Nigel Metheringham edited this page Nov 29, 2012 · 2 revisions

Q0730

Question

How can I use the same passwords for SMTP authentication as I use for Courier IMAP access to my server?

Answer

You can access the Courier authdaemon from an Exim authenticator. You must arrange for the Exim user (often exim but sometimes mail) to be able to access the authdaemon socket (e.g. /var/run/courier/authdaemon/socket or /var/run/authdaemon.courier-imap/socket). The configuration is something of a hack, but it is reported to work.

begin authenticators

AUTHDAEMON_SOCKET = /path/to/authdaemon/socket

# LOGIN authenticator
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${extract {address} {${readsocket{AUTHDAEMON_SOCKET} \
    {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n} }} {yes} fail}
  server_set_id = $1

# PLAIN authenticator
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${extract {address} {${readsocket{AUTHDAEMON_SOCKET} \
    {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n} }} {yes} fail}
  server_set_id = $2

Don't set a macro AUTH in your configuration, otherwise this will not work!

You can also use CRAM authenticators (CRAM-SHA1 is hardly used by any mail client, but CRAM-MD5 is used by some). Note that you need at least Exim 4.43 for that. Passwords in Courier's userdb are stored CRYPTed by default, which cannot be used for CRAM, so you have to add the password in addition:

# userdbpw -hmac-md5 | userdb $user-login set hmac-md5pw
(password dialog...)
# makeuserdb

In Exim's main configuration:

acl_smtp_auth = acl_check_auth

In the ACL section:

acl_check_auth:
  accept set acl_c0 = <$pid.$tod_epoch@$primary_hostname>

In the authenticator section:

# CRAM-MD5, RFC2195
cram_md5:
  driver = plaintext
  public_name = CRAM-MD5
  server_prompts = $acl_c0
  server_set_id = ${sg {${extract {1}{ }{$1} }} {[^a-zA-Z0-9.-_]} {?}}
  server_condition = ${if eq \
    {${extract {address} \
      {${readsocket{AUTHDAEMON_SOCKET} \
        {AUTH ${strlen:exim\ncram-md5\n${str2b64:$acl_c0}\n${str2b64:$1}\n}\nexim\ncram-md5\n${str2b
64:$acl_c0}\n${str2b64:$1}\n} \
      }} \
    {$value} fail}} \
    {${extract {1}{ }{$1} }} \
    {yes}}

Change every occurrence of "md5" to "sha1" to have a CRAM-SHA1 authenticator. Current builds of Courier also support CRAM-SHA256 (after a security flaw was detected in SHA1, though it is more theoretically), so you could even add CRAM-SHA256.


Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.