
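Review bot: In auth_advertise_hosts, the localhost entry is matched before the $tls_cipher test, so local connections are still offered AUTH in cleartext; say so in the text, or drop the entry if nothing local needs to authenticate. The surrounding sentence could also mention that tls_on_connect_ports and STARTTLS only work once a certificate and key are configured, and that port 25 stays in daemon_smtp_ports, where AUTH is likewise offered only after STARTTLS.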