Mailing List Archive

Server side PLAIN and LOGIN Auth against PAM
Hi all,

Running Archlinux, I installed exim 4.96.2.

I want to implement server side PLAIN and LOGIN auth against PAM.

In order to isolate issues, I make it without SSL for this first step;
I will add SSL after successfully setting it up in clear text.

This is what I modified from the default configuration:

    primary_hostname = <the hostname>
    domainlist local_domains = @:<domain1>:<domain2>
    hostlist relay_from_hosts = localhost

I changed the default daemon_smtp_ports to the following (because I don't
use SSL, I don't use 465):

    daemon_smtp_ports = 25 : 587

The ACL section is the default one, strictly the same as
https://github.com/Exim/exim/blob/b94ea1bd61485a97c2d0dc2cab4c4d86ffe82e89/src/src/configure.default#L390

The Authenticators section has been modified and this is the full content:

    begin authenticators
    PLAIN:
      driver                     = plaintext
      server_set_id              = $auth2
      server_prompts             = :
      server_condition           = ${if pam{$auth2:$auth3}{1}{0}}"
      server_advertise_condition = *

    # LOGIN authentication has traditional prompts and responses. There is no
    # authorization ID in this mechanism, so unlike PLAIN the username and
    # password are $auth1 and $auth2. Apart from that you can use the same
    # server_condition setting for both authenticators.

    LOGIN:
      driver                     = plaintext
      server_set_id              = $auth1
      server_prompts             = "Username:: : Password::"
      server_condition           = "${if pam{$auth1:$auth2}{1}{0}}"
      server_advertise_condition = *

I also created a file named /etc/pam.d/exim (pam.d/ is traversable by
all, exim is readable by all) with the content

    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        required      /lib/security/$ISA/pam_deny.so
    account     required      /lib/security/$ISA/pam_unix.so
    password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5shadow
    password    required      /lib/security/$ISA/pam_deny.so
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so


The problem:
When I try to send a message by submitting it to port 587 using the
right credentials (Using Thunderbird), I get this in the logs:

    PLAIN authenticator failed for ... 435 Unable to authenticate at present (set_id=mihamina): 0"
    LOGIN authenticator failed for ... 535 Incorrect authentication data (set_id=mihamina)

I think there is a problem with my "server_condition" in each
authenticator, but I cannot figure out what the problem is.
Would you help, please?

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Server side PLAIN and LOGIN Auth against PAM
On 2023-10-20 Mihamina RKTMB via Exim-users <exim-users@lists.exim.org> wrote:
> Hi all,

> Running Archlinux, I installed exim 4.96.2.

> I want to implement server side PLAIN and LOGIN auth against PAM.
[...]
> I think there is a problem with my "server_condition" in each authenticator,
> but I cannot figure out what the problem is.
> Would you help, please?

When I tested this ages ago for Debian I ended up with this conclusion:
| On Debian systems the PAM modules run as the same user as the calling
| program, so they cannot do anything you could not do yourself, and in
| particular cannot access /etc/shadow unless the user is in group shadow.
| - If you want to use /etc/shadow for Exim's SMTP AUTH you will need to
| run exim as group shadow. [...] We suggest using saslauthd instead.

Using dovecot as AUTH proxy should also work.

cu Andreas

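As an added example (not from the thread or from Exim itself), the check behind Andreas's point and the saslauthd route he recommends, in shell. PAM modules loaded by Exim execute inside the Exim process as Exim's runtime user, so pam_unix can open /etc/shadow only if that user is root or in the file's group; its setuid helper unix_chkpwd does not rescue a daemon, because as non-root it only verifies the calling uid's own account. saslauthd runs as root and does the PAM conversation on Exim's behalf, so Exim needs no shadow access at all. Assumptions: Linux with GNU coreutils, an Exim built with the cyrus_sasl driver, libsasl reading /etc/sasl2/exim.conf, and saslauthd started with "-a pam"; file paths and group names (shadow, sasl) are distro-dependent.

```shell
#!/bin/sh
# Added example (not from the thread): who does Exim's PAM run as, and the
# saslauthd-based alternative. Assumed: Linux + GNU coreutils, Exim built with
# the cyrus_sasl driver, libsasl config at /etc/sasl2/exim.conf, saslauthd -a pam.

# Exim prints its configured runtime identity with -bP (the binary is called
# exim4 on some distributions; adjust if so).
exim_runtime_identity() {
    exim -bP exim_user exim_group 2>/dev/null || echo "exim binary not found in PATH"
}

# PAM modules loaded by Exim run as Exim's user, so in-process pam_unix can
# read /etc/shadow only if that user is root or in the file's group.
shadow_access_report() {
    user="$1"
    if ! groups=$(id -Gn "$user" 2>/dev/null); then
        echo "no such user: $user"
        return 1
    fi
    shadow_group=$(stat -c %G /etc/shadow 2>/dev/null || echo shadow)
    case " $groups " in
        *" $shadow_group "*) echo "$user is in group $shadow_group: in-process pam_unix can read /etc/shadow" ;;
        *)                   echo "$user is not in group $shadow_group: in-process pam_unix cannot read /etc/shadow" ;;
    esac
}

# Write the three files for the saslauthd route under ROOT (pass "" for /).
# saslauthd (root) evaluates PAM; Exim only talks to saslauthd's socket.
write_saslauthd_configs() {
    root="$1"
    mkdir -p "$root/etc/sasl2" "$root/etc/pam.d" "$root/etc/exim"

    # libsasl application config: hand PLAIN/LOGIN verification to saslauthd.
    cat > "$root/etc/sasl2/exim.conf" <<'EOF'
pwcheck_method: saslauthd
mech_list: plain login
EOF

    # PAM service "smtp" (Exim's default server_service): saslauthd runs it
    # as root, so pam_unix can read /etc/shadow here.
    cat > "$root/etc/pam.d/smtp" <<'EOF'
auth     required   pam_unix.so
account  required   pam_unix.so
EOF

    # Exim authenticators. The cyrus_sasl driver copies the authenticated
    # username into $auth1. Advertise only inside TLS; for a clear-text test
    # phase like the first post's, use "*" instead.
    cat > "$root/etc/exim/authenticators.saslauthd" <<'EOF'
begin authenticators
plain_sasl:
  driver                     = cyrus_sasl
  public_name                = PLAIN
  server_service             = smtp
  server_set_id              = $auth1
  server_advertise_condition = ${if def:tls_in_cipher}
login_sasl:
  driver                     = cyrus_sasl
  public_name                = LOGIN
  server_service             = smtp
  server_set_id              = $auth1
  server_advertise_condition = ${if def:tls_in_cipher}
EOF
}

# Demonstration: report on the conventional "exim" user, then write the files
# into a scratch directory so the live system is not touched.
exim_runtime_identity
shadow_access_report exim || true
scratch=$(mktemp -d)
write_saslauthd_configs "$scratch"
ls -R "$scratch/etc"
rm -rf "$scratch"
```

Before wiring it into Exim, verify the daemon side alone with `testsaslauthd -u <user> -p '<password>' -s smtp`; if that fails, the problem is in saslauthd or /etc/pam.d/smtp, not in Exim. The Exim user still needs permission on saslauthd's socket directory (typically /run/saslauthd, which some distros restrict to a `sasl` group), and that is the only privilege it gains.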
Re: Server side PLAIN and LOGIN Auth against PAM
Hello Mihamina and others,

Please note that LOGIN and PLAIN are not the best choice for security.
It is really better to use SCRAM-SHA-*(-PLUS), which are supported by Exim.

Regards,

Neustradamus
________________________________________
From: Mihamina RKTMB via Exim-users <exim-users@lists.exim.org>
Sent: Friday, October 20, 2023 14:08
To: exim-users@lists.exim.org
Subject: [exim] Server side PLAIN and LOGIN Auth against PAM

Re: Server side PLAIN and LOGIN Auth against PAM
> | - If you want to use /etc/shadow for Exim's SMTP AUTH you will need to
> | run exim as group shadow. [...] We suggest using saslauthd instead.

I use PAM and pam_pop3:

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}
  client_send = ^${extract{user}{$address_data}{$value}fail}^${extract{pass}{$address_data}{$value}fail}
  server_set_id = $2
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}${acl{hash}{$auth1,$auth2}}
  server_set_id = $1

/etc/pam.d/exim:

auth required /usr/local/lib/pam_pop3.so hostname=localhost info pwprompt=Password: timeout=5
account required pam_permit.so

As the POP3 server I use `popa3d` invoked from inetd, rate limited. In order to
exclude Exim auth checks from rate limiting, I use a firewall redirecting
queries from localhost to another port:

add 10 reset tcp from not me to me 109
add 20 fwd lena.kiev.ua,109 tcp from me to me 110
add 2000 allow ip from any to any

In /etc/inetd.conf :

pop3 stream tcp nowait/0/5 root /usr/local/libexec/popa3d popa3d
pop3s stream tcp nowait/0/7 root /usr/local/bin/stunnel stunnel /usr/local/etc/stunnel/popa3d.conf
# 109:
pop2 stream tcp nowait root /usr/local/libexec/popa3d popa3d

/usr/local/etc/stunnel/popa3d.conf :

debug = 4
compression = zlib
pid =
cert = /usr/local/etc/stunnel/stunnel.pem
exec = /usr/local/libexec/popa3d
execargs = popa3d
options = NO_SSLv2
options = NO_SSLv3

In Exim+openssl I do allow (in openssl3 make config) SSL3, TLS1_1, TLS1_2,
DES, IDEA, RC2, RC3, RC5, WEAK-SSL-CIPHERS
because an alternative would be worse (fallback to plaintext).
Without tls_require_ciphers in Exim config, only:

tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem
tls_dhparam = /usr/local/etc/exim/dhparam.pem
tls_advertise_hosts = ${if match{$sender_host_name}{\N\.mailgun\.us$\N}{}{*}}


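Two Exim rules decide what the first post and the reply above are seeing, and the shell functions below model them outside Exim as an added example (this is a model of the documented behaviour, not Exim's code). First, Exim reads the expanded server_condition string as a verdict: "1", "yes" or "true" succeeds; empty, "0", "no" or "false" fails with 535; any other result is a temporary 435 error with the expanded string as the message. That is why the PLAIN authenticator in the first post, whose condition ends in a stray double quote, logs `435 ... : 0"` while the LOGIN one logs a plain 535. Second, the pam{} condition splits its argument on single colons, with a doubled colon standing for a literal colon, so a colon inside a password has to be escaped, which is what `${sg{$auth3}{:}{::}}` in the reply above does. The credentials below are constructed; the 235/535/435 labels are the SMTP codes Exim returns.

```shell
#!/bin/sh
# Added example (not from the thread): a model of how Exim judges the
# server_condition result and how the pam{} condition splits its argument.

# Exim's pam{} condition splits the expanded argument on single colons; a
# doubled colon stands for a literal colon. Prints one item per line.
exim_split_items() {
    printf '%s\n' "$1" | awk '{
        gsub(/::/, "\n")              # protect doubled colons with a placeholder
        n = split($0, item, ":")
        for (i = 1; i <= n; i++) {
            gsub(/\n/, ":", item[i])  # restore the literal colons
            print item[i]
        }
    }'
}

# Equivalent of ${sg{$auth3}{:}{::}}: escape every colon in a password.
exim_escape_colons() {
    printf '%s\n' "$1" | sed 's/:/::/g'
}

# Exim's verdict on the expanded server_condition string (Exim compares
# case-insensitively; lower case is used here):
#   1/yes/true -> 235 accept; empty/0/no/false -> 535 reject;
#   anything else -> 435 temporary error, with the string as the message.
exim_condition_verdict() {
    case "$1" in
        1|yes|true)     echo "235 accept" ;;
        ""|0|no|false)  echo "535 reject" ;;
        *)              echo "435 defer: $1" ;;
    esac
}

# --- demonstration ---------------------------------------------------------
# The PLAIN condition in the first post ends in a stray double quote, so when
# pam{} fails the whole string expands to 0" rather than 0:
exim_condition_verdict '0"'   # 435 defer: 0"
exim_condition_verdict '0'    # 535 reject  (the LOGIN case, no stray quote)

# Constructed credentials with a colon inside the password:
user=mihamina
pass='pa:ss'
raw="$user:$pass"
safe="$user:$(exim_escape_colons "$pass")"
echo "unescaped ($raw) gives $(exim_split_items "$raw" | wc -l | tr -d ' ') pam items"
echo "escaped   ($safe) gives $(exim_split_items "$safe" | wc -l | tr -d ' ') pam items"
```

Run as-is to see the two verdicts and the 3-versus-2 item counts; the unescaped form hands PAM the user "mihamina" with password "pa", which can only ever fail.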
Re: Server side PLAIN and LOGIN Auth against PAM
On 10/21/23 15:14, * Neustradamus * via Exim-users wrote:
> Hello Mihamina and others,
>
> Please note that LOGIN and PLAIN are not the better choice for security.
> It is really better to use SCRAM-SHA-*(-PLUS) which are supported by Exim.
>
> Regards,
>
> Neustradamus

Neustradamus,

I do want to make this PLAIN and LOGIN work, then I will switch to
another method.

Do you have an authenticator configuration that will work against PAM, please?

Regards

