.cindex "authentication" "DIGEST-MD5"
.cindex "authentication" "CRAM-MD5"
.cindex "authentication" "SCRAM-SHA-1"
+.cindex "authentication" "SCRAM-SHA-1-PLUS"
+.cindex "authentication" "SCRAM-SHA-256"
+.cindex "authentication" "SCRAM-SHA-256-PLUS"
The &(gsasl)& authenticator provides integration for the GNU SASL
library and the mechanisms it provides. This is new as of the 4.80 release
and there are a few areas where the library does not let Exim smoothly
made that any particular new authentication mechanism will be supported
without code changes in Exim.
-
.new
+The library is expected to add support in an upcoming
+realease for the SCRAM-SHA-256 method.
+The macro _HAVE_AUTH_GSASL_SCRAM_SHA_256 will be defined
+when this happens.
+
+
.option client_authz gsasl string&!! unset
This option can be used to supply an &'authorization id'&
which is different to the &'authentication_id'& provided
This is
only usable by mechanisms which support "channel binding"; at time of
writing, that's the SCRAM family.
+When using this feature the "-PLUS" variants of the method names need to be used.
.wen
This defaults off to ensure smooth upgrade across Exim releases, in case
top level domains the opendmarc library uses
during domain parsing. Maintained by Mozilla,
the most current version can be downloaded
-from a link at &url(https://publicsuffix.org/list/, currently pointing
-at https://publicsuffix.org/list/public_suffix_list.dat)
-See also util/renew-opendmarc-tlds.sh script.
+from a link at &url(https://publicsuffix.org/list/public_suffix_list.dat).
+See also the util/renew-opendmarc-tlds.sh script.
.new
The default for the option is unset.
If not set, DMARC processing is disabled.
begin transports
smtp:
- driver = smtp
- hosts = 127.0.0.1
+ driver = smtp
+ hosts = 127.0.0.1
allow_localhost
- port = PORT_D
+ port = PORT_D
.ifdef TRUSTED
- hosts_require_tls = *
+ hosts_require_tls = *
tls_verify_certificates = DIR/aux-fixed/cert1
tls_verify_cert_hostnames = :
.endif
- hosts_require_auth = *
+ hosts_require_auth = *
# ----- Authentication -----
.ifndef TRUSTED
sasl1:
- driver = gsasl
- public_name = ANONYMOUS
+ driver = gsasl
+ public_name = ANONYMOUS
server_set_id = $auth1
server_condition = true
sasl2:
- driver = gsasl
- public_name = PLAIN
+ driver = gsasl
+ public_name = PLAIN
server_set_id = $auth1
server_condition = ${if eq {$auth3}{pencil}}
.endif
sasl3:
- driver = gsasl
+ driver = gsasl
.ifdef TRUSTED
- public_name = SCRAM-SHA-1-PLUS
+ public_name = SCRAM-SHA-1-PLUS
server_advertise_condition = ${if def:tls_in_cipher}
server_channelbinding = true
.else
- public_name = SCRAM-SHA-1
+ public_name = SCRAM-SHA-1
.endif
# will need to give library salt, stored-key, server-key, itercount
client_channelbinding = true
.endif
+.ifdef _HAVE_AUTH_GSASL_SCRAM_SHA_256
+sasl4:
+ driver = gsasl
+.ifdef TRUSTED
+ public_name = SCRAM-SHA-256-PLUS
+ server_advertise_condition = ${if def:tls_in_cipher}
+ server_channelbinding = true
+.else
+ public_name = SCRAM-SHA-256
+.endif
+
+ server_scram_salt = QSXCR+Q6sek8bf92
+ server_password = pencil
+ server_condition = true
+ server_set_id = $auth1
+
+ client_condition = ${if eq {scram_sha_256}{$local_part}}
+ client_username = ph10
+ client_password = pencil
+.ifdef TRUSTED
+ client_channelbinding = true
+.endif
+.endif
+
# End
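Review bot: The new sasl4 block supplies `server_scram_salt = QSXCR+Q6sek8bf92` and `server_password = pencil` without a comment, while the existing comment above sasl3 (`# will need to give library salt, stored-key, server-key, itercount`) now reads as stale, since this hunk shows the salt and password being passed through driver options. A one-line comment on sasl4 would keep the two in step, e.g. `# fixed test-vector salt and password; a real server needs a per-user random salt`. The non-TRUSTED branch of sasl4 leaves `client_channelbinding` unset, whereas sasl3 sets `client_channelbinding = true` on a line that appears to sit outside its TRUSTED guard; if the asymmetry is intended (plain SCRAM-SHA-256 without binding), a comment saying so would help, though the preprocessor nesting around sasl3 is partly outside this hunk so I may be misreading it.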
--- /dev/null
+# Exim test configuration 3825
+
+SERVER=
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+queue_only
+
+
+begin routers
+
+client_r:
+ driver = accept
+ condition = ${if !eq {SERVER}{server}}
+ transport = smtp
+
+begin transports
+
+smtp:
+ driver = smtp
+ hosts = 127.0.0.1
+ allow_localhost
+ port = PORT_D
+ hosts_require_auth = *
+
+# ----- Authentication -----
+
+begin authenticators
+
+.ifndef OPT
+sasl1:
+ driver = plaintext
+ public_name = PLAIN
+ server_prompts = :
+ server_condition = ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
+ server_set_id = $auth2
+
+sasl2:
+ driver = gsasl
+ public_name = PLAIN
+ client_condition = ${if eq {plain}{$local_part}}
+ client_username = ph10
+ client_password = mysecret
+
+.else
+sasl3:
+ driver = gsasl
+ public_name = PLAIN
+ server_condition = ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
+ server_set_id = $auth1
+
+sasl4:
+ driver = plaintext
+ public_name = PLAIN
+ client_condition = ${if eq {plain}{$local_part}}
+ client_send = ^ph10^mysecret
+
+.endif
+
+
+# End
+++ /dev/null
-# Exim test configuration 3828
-
-SERVER=
-
-.include DIR/aux-var/std_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-queue_only
-
-
-begin routers
-
-client_r:
- driver = accept
- condition = ${if !eq {SERVER}{server}}
- transport = smtp
-
-begin transports
-
-smtp:
- driver = smtp
- hosts = 127.0.0.1
- allow_localhost
- port = PORT_D
- hosts_require_auth = *
-
-# ----- Authentication -----
-
-begin authenticators
-
-.ifndef OPT
-sasl1:
- driver = plaintext
- public_name = PLAIN
- server_prompts = :
- server_condition = ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
- server_set_id = $auth2
-
-sasl2:
- driver = gsasl
- public_name = PLAIN
- client_condition = ${if eq {plain}{$local_part}}
- client_username = ph10
- client_password = mysecret
-
-.else
-sasl3:
- driver = gsasl
- public_name = PLAIN
- server_condition = ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
- server_set_id = $auth1
-
-sasl4:
- driver = plaintext
- public_name = PLAIN
- client_condition = ${if eq {plain}{$local_part}}
- client_send = ^ph10^mysecret
-
-.endif
-
-
-# End
--- /dev/null
+3820
\ No newline at end of file
--- /dev/null
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl2 C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl4 C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl1:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+++ /dev/null
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl2 C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl4 C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl1:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
--- /dev/null
+# GSASL PLAIN authentication: gsasl driver vs. plaintext driver
+#
+# gsasl client against plaintext server
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim -odi plain@test.ex
+****
+killdaemon
+#
+# plaintext client against gsasl server
+exim -DSERVER=server -DOPT=y -bd -oX PORT_D
+****
+exim -odi -DOPT=y plain@test.ex
+****
+killdaemon
+no_msglog_check
--- /dev/null
+authenticator gsasl
+authenticator plaintext
+++ /dev/null
-# GSASL PLAIN authentication: gsasl driver vs. plaintext driver
-#
-# gsasl client against plaintext server
-exim -DSERVER=server -bd -oX PORT_D
-****
-exim -odi plain@test.ex
-****
-killdaemon
-#
-# plaintext client against gsasl server
-exim -DSERVER=server -DOPT=y -bd -oX PORT_D
-****
-exim -odi -DOPT=y plain@test.ex
-****
-killdaemon
-no_msglog_check
+++ /dev/null
-authenticator gsasl
-authenticator plaintext
--- /dev/null
+# GSASL SCRAM-SHA-256
+#
+exim -DSERVER=server -DTRUSTED -bd -oX PORT_D
+****
+exim -odi -DTRUSTED scram_sha_256@test.ex
+****
+killdaemon
+no_msglog_check
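Review bot: This scenario runs only with `-DTRUSTED`, so it exercises the SCRAM-SHA-256-PLUS channel-binding branch of sasl4 and never the plain SCRAM-SHA-256 branch selected by the configuration's `.else`; a second daemon/client pair without `-DTRUSTED` would cover both. The TRUSTED configuration requires TLS on the transport and advertises the mechanism only when `tls_in_cipher` is defined, yet the requires file that follows declares only `authenticator gsasl` and `feature _HAVE_AUTH_GSASL_SCRAM_SHA_256`; if the harness does not derive a TLS requirement elsewhere, the test would skip or fail on builds without TLS, which is worth confirming. A short header comment stating what is asserted, e.g. `# Expects SCRAM-SHA-256-PLUS with channel binding over TLS`, would make the intent explicit to whoever next touches the shared configuration.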
--- /dev/null
+authenticator gsasl
+feature _HAVE_AUTH_GSASL_SCRAM_SHA_256