Skip to content


Nigel Metheringham edited this page Nov 25, 2012 · 1 revision

Exim's string expansion gives you the ability to use authenticators that are currently not built in. One (and currently the only) example is CRAM-SHA1:

First, we need a pseudo-random challenge string. Exim has (as of version 4.60) no support for random numbers, so we use the PID and the unix time (seconds since 1970-01-01):

# main config
acl_smtp_auth = acl_check_auth

# acl config
   warn  set acl_c0 = <$pid.$tod_epoch@$primary_hostname>

Change "c0" if you already use this ACL variable to a free one.

The authenticator:

# authentication config

  driver = plaintext
  public_name = CRAM-SHA1
  server_prompts = $acl_c0
  server_set_id = ${sg {${extract {1}{ }{$1} }} {[^a-zA-Z0-9.-_]} {?}}
  server_condition = ${if eq \
      {${extract {2}{ }{$1} }} \
      {${hmac{sha1} \
        {${lookup {${extract {1}{ }{$1} }} lsearch {/etc/exim/passwd} {$value}fail}} \
        {$acl_c0} }} }

Here we use a lsearch lookup the get the password, you can replace it with the password lookup that suits your setup. However, we need the password in plaintext, not crypted or hashed.


  • The only hash methods supported (as of 4.60) are md5 and sha1. Exim has a builtin CRAM-MD5 authenticator, so using md5 make no sense.
  • The challenge string might look too simple to be secure, but the only requirement is that it must be unique over time, which is very unlikely to be violated on real world systems. If you are concerned about that, add delay = 1s to the warn ACL stanza.