mail-mta/exim: update/append instructions for authenticators

Previous iteration for PAM replacement with gsasl was based on a
misunderstanding.  Document the Cyrus SASL route using saslauthd, as the
Dovecot implementation is trivial (copy/paste from their docs).
Hopefully this allows people to get their instances up and running
within reasonable time.

Closes: https://bugs.gentoo.org/964558
Signed-off-by: Fabian Groffen <grobian@gentoo.org>
Fabian Groffen 2025-10-19 09:58:02 +02:00
parent 10aa88b086
commit e03b214b3e
No known key found for this signature in database
GPG Key ID: CE95DA854E444293

@ -1,25 +1,39 @@
###################################################################### ######################################################################
# AUTHENTICATION CONFIGURATION # # AUTHENTICATION CONFIGURATION #
###################################################################### ######################################################################
# Using PAM with Exim on Gentoo is non-ideal from security perspective, see: # Using PAM directly from Exim on Gentoo is non-ideal from security
# perspective, see:
# https://bugs.gentoo.org/964377 # https://bugs.gentoo.org/964377
# Suggestion is to use Dovecot's SASL # Suggestion is to use Dovecot's SASL
# https://doc.dovecot.org/2.4.1/howto/sasl/exim.html#exim-and-dovecot-sasl # https://doc.dovecot.org/2.4.1/howto/sasl/exim.html#exim-and-dovecot-sasl
# or GNU SASL # or Cyrus SASL's saslauthd
# https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_gsasl_authenticator.html # https://exim-users.exim.narkive.com/joAt25zW/authentication-using-saslauthd-cyrus-sasl
# You will want to setup at least 2 directives for AUTH support that are
# only announced on secure connections (e.g. after STARTTLS) so the
# client never attempts to send the plain password over an unencrypted
# connection.
# The "plain" directive works for nearly everything except windows MUA's. # The "plain" directive works for nearly everything except windows MUA's.
# The "login" directive will allow you to authenticate your Outlook 2000 and # The "login" directive will allow you to authenticate your Outlook 2000 and
# outlook express clients. # outlook express clients.
# below an example of how to use Cyrus SASL in Exim's authenticators.
# below an example of how to use GNU SASL
#plain: #plain:
# driver = gsasl # driver = cyrus_sasl
# public_name = PLAIN # public_name = PLAIN
# server_set_id = $auth1 # server_set_id = $auth1
# server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
# #
#login: #login:
# driver = gsasl # driver = cyrus_sasl
# public_name = LOGIN # public_name = LOGIN
# server_set_id = $auth1 # server_set_id = $auth1
# server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
#
# to tell cyrus_sasl to connect to the saslauth deamon, you need a file
# /etc/sasl2/exim.conf containing:
#pwcheck_method: saslauthd
#
# and make sure you configure /etc/conf.d/saslauthd properly, e.g. use
# "-a shadow" for the simplest support, or when using pam that the
# appropriate /etc/pam.d/saslauthd is setup.
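
Review bot: the reference added under "or Cyrus SASL's saslauthd" points to a third-party narkive archive of a mailing-list thread, whereas the line it replaces linked the Exim specification. An archive link is more likely to rot and is not authoritative for the `cyrus_sasl` driver options used in the example, so consider linking the Exim specification chapter for the cyrus_sasl authenticator instead of, or alongside, the thread. In the closing comment block, "saslauth deamon" should read "saslauthd daemon", and "setup" is used as a verb in "You will want to setup" and "is setup", where "set up" is meant. The block also still ends the old introduction ("The \"login\" directive ... outlook express clients.") directly before "below an example of how to use Cyrus SASL", so a blank comment line and a capitalised "Below is an example" would make the start of the example easier to spot.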