Configuring Exim for SMTP AUTH using PAM

Software used

The following was written for exim4 on Debian Sarge, although the principles should apply to other Linux distributions. You must install exim4-daemon-heavy, which supports PAM, rather than exim4-daemon-light (which is installed by default). Testing was performed using Mozilla Thunderbird on an Ubuntu Dapper client.

Exim configuration

Exim can be configured from a single config file (/etc/exim4/exim4.conf.template), or a series of smaller files within a directory structure (/etc/exim4/conf.d/). Check for the following line in /etc/exim4/update-exim4.conf.conf:

dc_use_split_config='true'

If this line is present you are using the /etc/exim4/conf.d/ directory structure.

Enabling TLS

SMTP AUTH sends the username and password base64-encoded over the Internet. Base64 is an encoding, not encryption, so anyone who can capture the traffic can recover your password. To prevent this, encrypt your SMTP transaction with Transport Layer Security (TLS). Edit /etc/exim4/exim4.conf.template (or /etc/exim4/conf.d/main/03_exim4-config_tlsoptions) and find the following lines:

.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.

Enable TLS by inserting a line, so that it now reads:

MAIN_TLS_ENABLE=1
.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.

Configuring SMTP AUTH

If you are using multiple config files, create and edit a new file /etc/exim4/conf.d/auth/01_exim4-login. If you are using a single exim config file, open /etc/exim4/exim4.conf.template and edit the file after these lines:

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################

begin authenticators

Insert the following lines:

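{{{
login:
        driver = plaintext
        public_name = LOGIN
        # Advertise AUTH only when the session is already protected by TLS.
        server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
        server_prompts = "Username:: : Password::"
        # Double any colons in the password so the colon-separated
        # pam{} list is not split on them.
        server_condition = ${if pam{$1:${sg{$2}{:}{::}}}{1}{0}}
        server_set_id = $1
}}}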

This enables LOGIN authentication, but only for clients that are using a connection secured with TLS.

Reloading the Exim configuration

Confirm and reload the new Exim configuration:

odie:/etc/exim4# update-exim4.conf
odie:/etc/exim4# /etc/init.d/exim4 reload
Reloading exim4 configuration files
odie:/etc/exim4#

PAM configuration

Build and install the pam_exim.so module

Download the pam_exim sources (http://www.e-admin.de/pam_exim/pam_exim.tgz), and the Linux-PAM sources (which match the version of PAM installed on your system) from http://kernel.org/pub/linux/libs/pam/pre/library/. Unpack the Linux-PAM sources, configure and make (but do not 'make install') them:

scuff@scuff:~/src$ tar xzf Linux-PAM-0.76.tar.gz
scuff@scuff:~/src$ cd Linux-PAM-0.76
scuff@scuff:~/src/Linux-PAM-0.76$ ./configure && make

Unpack the pam_exim sources into the Linux-PAM source directory:

scuff@scuff:~/src/Linux-PAM-0.76$ tar xzf ../pam_exim.tgz

Edit the file modules/pam_exim/unix_chkpwd.c and change the following lines:

#define MINUID          500
#define EXIMUID         8
#define EXIMGID         12

... to suit your system. MINUID is the UID of the first non-system user; EXIMUID and EXIMGID are the UID and GID, respectively, of the Debian-exim user. On my Debian Sarge system, this gave the following result:

#define MINUID          1000
#define EXIMUID         102
#define EXIMGID         102

If you are running a 2.6.x kernel, you must also apply the following patch to modules/pam_exim/support.c:

--- modules/pam_exim/support.c.orig     2006-08-25 17:35:45.030888296 +0100
+++ modules/pam_exim/support.c  2006-08-25 17:36:08.729285592 +0100
@@ -406,6 +406,8 @@
{{{
        return PAM_AUTH_ERR;
     }

+ + signal(SIGCHLD, SIG_DFL);

     /* fork */
     child = fork();
     if (child == 0) {
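Review bot: The signal(SIGCHLD, SIG_DFL) call added before fork() discards the previous disposition, so the function has no way to put back whatever the host process had installed. Because this code runs inside a PAM module loaded into another program, save the old handler here (the return value of signal(), or sigaction() with an old-action argument) and restore that saved value once the child has been reaped. A one-line comment saying why the default disposition is needed around the fork would also help the next reader.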
@@ -454,6 +456,7 @@
        retval = PAM_AUTH_ERR;
     }

+ signal(SIGCHLD, SIG_IGN);

     D(("returning %d", retval));
     return retval;
 }

}}}
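Review bot: The signal(SIGCHLD, SIG_IGN) added before "return retval" hard-codes the disposition the caller is assumed to have had; a calling program that installed its own SIGCHLD handler, or left the default, comes back from authentication with child-exit notifications ignored. Restore the disposition saved before the fork() instead of SIG_IGN, and check that every return path after the first signal() call passes through this restore.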

(Patch taken from http://www.e-admin.de/pam_exim/owen-patch.c, authored by Greg Owen)

Build the pam_exim module:

scuff@scuff:~/src/Linux-PAM-0.76$ cd modules/pam_exim/
scuff@scuff:~/src/Linux-PAM-0.76/modules/pam_exim$ make

Finally, copy the binaries to their final destinations. The exim_chkpwd binary must be setuid to work:

scuff@scuff:~/src/Linux-PAM-0.76/modules/pam_exim$ sudo sh
Password:
sh-3.1# chown root:root exim_chkpwd
sh-3.1# chmod u=rxs exim_chkpwd
sh-3.1# mv exim_chkpwd /sbin/
sh-3.1# chmod a-x pam_exim.so
sh-3.1# mv pam_exim.so /lib/security/

Create the Exim PAM configuration

Create a file /etc/pam.d/exim which reads:

#%PAM-1.0

auth            required        pam_exim.so
account         required        pam_permit.so

Testing

Configure your mail client to send email using an authenticated TLS connection, and give it a go!

Notes

Make sure your users have strong passwords; otherwise anyone who guesses one can authenticate and you'll turn yourself into a relay.

You can change the "server_prompts" setting so it says something different (e.g. server_prompts = "Your username:: : Your password::") but this will break programs such as Outlook Express as these expect the base64 result of the words "Username:" and "Password:".
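To make the test repeatable, the following Python is an added example (not part of the original page): it checks that AUTH LOGIN is advertised only after STARTTLS, as server_advertise_condition intends, and decodes the base64 prompts that clients expect. The EHLO replies and the host name mail.example.org are constructed; probe() assumes the server's certificate verifies against the system trust store.

```python
import base64
import smtplib
import ssl

# Constructed EHLO replies for illustration (not captured from a real server).
PRE_TLS = "250-mail.example.org Hello client\n250-SIZE 52428800\n250-STARTTLS\n250 HELP"
POST_TLS = "250-mail.example.org Hello client\n250-SIZE 52428800\n250-AUTH LOGIN\n250 HELP"

def extensions(ehlo_text):
    """Map EHLO keywords to arguments; accepts raw '250-' lines or smtplib text."""
    ext = {}
    for line in ehlo_text.splitlines()[1:]:      # first line is the greeting
        if line[:4] in ("250-", "250 "):
            line = line[4:]
        words = line.split()
        if words:
            ext[words[0].upper()] = [w.upper() for w in words[1:]]
    return ext

def check_policy(pre_tls_ehlo, post_tls_ehlo):
    """Return deviations from 'offer AUTH LOGIN only on a TLS session'."""
    pre, post = extensions(pre_tls_ehlo), extensions(post_tls_ehlo)
    problems = []
    if "STARTTLS" not in pre:
        problems.append("STARTTLS not advertised")
    if "AUTH" in pre:
        problems.append("AUTH advertised before TLS")
    if "LOGIN" not in post.get("AUTH", []):
        problems.append("AUTH LOGIN not advertised after TLS")
    return problems

def b64_text(token):
    """Decode a base64 token from a 334 prompt or a client's reply."""
    return base64.b64decode(token).decode("utf-8")

def probe(host, port=25):
    """Live check of a server you run; assumes its certificate verifies."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre = s.ehlo_resp.decode("latin-1")
        if not s.has_extn("starttls"):
            return check_policy(pre, "")
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        return check_policy(pre, s.ehlo_resp.decode("latin-1"))

if __name__ == "__main__":
    print(check_policy(PRE_TLS, POST_TLS))                # [] when the policy holds
    print(b64_text("VXNlcm5hbWU6"), b64_text("UGFzc3dvcmQ6"))
```

An empty list from probe() means the server offers STARTTLS, withholds AUTH on the cleartext session, and offers LOGIN once TLS is up.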

LinuxHints/EximSMTPAuth (last edited 2008-06-10 07:46:41 by 86)