AuthenticatedSmtpUsingPwauth

Lena edited this page Sep 28, 2022 · 2 revisions

Authenticated SMTP using pwauth

Introduction

One of the options Exim has for authentication without root access is SASLAuthd from the Cyrus suite. However, there is another option: pwauth, which is probably easier to set up and which can be used by multiple daemons (such as Apache and Exim). It is recommended that you follow the instructions in the AuthenticatedSmtpUsingPam tutorial regarding encryption (TLS), as they are not discussed here. This is based on a Debian 5.0/Lenny install.

Required Software

Compiling Exim

Since I run Debian 5.0/Lenny, which has a package system, I did not need to compile Exim. Issuing apt-get install exim4 as root is enough (and most Debian users would not have to do that either, because Exim4 is the standard MTA on Debian).

Since I only use plaintext as the authenticator driver, I don't think there's much hocus-pocus in compiling Exim. If anyone has instructions on compiling, please edit this page.

Configuring and compiling pwauth

Download pwauth, extract the package and cd into the new directory:

wget 'http://unixpapa.com/software/pwauth-2.3.8.tar.gz'
tar xzf ./pwauth-2.3.8.tar.gz
cd pwauth-2.3.8/

As with any piece of software you compile yourself, you should read the README and the INSTALL file. They contain all the information you'll need to configure pwauth. Next, edit config.h and set it up to reflect your system. The settings I used are the following:

#define SHADOW_SUN
#define UNIX_LASTLOG
#define HAVE_LASTLOG_H
#define NOLOGIN_FILE "/etc/nologin"
#define MIN_NOLOGIN_UID 1
#define CHECK_LOGIN_EXPIRATION
#define CHECK_PASSWORD_EXPIRATION
#define SERVER_UIDS 33,101
#define MIN_UNIX_UID 500
#define SLEEP_LOCK "/var/run/pwauth.lock"

You need to pay special attention to the SERVER_UIDS line, as it can differ on your system. It takes a list of the UIDs (user IDs) that are allowed to run pwauth. This list obviously needs to include the user that runs Exim. On my system, Exim is run as user Debian-exim. To retrieve the UID for this user, I give the following command:

grep Debian-exim /etc/passwd

It gives the following output on my system:

Debian-exim:x:101:105::/var/spool/exim4:/bin/false

The UID is the number after the second ':' (so the UID is 101).

In case you're wondering why I have two UIDs in the SERVER_UIDS line: UID 33 is the user Apache is running under.
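A pre-build check for the SERVER_UIDS setting described above, as an added example that is not part of the original wiki page or of pwauth. The function names, the constructed passwd lines (including the account name www-data for UID 33) and the rule that a UID at or above MIN_UNIX_UID counts as an ordinary login account are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit pwauth's SERVER_UIDS against a passwd file before "make".

# Print the UIDs on the "#define SERVER_UIDS ..." line of config.h, one per line.
server_uids() {
    awk '$1 == "#define" && $2 == "SERVER_UIDS" {
        sub(/\/\*.*/, ""); sub(/^#define[ \t]+SERVER_UIDS/, ""); gsub(/[ \t]/, "")
        n = split($0, u, ","); for (i = 1; i <= n; i++) print u[i] }' "$1"
}

# Print the value of "#define MIN_UNIX_UID n" from config.h.
min_unix_uid() {
    awk '$1 == "#define" && $2 == "MIN_UNIX_UID" { print $3; exit }' "$1"
}

# Print the login name whose UID (third passwd field) is $1, or nothing.
name_for_uid() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$2"
}

# usage: audit_server_uids config.h passwd required-user
# Fails if a listed UID has no account, belongs to an ordinary login user
# (UID >= MIN_UNIX_UID; this example's policy), or the required user is missing.
audit_server_uids() {
    rc=0; found=no; min=$(min_unix_uid "$1")
    for uid in $(server_uids "$1"); do
        name=$(name_for_uid "$uid" "$2")
        if [ -z "$name" ]; then
            echo "FAIL uid $uid has no passwd entry"; rc=1
        elif [ -n "$min" ] && [ "$uid" -ge "$min" ]; then
            echo "FAIL uid $uid ($name) is a login account, not a daemon"; rc=1
        else
            echo "ok   uid $uid = $name"
        fi
        if [ "$name" = "$3" ]; then found=yes; fi
    done
    if [ "$found" = no ]; then echo "FAIL $3 is not in SERVER_UIDS"; rc=1; fi
    return "$rc"
}

# Demo on constructed data (values follow the page; www-data is assumed).
demo=$(mktemp -d)
printf '#define SERVER_UIDS 33,101\n#define MIN_UNIX_UID 500\n' > "$demo/config.h"
printf '%s\n' 'www-data:x:33:33::/var/www:/bin/sh' \
    'Debian-exim:x:101:105::/var/spool/exim4:/bin/false' > "$demo/passwd"
audit_server_uids "$demo/config.h" "$demo/passwd" Debian-exim
rm -rf "$demo"
```

On a real host, call audit_server_uids ./config.h /etc/passwd Debian-exim from the pwauth source directory before running make.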

When config.h is all set up, we can compile pwauth:

make

If compilation did not issue errors, we can install pwauth. Note that you need to run the following commands as root.

cp ./pwauth /usr/local/bin/
chown root:staff /usr/local/bin/pwauth
chmod 4755 /usr/local/bin/pwauth

Testing pwauth

Next, we should test to see if pwauth works. As root, type the following commands:

su -s /bin/bash Debian-exim
/usr/local/bin/pwauth ; echo $?

Then type the name of a user, hit enter, and type that user's password. If the password is valid, the last command should display 0. If the password is invalid, the last command should display 1 or 2. For other numbers, refer to the INSTALL file in the pwauth directory.

If you are here, pwauth is set up correctly for Exim!

Configuring Exim

We need to tell Exim how to use pwauth. This is done using an authenticator. For my Debian system, I edited the file /etc/exim4/exim4.conf.template. I added this: