2
### auth/30_exim4-config_examples
3
#################################
5
# The examples below are for server side authentication; they allow two
6
# styles of plain-text authentication against an CONFDIR/passwd file
7
# which should have user IDs in the first column and crypted passwords
8
# in the second. The columns need to be separated by ':'. For CRAM-MD5
9
# exim needs access to the UNECRYPTED passwd - the example below assumes
10
# it is avalable in the third column of CONFDIR/passwd
15
# server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
22
# server_prompts = "Username:: : Password::"
23
# server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
28
# public_name = CRAM-MD5
29
# server_secret = ${extract{2}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}fail}}}
32
# Here is an example of CRAM-MD5 authentication against PostgreSQL:
36
# public_name = CRAM-MD5
37
# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$1}'}{$value}fail}
41
# See /usr/share/doc/exim4-base/README.SMTP-AUTH
44
# These examples below are the equivalent for client side authentication.
45
# They get the passwords from CONFDIR/passwd.client. This file should have
46
# three columns separated by colons, the first contains the name of the
47
# mailserver to authenticate against, the second the username and the third
48
# contains the password.
50
### # example for CONFDIR/passwd.client
51
### mail.server:blah:secret
57
public_name = CRAM-MD5
58
client_name = ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
59
client_secret = ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
61
# Because AUTH PLAIN sends the password in clear, per default we only allow it
62
# over encrypted connections. If you want to change this disable the existing
63
# "client send" entry and enable the one below without the "if !eq{$tls_cipher}{}"
64
# by removing the hash-mark (#) at the beginning of the line.
68
client_send = "${if !eq{$tls_cipher}{}{\
70
{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
72
{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
74
# client_send = "^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
76
# Because AUTH LOGIN sends the password in clear, per default we only allow it
77
# over encrypted connections. If you want to change this disable the existing
78
# "client send" entry and enable the one below without the "if !eq{$tls_cipher}{}"
79
# by removing the hash-mark (#) at the beginning of the line.
83
client_send = "${if !eq{$tls_cipher}{}{}fail}\
85
{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \
87
{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
88
# client_send = ": ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"